SEC tightens rules around data breach disclosures

SEC tightens rules around data breach disclosures
Updates to a 24-year-old rule will require firms, including broker-dealers and RIAs, to prevent cyber risks and notify clients of incidents.
MAY 16, 2024

The SEC is sharpening its focus on cybersecurity breaches at broker dealers and RIAs, among other financial institutions, with an update to a 24-year-old rule.

In a move to modernize regulation around how certain institutions handle customers’ nonpublic personal information, the federal agency announced Thursday that it has adopted critical amendments to Regulation S-P.

This move is intended to address the growing risks associated with technological advancements since the rule's initial adoption in 2000. Under the amendments, broker-dealers, investment companies, registered investment advisers, and transfer agents will have to meet new requirements to safeguard customer data.

 “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said in a statement. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”

Among the updates to Regulation S-P, covered institutions are mandated to establish written policies and procedures for an incident response program. This program must include measures to detect, respond to, and recover from unauthorized access to or use of customer information.

With certain limited exceptions, the new rules also require firms to notify affected individuals, or those reasonably likely to have been affected, as soon as practicable, but no later than 30 days after the institution becomes aware of a breach.

In providing notice to impacted customers, institutions must detail the incident, the compromised data, and steps individuals can take to protect themselves, the SEC said.

“The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” Gensler said. “That’s good for investors.”

Last July, Schwab disclosed a breach linked to the high-profile MOVEit software cyberattack, potentially exposing the data of tens of thousands of clients on its platform and that of its subsidiary TD Ameritrade.

In March, Finra slapped Osaic and Securities America with separate $150,000 fines over cybersecurity and data protection failures that ran from January 2021 up to that month. Those shortfalls, it said, constituted violations of Regulation S-P.

In a filing to the Office of the Maine Attorney General earlier this month, JPMorgan reported it had discovered a vulnerability that affected over 451,000 participants in its retirement plans.

SEC’s newly announced amendments will become effective 60 days after their publication in the Federal Register.

Larger firms have 18 months from the date of publication to comply with the new regulations, while smaller entities will have a longer 24-month window to become compliant.

Latest News

Osaic's ex-CFO Kristy Britt joins PE-backed accounting firm Wipfli
Osaic's ex-CFO Kristy Britt joins PE-backed accounting firm Wipfli

Britt is named CFO of Wipfli, a $600 million accounting firm that audits two NFL franchises

YCharts acquires Informa's Zephyr to bolster SMA analytics for advisors
YCharts acquires Informa's Zephyr to bolster SMA analytics for advisors

The acquisition pairs Zephyr's 21,000-product separately managed account database with YCharts' newly launched AI agent assistant for investment research.

Advisor moves: Raymond James, Ameriprise, and Janney announce additions in Florida
Advisor moves: Raymond James, Ameriprise, and Janney announce additions in Florida

The war for talent continues in the Sunshine State with as Truist and RayJay teams managing a collective $1 billion in client assets defect to other firms.

Retirement’s new magic number? Workers say they’ll need $1.2 million
Retirement’s new magic number? Workers say they’ll need $1.2 million

Americans now estimate they need $1.2 million to retire comfortably, but rising costs and debt are making that goal increasingly difficult to reach.

Can mega RIAs go public? Integration may decide it, veteran leaders say
Can mega RIAs go public? Integration may decide it, veteran leaders say

Crewe Advisors' Ryan Halliday and Accelerated Wealth Partners' Eric Amar suggest mega RIA's readiness to integrate — not just scale — will determine whether an IPO exit actually works.

SPONSORED Direct indexing webinar targets tax-loss harvesting amid market swings

Northern Trust’s Ken Lassner shows advisors how to convert volatility into after-tax portfolio gains

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income