SEC Cybersecurity Rules Mandate New Procedures for Data Breaches

May 23, 2024

New SEC Cybersecurity Rules Announced

The SEC announced on May 16 that it is requiring certain kinds of financial institutions to have detailed plans for the process to follow when a data breach involving customer information occurs. The SEC cybersecurity rules also mandate procedures for providing notice to customers whose sensitive information has been accessed or leaked.

The newly amended SEC cybersecurity rules are in addition to reporting regulations that force all public companies to notify the agency of “material” incidents. The Record reports that earlier this month, New York Rep. Andrew Garbarino renewed his effort to rescind the incident reporting rule. He argues that the SEC is not capable of dealing with cybersecurity and that incident reports expose victimized companies to more attacks. The White House says it will veto any such legislation. 

SEC Chair Gary Gensler says the amendments are necessary due to the greater scale and impact of data breaches since the original regulation went into effect. “The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” Gensler said. “That’s good for investors.”

The amendment will take effect two months after the rule is published in the Federal Register. Large companies will have 18 months to comply. Smaller ones will have two years. The SEC hasn’t announced how it plans to distinguish between large and small entities. The notifications must take place as soon as possible, and no later than 30 days after covered entities become aware that customer information has been leaked. 

Cybersecurity experts are on board with the amended rule, according to The Record. Several argued that years of voluntary rules contributed to the laid-back attitude that many organizations have toward cyberattacks and breaches.
