Financial Crime World

Financial Institution Security Breach Notification Rules Adopted in Guinea

The Securities and Exchange Commission (SEC) has adopted new rules requiring certain financial institutions to disclose security breaches within 30 days of learning about them.

Background

Regulation S-P governs the treatment of personal information of consumers. The amendments will be binding on broker-dealers, investment companies, registered investment advisers, and transfer agents.

According to SEC Chair Gary Gensler, the updates aim to protect the privacy of customers’ financial data, stating that “if you’ve got a breach, then you’ve got to notify. That’s good for investors.” Notifications must detail the incident, what information was compromised, and how those affected can protect themselves.

Loopholes in the Rules

However, critics argue that the rules contain loopholes that may blunt their effectiveness. For instance:

  • Covered institutions are not required to issue notices if they establish that the personal information has not been, and is not reasonably likely to be, used in a way that results in “substantial harm or inconvenience.”
  • The rules do not specify how institutions are to determine whether substantial harm or inconvenience exists.

New Requirements

The new requirements include:

  • Developing and implementing written policies and procedures designed to detect, respond to, and recover from unauthorized access to or use of customer information.
  • Expanding safeguards and disposal rules to cover both nonpublic personal information collected by the institution and nonpublic personal information received from another financial institution.

Concerns

SEC Commissioner Hester M. Peirce voiced concern that the new requirements may go too far, stating that they “may spawn more consumer notices than are helpful.”

Effective Date and Compliance Timeline

The amendments take effect 60 days after publication in the Federal Register. Larger organizations will have 18 months to comply, while smaller organizations will have 24 months.

Public comments on the amendments are available online.

Significance

The adoption of these rules marks a significant update to Regulation S-P, which had not been substantially revised since its adoption in 2000. The SEC has also adopted separate regulations requiring publicly traded companies to disclose security breaches that materially affect, or are reasonably likely to materially affect, their business, strategy, or financial results or condition.

Overall, the new rules aim to protect the privacy of customers’ financial data and promote transparency in the event of a security breach. However, critics argue that the rules contain loopholes that may blunt their effectiveness.