As coincidence would have it, the SEC adopted its updated cybersecurity rule changes on the same day that international brokerage and custodian Interactive Brokers reported a customer data breach.
The firm filed a sample letter on May 16 with the Massachusetts Attorney General as an example of what it would send to around 600 clients whose personal information was exposed during a data breach in January, InvestmentNews and CityWire first reported.
The SEC’s long-awaited rule changes, also announced on May 16, are an update to Regulation S-P, which was first adopted in 2000. Those rules required broker/dealers, investment companies and RIAs to adopt written policies and procedures to safeguard customer records and information. They also mandated the disposal of consumer information and privacy policy notices and opt-out provisions.
The newly adopted amendments require institutions to maintain written cyber breach incident response program procedures and notify affected customers promptly. The program must detect the scope of any breach and outline steps to prevent further leaks. Customers must be informed about such occurrences as soon as possible but no later than 30 days after the company becomes aware of a breach.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said in a statement. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
Michael Cocanower, founder and CEO of AdviserCyber, said these new regulations reflect the SEC’s increasingly typical focus on cybersecurity. The landscape has changed drastically in the 24 years since the original Regulation S-P was put into place, he said.
“This is likely to be the first of several dominoes to fall as it relates to the SEC’s heightened focus on cybersecurity and protecting the investing public from cybersecurity incidents at the firms they trust the most to hold and manage their savings and investments,” he said.
The notification requirements allow customers to take defensive measures once their data has been exposed. Cocanower said he thought the 30-day window was sufficient to perform an investigation and deliver the notices as required to customers. However, that doesn’t mean it will be easy.
“I don’t see any way that a firm, especially a small- or mid-sized one, would have the resources to do this alone,” he said.
While the new regulations require written response policies and customer reporting, they do not mandate companies carry separate cyber insurance policies. Cocanower said proactively purchasing these policies separately from E&O can be an essential safeguard if a breach occurs.
“Those policies can generally bring significant resources to bear in a very short timeframe that can cover everything from technical mitigation, investigation, legal counsel and resources for customer notification … as well as an offer of credit monitoring services,” he said.
The SEC’s amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication to comply with the amendments, and smaller entities will have 24 months.