Dive Brief:
- The Securities and Exchange Commission will soon require certain financial institutions to notify individuals within 30 days of determining their personal information was compromised in a breach.
- “Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said Thursday in a statement. “The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
- The adopted amendments to Regulation S-P, which apply to broker-dealers, funding portals, investment companies, registered investment advisers and transfer agents, also require covered entities to develop and implement written policies and procedures for responding to incidents involving unauthorized access to or use of customer information.
Dive Insight:
Notices to customers impacted by breaches must include details about the incident, the compromised data and how people can help protect themselves, according to the SEC.
The data breach notification rule for these financial institutions comes less than a year after the SEC adopted rules requiring publicly traded companies to disclose material cybersecurity incidents within four business days of determining that an incident is material.
Since those rules took effect, multiple large enterprises have disclosed security incidents, including Microsoft, First American Financial, Hewlett Packard Enterprise, loanDepot, and UnitedHealth Group.
The regulations are part of a government-wide push to increase the pace of data breach disclosures and promptly alert individuals to potential exposure. The Federal Trade Commission amended rules last week to require nonbanking financial institutions to notify the agency of a security breach impacting at least 500 customers’ data within 30 days.
The SEC rule change will take effect 60 days after the amendments are published in the Federal Register. Larger entities will have 18 months from that publication date to comply; smaller entities will have 24 months.