Financial institutions not affiliated with banks are required to disclose any data security breaches, as mandated by the Federal Trade Commission.
The Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have recently announced new regulations aimed at enhancing cybersecurity measures for companies that handle sensitive financial data.
Starting December 2022, the SEC will require publicly traded companies to report any cybersecurity incidents that the company deems "material." The rule is designed to ensure that companies disclose material cybersecurity information, to the benefit of investors, companies, and the markets connecting them. According to SEC Chair Gary Gensler, whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors.
Meanwhile, the FTC has amended the Safeguards Rule, a regulation mandated by Congress under the 1999 Gramm-Leach-Bliley Act. The amendment requires non-banking financial institutions like mortgage brokers, motor vehicle dealers, and payday lenders to report data breaches to the FTC. The breach notification requirement for these institutions will become effective 180 days after being published in the Federal Register.
The Safeguards Rule already requires financial institutions to have a comprehensive security program to keep customer information confidential. However, the new amendment aims to provide companies with additional incentive to safeguard consumers' data. Samuel Levine, director of the FTC's Bureau of Consumer Protection, stated that companies that are trusted with sensitive financial information need to be transparent if that information has been compromised.
One instance of a cyber attack involved Flagstar Bank, where customer information was accessed without authorization through one of its file transfer applications. Around 837,390 of its customers were impacted by the breach. Under the amended Safeguards Rule, the report to the FTC must be made within 30 days of discovering a breach affecting at least 500 consumers. The notice to the FTC must include information about the breach, including the number of consumers affected and those at risk.
The FTC also asked for comments on a proposed supplemental amendment to the Safeguards Rule in October 2021. This proposed amendment would require financial institutions to report certain data and security breaches. The new Federal Trade Commission cybersecurity incident reporting rule for non-banking financial institutions will come into effect starting September 19, 2025.
The SEC's rule and the FTC's amendment to the Safeguards Rule are part of a broader effort to strengthen cybersecurity standards and protect consumers' personal and financial information. As companies continue to digitise their operations, the importance of robust cybersecurity measures cannot be overstated.