SEC Says RIAs and Brokers Who Suffer Data Breaches Will Have to Tell Their Clients

Investment advisors, broker-dealers, and fund companies will have to start preparing to comply with a rule requiring them to issue notices to clients following data breaches that could have compromised their personal information.

The Securities and Exchange Commission on Thursday announced amendments to Regulation S-P, the privacy rule the commission adopted in 2000 that governs how certain financial institutions must handle consumer data.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chairman Gary Gensler says, calling the agency’s amendments “critical updates” to protect consumer privacy.

“The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” Gensler says. “That’s good for investors.”

The amendments will also require firms to develop incident-response plans detailing how they aim to detect, thwart, and respond to cyberattacks or data breaches. The original rule has a broader provision requiring written policies detailing firms’ protocols for safeguarding client information.

Gensler addressed the amendments Thursday morning at an SEC conference, noting that the vote was 5-0 and seeming to wink at the partisan acrimony that has accompanied many of the SEC’s other rule-making initiatives during his tenure. “It’s nice to get those unanimous votes in sometimes,” he said.

Commissioner Hester Peirce, a fairly consistent opponent of Gensler’s policies, issued a statement expressing support for the amendments, “albeit with some reservations.”

“Protecting customers’ information and notifying them when it is compromised are important—even more important than when the commission adopted the original version of Regulation S-P in 2000,” Peirce says. “All of us have given our personal information to a business with a tinge of fear that our information is at risk because even companies that work hard to protect this information are under constant attack by cybercriminals.”

Her principal concern with the updated rule is that the expanded notification requirements could be so broad in scope that they will deluge clients with breach notices, “making them so commonplace that people ignore them,” Peirce says.

The rule will require firms to notify clients within 30 days of a cyber event that has compromised their information. Those notices must include details about the specific type of information that has been put at risk and actions clients can take to safeguard their identity, such as changing passwords or engaging a credit-monitoring service.

“It allows the customer to then take some steps to protect themselves and their privacy and their financial well-being,” Gensler said at the conference.

In addition to RIAs, broker-dealers, and fund companies, the amendments apply to transfer agents.

The SEC is giving covered entities some running room to comply with the amendments. Firms deemed “larger entities” will have 18 months to begin complying with the updated rule following its publication in the Federal Register. “Smaller entities” will have a two-year compliance period.

Registered investment advisors with $1.5 billion or more in assets under management will be considered larger entities, accounting for about 23% of the total number of SEC-registered firms, according to a commission estimate.

Write to advisor.editors@barrons.com