
SEC’s Regulation S-P Amendments: What Organizations Need to Know

Oct 10, 2025

The SEC’s May 2024 amendments to Regulation S-P modernize data privacy rules for financial institutions, establishing a federal baseline for data protection and breach notification. The changes require firms to implement formal incident response programs, notify affected clients within 30 days of a breach, oversee vendors with strict reporting standards, and maintain detailed records for five years. Large firms must comply by December 2025 and smaller ones by June 2026. These updates make safeguarding client data a clear regulatory obligation rather than a best practice.


By: Mederic Daigneault

VP, Regulatory Services
Comply

On May 15, 2024, the Securities and Exchange Commission (SEC) adopted significant amendments to Regulation S-P, the privacy rule that governs how financial institutions handle nonpublic personal information. These changes modernize the rule to address new risks arising from technology, data sharing, and cross-organizational data flows. 

These updates set a federal baseline for data protection and breach notification. The SEC held a webinar on September 25 entitled “Compliance Outreach on Regulation S-P” to outline the steps firms must take in order to comply with the new regulations. 

Who Must Comply 

  • Broker Dealers 
  • Investment Companies 
  • SEC Registered Investment Advisers 
  • Funding Portals 
  • Transfer Agents registered with the SEC or another appropriate regulatory agency 

Why This Matters 

Since Regulation S-P was first adopted in 2000, firms have vastly expanded how they collect, share, and store customer data. With these changes come higher risks of unauthorized access and data misuse. The amendments: 

  • Establish a federal minimum standard for data breach notifications. 
  • Require formalized incident response programs. 
  • Expand the definition and scope of customer information subject to the safeguarding and disposal rules.

Key Definitions 

  • Customer Information: Any record containing nonpublic personal information about a client (whether paper, electronic, or otherwise) that the firm holds, or a service provider maintains on its behalf.
  • Sensitive Customer Information: Data that, if compromised, could cause substantial harm or inconvenience. Examples include:
      • Social Security numbers, driver’s license or passport numbers
      • Tax IDs, biometric data, electronic identifiers, routing codes
      • Usernames combined with passwords or security codes
  • Information Systems: The firm’s electronic resources (both physical and virtual) used to collect, process, store, share, or manage company data. This includes the technology and infrastructure that support day-to-day operations and protect against risks such as cyberattacks, ransomware, or other security threats.
  • Service Provider: Any individual or company that, while delivering services to the firm, is given access to client information — whether they store it, process it, or handle it in any way.

New Core Requirements 

  1. Incident Response Programs
      • Firms must adopt written policies to detect, respond to, and recover from unauthorized access to customer information.
      • Programs must:
          • Assess the nature and scope of incidents
          • Contain and control threats (e.g., isolating systems, rotating keys, changing passwords)
          • Document findings and remediation steps
      • For those incidents that involve loss of client funds, the firm will also maintain the following:
          • The amount of actual client losses associated with the cyber incident;
          • The amount of client losses reimbursed by the firm;
          • Whether the firm had cybersecurity insurance coverage;
          • Whether any insurance claims related to cyber events were filed; and
          • The amount of cyber-related losses recovered pursuant to the firm’s cybersecurity insurance coverage.
  2. Customer Notifications
      • Impacted clients must be notified as soon as possible, but no later than 30 days after discovery.
      • Notices must include:
          • General description of the incident
          • What type of information was accessed
          • Dates or date ranges of the incident
          • Contact information for client inquiries
          • Steps clients can take (fraud alerts, credit monitoring, reviewing statements)
          • Government resources such as the FTC’s identity theft guidance
      • Exception: No notice is required if the firm reasonably determines the data is not likely to be used in a way that causes harm.
  3. Service Provider Oversight
      • Firms must oversee vendors through due diligence and monitoring.
      • Vendors must:
          • Protect against unauthorized access
          • Notify the firm of breaches within 72 hours
      • Firms may contractually delegate notice delivery to vendors but retain ultimate responsibility.
  4. Recordkeeping
      • Firms must maintain records of:
          • All incidents and how they were addressed
          • Notifications made to clients
          • Compliance with the safeguards and disposal rules
      • Retention period: Five years

Compliance Timeline 

  • Large firms (over $1.5B AUM): Compliance by December 3, 2025 
  • Smaller firms (under $1.5B AUM): Compliance by June 3, 2026 

The amended Reg S-P makes it clear that protecting sensitive client data is no longer “best practice” – it is a regulatory obligation with strict timelines and oversight. Firms should begin mapping data flows, strengthening vendor contracts, and testing incident response plans. Now is also a good time to review cyber insurance coverage.

Firms will now be expected to conduct regular reviews of their systems to identify risks. These updates to Reg S-P set a new federal standard that applies across all firms, giving clients and their data more consistent protection, no matter where they do business.
