As coincidence would have it, the SEC adopted its updated cybersecurity rule changes on the same day that international brokerage and custodian Interactive Brokers reported a customer data breach.
The firm filed a sample letter on May 16 with the Massachusetts Attorney General as an example of what it would send to around 600 clients whose personal information was exposed during a data breach in January, InvestmentNews and CityWire first reported.
The SEC’s long-awaited rule changes, also announced on May 16, are an update to Regulation S-P, which was first adopted in 2000. Those rules required broker/dealers, investment companies and RIAs to adopt written policies and procedures to safeguard customer records and information. They also mandated the disposal of consumer information and privacy policy notices and opt-out provisions.
The newly adopted amendments require institutions to maintain written cyber breach incident response program procedures and notify affected customers promptly. The program must detect the scope of any breach and outline steps to prevent further leaks. Customers must be informed about such occurrences as soon as possible but no later than 30 days after the company becomes aware of a breach.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said in a statement. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
Michael Cocanower, founder and CEO of AdviserCyber, said these new regulations reflect the SEC’s increasingly typical focus on cybersecurity. The landscape has changed drastically in the 24 years since the original Regulation S-P was put into place, he said.
“This is likely to be the first of several dominoes to fall as it relates to the SEC’s heightened focus on cybersecurity and protecting the investing public from cybersecurity incidents at the firms they trust the most to hold and manage their savings and investments,” he said.
The notification requirements allow customers to take defensive measures once their data has been exposed. Cocanower said he thought the 30-day window was sufficient to perform an investigation and deliver the notices as required to customers. However, that doesn’t mean it will be easy.
“I don’t see any way that a firm, especially a small- or mid-sized one, would have the resources to do this alone,” he said.
While the new regulations require written response policies and customer reporting, they do not mandate companies carry separate cyber insurance policies. Cocanower said proactively purchasing these policies separately from E&O can be an essential safeguard if a breach occurs.
“Those policies can generally bring significant resources to bear in a very short timeframe that can cover everything from technical mitigation, investigation, legal counsel and resources for customer notification … as well as an offer of credit monitoring services,” he said.
The SEC’s amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication to comply with the amendments, and smaller entities will have 24 months.
Take a look at our comprehensive guide to the best and most popular information ebooks and products available today on Detoxing, Colon Cleansing, Weight Loss and Dating and Romance. They are all in one spot, easy to find and compere to make a quick selection for the product that best fits your needs or wants.
So browse through a category and make your preferred selection and come back here to read more choice articles and get a few more helpful tips on ways to help your enhancement.
As an Amazon Associate I earn from qualifying purchases. “saubiosaubiosuccess.com is a participant in third party affiliate and advertising programs; The Amazon Services LLC Associates Program, Awin network, and other affiliate advertising programs are designed to provide a means for sites to earn advertising fees and commissions by advertising and linking to products on other sites and on Amazon.com. Amazon and the Amazon logo are trademarks of Amazon.com, Inc, or its affiliates.”
We use anonymous cookies and various 3rd-party services to optimise and to offer you a better, more personalised, browsing experience with advanced accessibility enhancements.
Dismiss
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
