As the threat of cybersecurity attacks and the prospect of identity theft continue to grow, the U.S. Securities and Exchange Commission (SEC) is adopting new rules that expand the obligations of financial firms to warn investors about privacy breaches.

The SEC voted unanimously on Thursday to adopt changes that aim to beef up the rules — introduced in 2000 — that govern the treatment of investors’ personal information by certain financial institutions.

Specifically, the amendments update the requirements for broker-dealers, investment companies, registered investment advisers and transfer agents to develop policies and procedures for detecting, responding to, and recovering from data privacy breaches, including a requirement for firms to warn customers whose personal information has likely been exposed in a breach.

“Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially,” said SEC chair Gary Gensler in a release. The amendments “will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”

“The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” Gensler said. “That’s good for investors.”

The rule changes will take effect 60 days after they’re published in the Federal Register.

Larger firms will then have 18 months to comply with the requirements, while smaller firms will get 24 months to comply.