
SEC Adopts Updated Cybersecurity Rules

Coincidentally, the SEC adopted updated changes to cybersecurity regulations on the same day that international brokerage and custodian Interactive Brokers reported a customer data breach.

As first reported by InvestmentNews and CityWire, the company submitted a sample letter to the Massachusetts attorney general on May 16 as an example of what it will send to about 600 customers whose personal information was exposed during the January data breach.

The long-awaited SEC rule changes, also announced on May 16, update Regulation S-P, which was first adopted in 2000. The original rules required broker/dealers, investment companies and RIAs to adopt written policies and procedures to safeguard customer records and information. They also required the proper disposal of consumer information and the delivery of privacy notices and opt-out provisions.

The newly adopted changes require institutions to maintain a written incident response program and to promptly notify affected customers. The program must assess the nature and scope of any breach and take steps to contain and control it to prevent further unauthorized access. Customers must be informed of such events as soon as practicable, but no later than 30 days from the date on which the company became aware of the breach.

“Over the past 24 years, the nature, scale and impact of data breaches have changed significantly,” SEC Chairman Gary Gensler said in a statement. “These changes to Regulation SP will provide a critical update to a rule first adopted in 2000 and help protect the privacy of customers’ financial information. The basic idea behind covered companies is that if a breach has occurred, you must report it. It’s good for investors.”

Michael Cocanower, founder and CEO of AdviserCyber, said the new regulations reflect the SEC’s increasing focus on cybersecurity. He said the landscape has changed dramatically in the 24 years since the original Regulation S-P was introduced.

“This will likely be the first of several dominoes to fall as the SEC increases its focus on cybersecurity and protecting investors from cybersecurity incidents at the companies they trust most to hold and manage their savings and investments,” he said.

Notification requirements enable customers to take protective measures if their data is exposed. Cocanower said he believed the 30-day period would be sufficient to conduct an investigation and provide customers with the required notices. However, that doesn’t mean it will be easy.

“I don’t see how a company, especially a small or medium-sized company, has the resources to do this on their own,” he said.

While the new regulations require written incident response and customer notification policies, they do not require companies to carry separate cybersecurity insurance. Cocanower said that proactively purchasing such a policy, separate from E&O coverage, can provide important protection in the event of a breach.

“These policies can typically provide significant resources in a very short period of time, which can include everything from technical mitigations, investigations, legal advice and customer notification resources… as well as the offering of credit monitoring services,” he said.

The SEC’s amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months from the date of publication to adapt to the changes, while smaller entities will have 24 months.