SEC Releases Cybersecurity Final Rule

The Securities and Exchange Commission (SEC) has issued a final rule to address cybersecurity risks. According to an SEC fact sheet, the rule will require broker-dealers and certain other entities (collectively referred to as "covered institutions"), to establish, maintain, and enforce written policies and procedures designed to address cybersecurity risks.

The amendments require covered institutions to adopt an incident response program as part of their written policies and procedures under the safeguards rule. The amendments require an incident response program to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Additionally, covered institutions must notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed without authorization. The amendments require a covered institution to provide the notice as soon as practicable, but generally no later than 30 days after becoming aware that unauthorized access of customer information has occurred. The final rule also makes other changes to safeguards and disposal rules.

According to the fact sheet, larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.