Over two decades ago, the Securities and Exchange Commission (SEC) adopted Regulation S-P to require broker-dealers, registered funds, and investment advisers to adopt written policies and procedures covering safeguards that protect customer records and information. The cyber landscape was markedly different in the year 2000 when the SEC made its foray into information security. The world had only recently emerged from Y2K panic, in which many people, including corporate and government leaders, feared the internet would crash on New Year’s Eve and possibly cripple modern civilization. While the move toward digital banking had begun, only 43% of Americans were online—just 17% of those internet users had ever engaged in any kind of online banking. And that year, the first truly global computer virus—a worm called ILOVEYOU—infected millions of systems and revealed to a largely cyber-indifferent public the dangers posed by online threat actors.

Since 2000, technological advances have transformed how customers interact with financial institutions and how such firms store, process, and protect personal information. The proliferation of large-scale hacks and data breaches throughout this time—Heartland Payment Systems, Sony, the Office of Personnel Management, Target, Neiman Marcus, Yahoo!, Equifax, Home Depot, even the SEC—simultaneously demonstrated the difficulty of data protection given the ever-evolving nature of cybercrime. Despite these developments, the SEC did not update Regulation S-P, or promulgate additional binding cybersecurity rules, until now.

Deluge of Proposed Cybersecurity Rules Following Decades of Inertia