SEC bats for data privacy, cyber security compliance

 

The SEC has written to the Philippine Stock Exchange (PSE) and the Philippine Dealing & Exchange Corp. (PDEx) to “remind all market participants of the requirements of data privacy and data protection regulations which may have an impact on the business processes of private entities, including capital market participants.”

These entities were required to submit a compliance report within 30 days, based on a letter dated Oct. 5 issued by SEC director Vicente Graciano Felizmenio Jr.

Trading participants and other stakeholders of the PSE were likewise required to submit such a compliance report.

This comes on the heels of reports that the U.S. SEC was now running after firms with deficient cybersecurity systems, alongside the report of a data breach at the online store of broadcasting giant ABS-CBN.

The Data Privacy Act of 2012 aims to protect personal data in information and communication systems, both in the government and the private sector. It mandates entities or organizations processing personal data to establish policies and implement measures that guarantee the safety and security of personal data under their control or custody.

Personal information controllers or personal information processors that employ more than 250 persons are required to register with the National Privacy Commission. Also required to register are those that have fewer than 250 employees but whose processing of information includes sensitive personal information of at least 1,000 individuals and is likely to pose a risk to the rights and freedom of data subjects.

These entities are also expected to produce a privacy manual and institute a privacy management program as part of their corporate governance responsibilities.

Under the Securities Regulation Code, the SEC also noted that market participants were mandated to put in place a comprehensive information technology (IT) plan. They are likewise required to subject their IT, trading, business continuity, disaster recovery and risk management systems to a regular review and audit by an independent firm.

These requirements are designed to ensure that trading in the market is efficient, not interrupted and not susceptible to glitches.

The SEC added that it would likewise want to ensure protection of personal and other data against any accidental or unlawful destruction, alteration and disclosure, and against any other unlawful processing.
