The Securities and Exchange Commission (SEC) is demanding financial institutions to report security vulnerabilities within 30 days of discovering them.
Why the Change?
On Wednesday, the SEC adopted revisions to Regulation S-P, which controls how consumers’ personal information is handled. The revisions require institutions to tell individuals whose personal information has been compromised “as soon as practicable, but no later than 30 days” after discovering of illegal network access or use of consumer data. The new criteria will apply to broker-dealers (including financing portals), investment businesses, licensed investment advisers, and transfer agents.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for the investor,” said SEC Chair Gary Gensler.
Challenges and Compliance
Notifications must describe
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.