Nonbank financial institutions must report certain data breaches to the Federal Trade Commission (FTC) within 30 days of discovery under a new amendment to the agency’s Safeguards Rule.

The update to the rule, announced Friday, applies to cybersecurity incidents where the unencrypted information of at least 500 consumers is acquired without authorization. Covered entities must inform the FTC regarding the types of information accessed, the date range of the event, and the number of individuals affected.

The new requirement is scheduled to take effect 180 days after publication in the Federal Register.