SEC adopts updated cybersecurity rules


Coincidentally, the SEC approved updated cybersecurity rule changes on the same day that international brokerage and custodian Interactive Brokers reported a customer data breach.

The firm filed a sample letter on May 16 with the Massachusetts attorney general as an example of what it would send to about 600 customers whose personal information was exposed in a data breach in January. InvestmentNews and Citywire first reported the filing.

The SEC's long-awaited rule changes, also announced on May 16, amend Regulation S-P, which was first adopted in 2000. The original rules required broker/dealers, investment companies and RIAs to adopt written policies and procedures to safeguard customer records and information. They also mandated the proper disposal of consumer information, as well as privacy policy notices and opt-out provisions.

The newly adopted changes require covered institutions to maintain a written incident response program and to promptly notify affected customers. The program must include procedures to assess the nature and scope of each incident, to contain and control it, and to prevent further unauthorized access to or use of customer information. Customers must be notified as soon as practicable, but no later than 30 days after the firm becomes aware that unauthorized access to or use of their information has occurred or is reasonably likely to have occurred.

“Over the past 24 years, the nature, scale and impact of data breaches has transformed significantly,” SEC Chairman Gary Gensler said in a statement. “These changes to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data. The basic idea for covered firms is that if you have a breach, then you must notify. This is good for investors.”

Michael Cocanower, founder and CEO of AdviserCyber, said the new regulations reflect the SEC's increasing focus on cybersecurity. The landscape has changed drastically in the 24 years since the original Regulation S-P took effect, he said.

“This is likely to be the first of several dominoes to fall as it relates to the SEC's increased focus on cybersecurity and protecting the investing public from cybersecurity incidents at the firms most trusted to maintain and manage their savings and investments,” he said.

Notification requirements give customers the chance to take protective measures once their data has been exposed. Cocanower said he thought the 30-day window was sufficient to conduct an investigation and deliver the required notices to customers. That does not mean it will be easy, however.

“I don't see any way that a firm, especially a small or mid-sized one, would have the resources to do this alone,” he said.

While the new regulations require written incident response and customer notification policies, they do not require firms to carry separate cyber insurance. Cocanower said proactively purchasing a cyber policy separate from errors and omissions (E&O) coverage can be a crucial defense if a breach occurs.

“These policies can generally bring significant resources to bear in a very short time frame that can cover everything from technical mitigation, investigation, legal advice and customer notification resources … as well as offering credit monitoring services,” he said.

The SEC's amendments will take effect 60 days after publication in the Federal Register. Larger entities will have 18 months after the publication date to comply with the changes, and smaller entities will have 24 months.
