SEC Proposes New Cyber Rules for RIAs, BDs

The Securities and Exchange Commission on Wednesday proposed new cybersecurity rules for broker-dealers, investment advisors and asset managers that require them to notify individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.

“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” SEC Chair Gary Gensler said Wednesday during the open meeting.

“I think we should close this gap,” he continued. ”Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves.”

Gensler said last May that the proposals were coming.

Wednesday’s proposal, if adopted, would update the rule’s requirements to address the expanded use of technology and corresponding risks since the Commission originally adopted Reg S-P in 2000, the agency said.

As the SEC explained, Reg S-P currently requires broker-dealers, investment companies and registered investment advisors to adopt written policies and procedures for the protection of customer records and information under the safeguards rule.