May 17, 2024 at 02:16PM
The SEC will implement new data-breach reporting regulations for financial firms, aiming to modernize consumer data protection rules. The amendments require institutions to address technology risks, develop incident response programs, and notify affected individuals of any breaches. SEC Chair Gary Gensler notes the significant changes in data breaches over the past 24 years. Compliance deadlines vary based on entity size.
The Securities and Exchange Commission (SEC) has announced new data-breach reporting regulations for certain financial firms. The new requirements are aimed at modernizing and enhancing the rules governing the treatment of consumers’ nonpublic personal information by specific financial institutions. The amendments update those rules to address the growing use of technology and the risks it poses. Institutions are now required to develop, implement, and maintain an incident response program to respond to and recover from unauthorized access to customer information. This program, among other things, obligates institutions to notify individuals whose sensitive information was compromised and to provide details of the breach and guidance on how affected customers can protect themselves. SEC Chair Gary Gensler highlighted the substantial transformation in the nature, scale, and impact of data breaches over the last 24 years and emphasized that the amendments to Regulation S-P would make critical updates to protect the privacy of customers’ financial data. The amendments will go into effect 60 days after publication in the Federal Register; larger entities will have 18 months to comply, while smaller entities will have 24 months.