Brokers and asset managers would have to notify their customers of data breaches as part of a raft of cybersecurity-related rules the Securities and Exchange Commission is set to vote on Wednesday.
The customer-notification requirement would give firms no more than 30 days to alert individuals whose sensitive information was likely to have been accessed without authorization. The new rule would come alongside additional expansions to the SEC’s 24-year-old regulation governing financial firms’ protection of customer data, which SEC Chair Gary Gensler tied to soaring reports of identity theft.
“Firms would need to help customers understand how to protect themselves from harm that might result from the breach,” Mr. Gensler said in a statement.
Some states already require financial firms to notify customers of data breaches, but the SEC never adopted an earlier proposal to establish federal standards.
The SEC’s five commissioners are set to vote on the proposal, along with two other measures. If a majority supports the proposals, as expected, they will be released for public comment for at least 60 days before being finalized.
Another rule proposal on the SEC’s docket would require entities such as broker-dealers and stock exchanges to maintain written policies and procedures to address cybersecurity risks.
SEC commissioners are also set to consider a third proposal that aims to improve the resilience of market infrastructure such as trading platforms and clearing agencies to account for new cybersecurity risks and wider usage of cloud-service providers.