The U.S. Securities and Exchange Commission’s focus on cybersecurity continues in its most recent effort to modernize financial privacy rules and emphasize transparency between SEC-regulated entities who suffer from a cyber breach and the individuals impacted by the breach. The SEC’s latest proposals focus on registrants including broker-dealers, investment advisors, and investment companies, and seek to impose cyberbreach disclosure requirements similar to those the SEC previously proposed for public companies.
On March 15, 2023, the SEC proposed amendments to current data privacy rules that would require covered firms to adopt written policies and procedures for incident response programs. Under the proposed amendments, such policies and procedures must address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The proposed changes would come through amendments to rules under Regulation S-P.
Regulation S-P currently requires covered registrants to notify customers about how they use their financial information, but it does not require them to notify customers about breaches. The proposed amendments would also ensure that breaches are properly identified, and that sensitive customer data is monitored to determine whether it was accessed.
In announcing the proposed amendments, Chairman Gensler explained that investors would benefit from a financial privacy rule “more modern than the AOL era.”