(Reuters) – Wall Street’s top regulator on Thursday said it had updated rules to ensure investment companies and others work to detect and respond to hackers’ theft of customer data.
The changes, approved unanimously by the five-member U.S. Securities and Exchange Commission, apply to rules first adopted in 2000.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said in a statement, adding that this required regulations to keep pace.
Under the changes announced Thursday, broker-dealers, investment companies, registered investment advisers and others will be required to maintain incident response programs to detect, respond to and recover from cyber-theft of customers’ personal data as well as notify individuals whose information may have been accessed without authorization, according to the SEC.
Companies affected by the rules will have to come into compliance 18 months to two years from the date the changes appear in the Federal Register, according to the agency.
