The 30-Day Deadline
The Securities and Exchange Commission (SEC) is demanding financial institutions to report security vulnerabilities within 30 days of discovering them.
Why the Change?
On Wednesday, the SEC adopted revisions to Regulation S-P, which controls how consumers' personal information is handled. The revisions require institutions to tell individuals whose personal information has been compromised "as soon as practicable, but no later than 30 days" after discovering of illegal network access or use of consumer data. The new criteria will apply to broker-dealers (including financing portals), investment businesses, licensed investment advisers, and transfer agents.
"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for the investor,” said SEC Chair Gary Gensler.
Challenges and Compliance
Notifications must describe the occurrence, what information was compromised, and how impacted individuals can protect themselves. In what appears to be a loophole in the regulations, covered institutions are not required to provide alerts if they can demonstrate that the personal information was not used in a way that caused "substantial harm or inconvenience" or is unlikely to do so.
The revisions compel covered institutions to "develop, implement, and maintain written policies and procedures" that are "reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information." The amendments include:
The standards also increase the extent of nonpublic personal information protected beyond what the firm gathers. The new restrictions will also apply to personal information received from another financial institution.
SEC Commissioner Hester M. Peirce expressed concern that the new regulations could go too far.
Best Practices
"Today’s Regulation S-P modernization will help covered institutions appropriately prioritize safeguarding customer information," she said. "Customers will be notified promptly when their information has been compromised so they can take steps to protect themselves, like changing passwords or keeping a closer eye on credit scores. My reservations stem from the rule's breadth and the likelihood that it will spawn more consumer notices than are helpful."
Regulation S-P has not been substantially modified since its adoption in 2000.
Last year, the SEC enacted new laws requiring publicly traded businesses to disclose security breaches that have materially affected or are reasonably projected to damage business, strategy, or financial results or conditions.
