Financial Organizations Need To Disclose Data Breach Within 30-Days

The U.S. Securities and Exchange Commission (SEC) has made changes to Regulation S-P that require financial companies to report data leaks within 30 days. This is a big step toward protecting consumers.

This new rule, which goes into force on May 15, 2024, is meant to strengthen and update the protections for consumer financial information.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Background on Regulation S-P

Since its introduction in 2000, SEC Regulation S-P has required broker-dealers, investment companies, and licensed investment advisers to protect customer records and information with written policies and procedures.

The rule also explains how to properly delete consumer report information and requires privacy policy notices and opt-out choices.

Over the years, improvements in technology have made data breaches more likely, which is why these changes were needed.

Key Amendments to Regulation S-P

Incident Response Program

The changes say that institutions that are protected must create, use, and keep up with an incident response program.

This program needs to be able to find, stop, and fix instances of customer data being accessed or used without permission. Some critical parts of the incident response method are:

• How to Find and Respond: Steps to find and stop people from accessing or using customer information without permission.
• Steps to stop more unauthorized entry or use are called containment and control.
• Oversight of Service Providers: Rules to make sure service providers do their jobs right and are watched over.

Customer Notification Requirement

One of the changes’ most essential parts is that people who will be impacted must be notified promptly.

When covered organizations learn of a breach, they have 30 days to tell people whose sensitive information has been accessed or used without their permission. This must be in the notice:

• Details of the Incident: Information about what kind of breach it was and how big it was.
• Breached Data: Details about the data that was lost or stolen.
• Protective Measures: Advice on how people who are impacted can keep themselves safe.

Information with a broader range

The changes also allow Regulation S-P to address more types of information.

This includes private, non-public information that the bank gathers about its customers and information it gets from other banks about their customers.

Additional Provisions

Along with these important changes, the changes to Regulation S-P also include the following:

• Protections and Rules for Disposal: Covers all nonpublic personal information that was added.
• Needs for Keeping Records: Covered institutions, but not funding websites, must keep written records that show they follow the rules for disposal and safety.
• Privacy Notice Every Year: Under the FAST Act, institutions don’t have to send a yearly privacy notice if certain conditions are met.
• Extension to Transfer Agents: The rules for both protection and disposal now apply to transfer agents who are registered with the SEC or another regulatory body.

The changes the SEC made to Regulation S-P are a big step toward keeping people’s banking information safe.

By requiring financial companies to report data breaches within 30 days, the SEC hopes to ensure that customers are quickly informed and can take the steps they need to stay safe.

These changes show how data security is changing and how vital means are needed to protect private data in a world that is becoming more and more digital.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers