In light of the recent global CrowdStrike outage, regulators are reminding the industry of their cybersecurity risk management compliance responsibilities.
The Securities and Exchange Commission has enacted Regulation S-P that encompasses cybersecurity and privacy regulations for “covered entities” (investment advisors, registered investment companies, securities broker-dealers, clearing agencies, securities-based swap participants, securities-based swap data repositories, securities swap dealers, transfer agents and the Municipal Securities Rulemaking Board).
Reg. S-P requires covered entities to enact written policies and procedures for incident response programs to address unauthorized access or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately.
Reg. S-P is effective today, August 2, 2024.
It now requires covered entities to provide immediate written electronic notice of a significant cybersecurity incident to the SEC “upon having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring”
Furthermore, said electronic notice must be filed with the SEC no later than 48 hours after the covered entity has a reasonable basis to conclude that the incident has occurred or is occurring. The incident must be filed via a Form SCIR with the SEC’s EDGAR portal.
Feel free to reach out to us for a confidential discussion of your cybersecurity risk management compliance or the state of your incident response preparedness.
The attached is the link to the regulation, as well as the SEC’s 2-page Fact Sheet on Cybersecurity Risk Management, as well as the final Regulation S-P rule making (186 pages). Click on the icon to open the pdf documents: