Thursday, October 3, 2024
Homecyber securityFinancial Organizations Need To Disclose Data Breach Within 30-Days

Financial Organizations Need To Disclose Data Breach Within 30-Days

Published on

The U.S. Securities and Exchange Commission (SEC) has made changes to Regulation S-P that require financial companies to report data leaks within 30 days. This is a big step toward protecting consumers.

This new rule, which goes into force on May 15, 2024, is meant to strengthen and update the protections for consumer financial information.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

- Advertisement - EHA

Background on Regulation S-P

Since its introduction in 2000, SEC Regulation S-P has required broker-dealers, investment companies, and licensed investment advisers to protect customer records and information with written policies and procedures.

The rule also explains how to properly delete consumer report information and requires privacy policy notices and opt-out choices.

Over the years, improvements in technology have made data breaches more likely, which is why these changes were needed.

Key Amendments to Regulation S-P

Incident Response Program

The changes say that institutions that are protected must create, use, and keep up with an incident response program.

This program needs to be able to find, stop, and fix instances of customer data being accessed or used without permission. Some critical parts of the incident response method are:

  • How to Find and Respond: Steps to find and stop people from accessing or using customer information without permission.
  • Steps to stop more unauthorized entry or use are called containment and control.
  • Oversight of Service Providers: Rules to make sure service providers do their jobs right and are watched over.

Customer Notification Requirement

One of the changes’ most essential parts is that people who will be impacted must be notified promptly.

When covered organizations learn of a breach, they have 30 days to tell people whose sensitive information has been accessed or used without their permission. This must be in the notice:

  • Details of the Incident: Information about what kind of breach it was and how big it was.
  • Breached Data: Details about the data that was lost or stolen.
  • Protective Measures: Advice on how people who are impacted can keep themselves safe.

Information with a broader range

The changes also allow Regulation S-P to address more types of information.

This includes private, non-public information that the bank gathers about its customers and information it gets from other banks about their customers.

Additional Provisions

Along with these important changes, the changes to Regulation S-P also include the following:

  • Protections and Rules for Disposal: Covers all nonpublic personal information that was added.
  • Needs for Keeping Records: Covered institutions, but not funding websites, must keep written records that show they follow the rules for disposal and safety.
  • Privacy Notice Every Year: Under the FAST Act, institutions don’t have to send a yearly privacy notice if certain conditions are met.
  • Extension to Transfer Agents: The rules for both protection and disposal now apply to transfer agents who are registered with the SEC or another regulatory body.

The changes the SEC made to Regulation S-P are a big step toward keeping people’s banking information safe.

By requiring financial companies to report data breaches within 30 days, the SEC hopes to ensure that customers are quickly informed and can take the steps they need to stay safe.

These changes show how data security is changing and how vital means are needed to protect private data in a world that is becoming more and more digital.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

ANY.RUN announced an upgrade to its Threat Intelligence Portal, enhancing its capabilities to identify...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...