The Securities and Exchange Commission (SEC) is putting a spotlight on security incident reporting. This summer, the SEC announced a rule change that requires certain financial institutions to notify individuals within 30 days of determining their personal information was compromised in a breach. Larger entities will have 18 months to comply, and enforcement will begin for smaller companies in two years.
This new rule change follows cybersecurity disclosure requirements for public companies that were adopted only a year prior -- and implemented on December 18, 2023 for larger companies and June 15, 2024 for smaller reporting companies. These changes are already having an impact on disclosures, even if not in the way the SEC intended.
More Info