As addressing cybersecurity issues continues to become a top priority throughout the global financial industry, the U.S. Securities and Exchange Commission (SEC) is following suit. The SEC unanimously voted to approve a new set of cybersecurity rules last May designed to ensure that broker-dealers, investment advisers, and transfer agents have robust measures in place to not only detect data breaches but to notify customers when they may be affected by one.  

Firms subject to these new rules have long been held to high standards when it comes to the protection of their client’s non-public private information, but with cybercrimes surging in recent years the SEC determined that further measures were necessary. Reported data compromises jumped from 1,801 to 3,205 between 2022 and 2023, a shocking 78% leap. Victims of these breaches totaled nearly 350,000,000 people and cost a record USD$4.45 million. 

With the clock now ticking for those looking to remain compliant in light of these new rules—and with more potentially coming down the pipeline—it’s important to understand what measures affected firms must now take to protect client data and keep them informed in the event of a cyber incident. Take a look at these key considerations for a clearer picture. 

Key Considerations

• The new rules in the US are a set of amendments to Regulation S-P, introduced in 2000 to ensure that investment companies and advisers as well as broker-dealers protect their clients’ information and records through written policy and procedures.
• Covered institutions are now required to adopt an incident response programme into their written policies and procedures designed to identify and respond to data breaches. It is not required, but encouraged, to continually review and update this incident response programme.
• Procedures must outline a plan to “assess the nature and scope” of cyber incidents and for “appropriate steps to contain and control such incidents”.
• Key in these new amendments is the requirement to notify any individuals “whose sensitive customer information was, or is reasonably likely to have been accessed, or used without authorisation in the event of a data breach”.
• “Sensitive customer information” includes not only the sensitive non-public information of direct customers, but of any customers of financial institutions whose information has been shared with the covered institution. This expanded definition also applies to the Safeguard and Disposal Rules.
• While firms may use service providers to fulfill their obligation to notify affected customers, the firm remains responsible for ensuring that notification requirements are met.
• Larger firms are afforded an 18-month compliance period while smaller firms have been allowed 24 months. These windows begin from the date of the amendment’s publication in the Federal Register.

Remaining Compliant with Evolving Cybersecurity Regulations

Cyber incidents are only becoming more common and more damaging to both affected companies and the customers whose information has been compromised. It should be expected that more regulations seeking to better protect data breach victims are soon to come. In fact, these new amendments to Regulation S-P represent just one of three cybersecurity measures proposed by the SEC this year. 

Ideally, tighter cybersecurity regulations will benefit all entities involved, but those benefits come with the caveat of changes to compliance. Covered firms must be sure to understand the nuances of these rule changes, some of which are subtle, to ensure that they are fully compliant within the given window. 

Perhaps the most important aspect of these rule changes is the requirement that an incident response programme must be adopted and written into policies and procedures. Compliance with this amendment not only requires proof of an adequate incident response programme but the effective execution of that programme in the event of a data breach.

Firms looking to remain compliant should identify key players in their incident response programme, assign them specific roles, and ensure that they receive the necessary training for a fast and effective response to any cyber incidents. In light of the new SEC rules, this training should outline and emphasise a plan for notifying customers. 

Utilising third-party cyber incident response services can not only help ensure compliance, but greatly reduce both reputational and financial damage incurred by a data breach. Outsourcing provides firms with access to an expert incident response team and state-of-the-art technology that can help them strengthen their cyber security plan and satisfy SEC regulations. 

Running simulated incident responses is becoming common practice for many organisations, and third-party service providers can help to run those exercises effectively. Simulating a cyber incident offers hands-on experience and can help to expose vulnerabilities in the response plan which can then be accounted for and addressed.

Conclusion

As the use of technology in the financial sector continues to expand and evolve, and the number of data breaches continues to grow, new rules and regulations seeking to keep pace with both should be anticipated. Remaining compliant means keeping a close eye on what’s coming down the pipeline, understanding how new rules and regulations will impact your current policies and procedures, and being proactive with necessary adjustments. 

Whether you’re working internally or with a third-party service provider, it’s crucial to stay ahead of the curve with these evolving rules, as addressing cybersecurity issues is without a doubt a top priority of the US' SEC today and will continue to be going forward.