By Bill Toulas on Friday, 17 May 2024
Category: Compliance

SEC: Financial orgs have 30 days to send data breach notifications

The Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery.

Regulation S-P was introduced in 2000 and controls how some financial entities must treat nonpublic personal information belonging to consumers. These rules include developing and implementing data protection policies, confidentiality and security assurances, and protecting against anticipated threats.

The new amendments adopted earlier this week impact financial firms, such as broker-dealers (funding portals included), investment firms, registered investment advisers, and transfer agents. 

The modifications were initially proposed in March of last year to modernize and improve the protection of individual financial information from data breaches and exposure to non-affiliated parties.

Below is a summary of the introduced changes:


The modifications represent an important update to a rule initially adopted in 2000 that could no longer adequately protect customers' financial data privacy in today's cybersecurity landscape.

"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially," said SEC Chair Gary Gensler. 

"These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data."

"The basic idea for covered firms is if you've got a breach, then you've got to notify. That's good for investors."

The amendments take effect 60 days after publication in the Federal Register, the official journal of the U.S. federal government, including agency rules, proposed rules, and public notices.

Larger organizations have a compliance date of 18 months after the modifications are published in the Federal Register. For smaller entities, the period extends to two years.

In December, the SEC also introduced new rules requiring all public companies to disclose that they suffered a breach if it materially affected or is reasonably likely to materially affect business strategy, results of operations, or financial condition.

Related Posts

Leave Comments