
Financial institutions must reveal any data breaches experienced within a 30-day timeframe, according to SEC mandate.

The regulator's revised policy was implemented soon after companies were mandated to reveal significant security breaches within a week.

Financial institutions must publicly announce any data breaches they experience within a month's time, as mandated by the Securities and Exchange Commission (SEC).


The Securities and Exchange Commission (SEC) has announced new regulations aimed at improving transparency and protecting investors by requiring financial institutions to disclose material cybersecurity incidents within four business days. These new rules, part of a broader trend of increased focus on cybersecurity and data protection in the financial industry, will take effect 60 days after they are published in the Federal Register.

The amendments to Regulation S-P require covered entities to develop and implement formal policies and procedures for incident response in the event of a breach. This includes disclosing a material cybersecurity incident via Form 8-K within four business days of a materiality determination made “without unreasonable delay.”

The new rule expands the scope of covered institutions to include a broad range of financial institutions regulated by the SEC, such as broker-dealers, funding portals, investment companies, registered investment advisers, and transfer agents. Larger entities, those with over $1 billion in assets, must comply by December 3, 2025, while smaller companies have until June 3, 2026, to comply.

Key features of the new rule include the disclosure of a material cybersecurity incident, the reporting of details about the timing, nature, scope, and actual or anticipated impact of the incident, and new mandates around incident response policies, customer notification, service provider oversight, and recordkeeping. The regulations also include board accountability provisions requiring certification or explanation of cybersecurity expertise.

Failure to comply with the disclosure deadlines could result in penalties of up to $35 million per violation. These amendments took effect on August 2, 2024, but compliance deadlines are phased based on institution size, with the most stringent disclosure and procedural requirements fully enforced starting December 3, 2025, for larger entities.

These new regulations are part of a government-wide push to increase the pace of data breach disclosures and promptly alert individuals to potential exposure. In fact, just last week, the Federal Trade Commission amended rules to require nonbanking financial institutions to notify the agency of a security breach impacting at least 500 customers' data within 30 days.

As the nature, scale, and impact of data breaches have changed significantly over the past 24 years, the role of Chief Information Security Officers (CISOs) has become increasingly crucial in answering whether a company is a potential target for data breaches. Corporate stakeholders are increasingly interested in understanding the risk associated with their technology stacks, with a particular focus on that same question.

Multiple large enterprises, including Microsoft, First American Financial, Hewlett Packard Enterprise, loanDepot, and UnitedHealth Group, have disclosed security incidents since the SEC's rules took effect. The new regulations aim to provide investors with timely and accurate information about potential data breaches, allowing them to make informed decisions and take appropriate protective measures.


  1. The financial industry is now required to disclose material cybersecurity incidents within four business days due to new regulations from the Securities and Exchange Commission (SEC).
  2. These regulations aim to improve transparency and protect investors, extending to various institutions such as broker-dealers, investment companies, and transfer agents.
  3. Large entities, with over $1 billion in assets, need to comply by December 3, 2025, whereas smaller companies have until June 3, 2026.
  4. Key aspects of the new rules include disclosing a material cybersecurity incident, details about timing, nature, scope, impact, incident response policies, customer notification, service provider oversight, recordkeeping, and board accountability provisions.
  5. Failure to follow disclosure deadlines could lead to penalties of up to $35 million per violation, as part of a broader government push for increased data breach disclosures.
