New SEC rules will also require written policies and procedures.
Some financial institutions will disclose security breaches within 30 days, under new rules from the Securities and Exchange Commission.
Under the amendments, institutions must notify individuals whose personal information was compromised “as soon as practicable, but not later than 30 days” after learning of unauthorized network access or use of customer data, reports Arstechnica.
The new requirements will be binding on broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.
Notifications must detail the incident, what information was compromised, and how those affected can protect themselves.
Also, the amendments will require covered institutions to “develop, implement, and maintain written policies and procedures” that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
