
SEC Amends Regulation S-P: What Changed and Why It Matters

The SEC recently amended Regulation S-P, significantly changing how covered financial institutions must approach data protection and incident response. The amendments are designed to modernize privacy protections and expand the scope of the safeguards required for customer information.

The amendments shift the focus away from traditional, general safeguards policies and toward structured, comprehensive incident response programs that integrate detection, containment, reporting, and recovery.


Expanded Incident Response Program Requirements

Under the amended Reg S-P, covered institutions must establish and maintain written incident response programs that are reasonably designed to:

  • Assess the nature and scope of incidents involving unauthorized access to or use of customer information.
  • Identify affected systems and data to determine risk and response needs.
  • Contain and control incidents to prevent further unauthorized access or harm.
  • Notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed without authorization.

Notifications must be delivered as soon as feasible, and no later than 30 days after an institution becomes aware of a qualifying incident. The notice must describe the breach, the information affected, and the steps the recipient can take to protect themselves.


Service Provider Oversight and Notification Expectations

The amended rule also requires institutions to oversee service providers that handle customer information. Policies must guarantee that service providers:

  • Protect customer data against unauthorized access and misuse.
  • Notify the institution within 72 hours after becoming aware of a security incident affecting a customer information system.

Institutions remain responsible for ensuring that notifications to affected customers are timely and compliant, even when a service provider delivers those notifications directly.


Compliance Dates and Scope Expansion

The compliance timeline depends on firm size:

  • Larger entities (e.g., RIAs with AUM of $1.5 billion+) were required to comply by December 3, 2025.
  • Smaller entities must comply by June 3, 2026.

The amendments also expand the range of covered institutions and information types, broadening both who must comply and what data is subject to protection under Reg S-P.


Strategic Implications for Financial Firms

Firms must now hard-wire incident response roles and reporting protocols into compliance programs rather than relying on general safeguards policies. This includes:

  • Defining clear incident response roles and responsibilities.
  • Regularly testing and updating response procedures.
  • Documenting compliance efforts and maintaining records.

The changes align federal requirements with evolving cybersecurity risk management practices and aim to provide a consistent approach to breach response across covered institutions.

Sallah Astarita & Cox: Representing Advisors, Investors and Firms, Nationwide.
Securities Attorney at Sallah Astarita & Cox | 212-509-6544 | mja@sallahlaw.com

Mark Astarita is a nationally recognized securities attorney, who represents investors, financial professionals and firms in securities litigation, arbitration and regulatory matters, including SEC and FINRA investigations and enforcement proceedings.

He is a partner in the national securities law firm Sallah Astarita & Cox, LLC, and the founder of The Securities Law Home Page (SECLaw.com), one of the first legal topic sites on the Internet. It went online in 1995 and is updated daily with news, commentary and securities-law-related links.

The Securities Lawyer