Friday, November 15, 2024
Homecyber securityFinancial Organizations Need To Disclose Data Breach Within 30-Days

Financial Organizations Need To Disclose Data Breach Within 30-Days

Published on

The U.S. Securities and Exchange Commission (SEC) has made changes to Regulation S-P that require financial companies to report data leaks within 30 days. This is a big step toward protecting consumers.

This new rule, which goes into force on May 15, 2024, is meant to strengthen and update the protections for consumer financial information.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

- Advertisement - SIEM as a Service

Background on Regulation S-P

Since its introduction in 2000, SEC Regulation S-P has required broker-dealers, investment companies, and licensed investment advisers to protect customer records and information with written policies and procedures.

The rule also explains how to properly delete consumer report information and requires privacy policy notices and opt-out choices.

Over the years, improvements in technology have made data breaches more likely, which is why these changes were needed.

Key Amendments to Regulation S-P

Incident Response Program

The changes say that institutions that are protected must create, use, and keep up with an incident response program.

This program needs to be able to find, stop, and fix instances of customer data being accessed or used without permission. Some critical parts of the incident response method are:

  • How to Find and Respond: Steps to find and stop people from accessing or using customer information without permission.
  • Steps to stop more unauthorized entry or use are called containment and control.
  • Oversight of Service Providers: Rules to make sure service providers do their jobs right and are watched over.

Customer Notification Requirement

One of the changes’ most essential parts is that people who will be impacted must be notified promptly.

When covered organizations learn of a breach, they have 30 days to tell people whose sensitive information has been accessed or used without their permission. This must be in the notice:

  • Details of the Incident: Information about what kind of breach it was and how big it was.
  • Breached Data: Details about the data that was lost or stolen.
  • Protective Measures: Advice on how people who are impacted can keep themselves safe.

Information with a broader range

The changes also allow Regulation S-P to address more types of information.

This includes private, non-public information that the bank gathers about its customers and information it gets from other banks about their customers.

Additional Provisions

Along with these important changes, the changes to Regulation S-P also include the following:

  • Protections and Rules for Disposal: Covers all nonpublic personal information that was added.
  • Needs for Keeping Records: Covered institutions, but not funding websites, must keep written records that show they follow the rules for disposal and safety.
  • Privacy Notice Every Year: Under the FAST Act, institutions don’t have to send a yearly privacy notice if certain conditions are met.
  • Extension to Transfer Agents: The rules for both protection and disposal now apply to transfer agents who are registered with the SEC or another regulatory body.

The changes the SEC made to Regulation S-P are a big step toward keeping people’s banking information safe.

By requiring financial companies to report data breaches within 30 days, the SEC hopes to ensure that customers are quickly informed and can take the steps they need to stay safe.

These changes show how data security is changing and how vital means are needed to protect private data in a world that is becoming more and more digital.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...