In March, the SEC proposed several new rules covering cybersecurity and privacy requirements for BDs, RIAs and RICs in order to protect customer records and information. The Regulation S-P amendments require these entities to properly dispose of consumer report information in a way that protects against unauthorized access to or use of this data.
Under the amendments, these entities must also have written policies and procedures to provide timely notification to affected persons whose data was or is likely to have been accessed without authorization.
Notice is required as soon as practicable but not later than 30 days after the institution becomes aware of the intrusion.
The SEC's proposed rules require that the institutions create policies including measures to assess the nature and scope of any cyber intrusions, identify the information accessed, begin investigating the extent of the unauthorized use, and notify affected individuals or companies.
The new regulation creates an obligation to report significant cybersecurity incidents to the SEC within 48 hours.
Jeff Newman is a whistleblower lawyer representing whistleblowers in the SEC’s whistleblower program, as well as the FINCEN whistleblower program and the CFTC program. He also represents individuals in whistleblower cases under the False Claims Act (FCA). He can be reached at Jeff@JeffNewmanLaw or at 617-823-3217. His website is www.JeffNewmanLaw.com
Public comment runs through June 5, 2023.