SEC Gets Ready to Scrutinize Compliance with Data Protection Rule

September 2025

The Securities and Exchange Commission on Thursday sought to remind the industry about looming updates to a decades-old regulation despite recent deadline extensions to other rules.

The rule, which requires firms to inform clients within 30 days if their information was compromised in a cyberattack or other data breach, will be a focus of examinations, SEC staff said during a webinar the agency hosted Thursday.

Beginning Dec. 3, large firms managing $1.5 billion or more in assets will have to adopt written policies and procedures as part of their incident response programs to address unauthorized access to or use of customer information, according to the updated rule. The compliance date for smaller firms kicks in on June 3, 2026.

Reg S-P, as it’s known, was first put in place 25 years ago but had previously only required firms to notify clients about how their personal data is being used.

While firms can amend their contracts to include the new reporting timelines, a main concern among firms is how they can ensure that their service providers are aware of the obligation to notify them within 72 hours, Lori Weston, head of compliance at STP Investment Services, said in an email.

“The SEC suggested obtaining certifications from service providers, but this may be viewed as insufficient assurance,” she said.

Read more from Lori Weston and other experts in FundFire.
