PYMNTS MonitorEdge May 2024

SEC: Data Breaches at Financial Institutions Must Be Reported in 30 Days

New federal regulations give some financial institutions (FIs) a tighter deadline for reporting security breaches.

The Securities and Exchange Commission (SEC) adopted changes last week that require institutions to notify people whose data was compromised “as soon as practicable, but not later than 30 days” after learning of a breach.

The new amendments to SEC’s Regulation S-P apply to broker-dealers — including funding portals — investment companies, registered investment advisers and transfer agents, the commission said. 

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said in a news release.

“These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

According to the SEC, the notice must describe the information that was compromised and the steps affected consumers can take to protect themselves.

The amendments also broaden the scope of nonpublic personal information that is covered: in addition to information the firm itself collects, the rules now reach personal information the firm has received from another financial institution.

The new rules were flagged in a report this weekend by Ars Technica, which also included comments from SEC Commissioner Hester M. Peirce, who suggested the rules may go too far.

“My reservations stem from the breadth of the rule and the likelihood that it will spawn more consumer notices than are helpful,” she said.

The Ars Technica report also noted that the requirements contain an apparent loophole: an FI need not issue notices if it determines that the personal information has not been, and is not reasonably likely to be, used in a manner that would result in “substantial harm or inconvenience.”

The SEC’s changes are happening — as Gensler indicated — as companies deal with a growing threat of cyberattacks, to the point that 90% of companies say that their cyber risks have increased in the last year, according to one recent report.

This follows a wave of recent cybersecurity incidents, such as the breach last summer at MGM Resorts’ hotel and casino system, along with February’s attack on UnitedHealth Group’s Change Healthcare business, which crippled portions of the American healthcare system.

These incidents — as well as a more recent data breach at Dell — put a spotlight on the cost of lax cybersecurity standards, PYMNTS wrote earlier this month.

“To mitigate the risk of cyberattacks, companies must develop a robust cybersecurity framework that encompasses not only the latest technological defenses but also a strong emphasis on human factors,” the report said. “Regular training programs, rigorous security protocols, and a culture of vigilance among employees can enhance an organization’s ability to defend against cyber threats.”