Under the proposal, the covered firms would have to adopt written policies and procedures to address unauthorized access to or use of customer information. In the event of a confirmed or likely breach involving a customer's information, firms would have no more than 30 days to inform the affected customer.
Currently under Regulation S-P, covered firms have no requirement to notify customers about breaches, SEC Chairman Gary Gensler said at Wednesday's meeting. "I think we should close this gap," he added. "Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves."
Gail Bernstein, general counsel at the Investment Adviser Association, in a statement welcomed the Regulation S-P proposal. However, she added that the IAA expects to have "questions around the scope of how customer information is defined in the proposal, the duplicative and potentially inconsistent obligations imposed on advisers by the proposal in relation to other similar proposed rules, and the implications of proposed timeframes."
Separately, in a 3-2 vote with the commission's two Republicans dissenting, the SEC issued a proposal to require exchanges, broker-dealers and other market entities to establish, maintain and enforce written policies and procedures that are "reasonably designed to address their cybersecurity risks," according to a fact sheet.
And lastly, in a 3-2 vote with the two Republicans again dissenting, the commission proposed amendments to expand the scope of Regulation Systems Compliance and Integrity, or Reg SCI, which was initially adopted in 2014.
Self-regulatory organizations, like exchanges and registered clearing agencies, are already subject to Reg SCI, but the amendments proposed Wednesday would expand the rule's scope to include registered security-based swap data repositories and certain large broker-dealers.
The Reg SCI proposal would also require covered entities to have additional policies and procedures, including a program for the inventory, classification and life cycle management of SCI systems and indirect SCI systems, and a program to manage and oversee third-party providers, including cloud service providers, that provide or support SCI or indirect SCI systems.
Each of the proposals approved Wednesday will have 60-day comment periods upon publication in the Federal Register.
Under Mr. Gensler last year, the SEC unveiled other key cybersecurity-related rule proposals. On Wednesday the agency also reopened, for 60 days upon publication in the Federal Register, the comment period for a proposal it approved in February 2022 that would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm clients and investors.