22 October 2025

Privacy, Cyber & Data Strategy Advisory | Countdown To Expanded Obligations Under Reg S-P


Executive Summary

The compliance deadline for the Securities and Exchange Commission's amended Regulation S-P is fast approaching, requiring financial institutions to meet new safeguards for customer data privacy and incident response. Our Privacy, Cyber & Data Strategy Team outlines how the rule broadens coverage, heightens service-provider oversight, and adds recordkeeping requirements consistent with today's cybersecurity standards.

  • Larger financial institutions must comply with the amended Reg S-P by December 3, 2025
  • New requirements strengthen incident response, customer notification, and service-provider oversight
  • Expanded definitions provide broader protection for customer and consumer data

As the December 3, 2025 compliance date for the amendments to Regulation S-P (Reg S-P) nears, registrants with the U.S. Securities and Exchange Commission (SEC) should prepare to meet the requirements of the amended rule, which governs the privacy and safeguarding of consumer financial information and customer information.

Effective August 2, 2024, the amendments expanded both the protections for covered customer information and the institutions required to comply. Larger financial institutions have until December 3, 2025, with smaller entities to follow.

Reg S-P, as amended, applies to all broker-dealers, registered investment advisers, registered investment companies, funding portals, and transfer agents registered with the SEC or with federal banking regulators.

Key Provisions of the Amended Rule

Incident Response Program

Covered institutions must adopt and maintain an incident response program that includes written policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program must outline procedures to assess and contain incidents and notify affected customers. This requirement is not overly prescriptive, allowing covered institutions to adopt programs appropriate to their specific operations.

Customer Notification

Each covered institution's incident response program must include procedures for notifying impacted customers. If an incident occurs, covered institutions must notify any individual whose "sensitive customer information" was, or is reasonably likely to have been, accessed or used without authorization, unless a reasonable investigation shows data has not been, and is not reasonably likely to be, used in a way that could cause substantial harm or inconvenience.

"Sensitive customer information" includes any component of customer information, alone or combined with other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information, such as Social Security numbers, driver's-license numbers, biometric identifiers, or account credentials.

Notice must be provided to impacted individuals as soon as practicable but no later than 30 days after discovery. The Attorney General may delay notification by 30 days by providing a written determination that notification poses a substantial risk to national security or public safety, or up to 60 days in limited circumstances. The amendments also include notice content requirements that largely align with state data breach reporting requirements.

Service Provider Oversight

Covered institutions must maintain and enforce written policies and procedures reasonably designed to require service provider oversight, including through due diligence and monitoring. This includes requiring service providers to take appropriate measures to protect against unauthorized access to or use of customer information and to notify the covered institution within 72 hours of discovering a breach affecting customer information.

Recordkeeping

Recordkeeping obligations have expanded significantly. Covered institutions must document compliance with the Reg S-P safeguards and disposal rules and maintain records according to retention periods that vary by type of covered institution. More recent documents must be kept in easily accessible locations.

Expanded Protected Information

The amended rule expands the scope of information governed by Reg S-P to include both customer and consumer information. "Customer information" includes any record containing nonpublic personal information about a financial institution's customer, regardless of whether the covered institution possesses the information itself or the information is maintained on its behalf, including information received from other financial institutions about their customers.

In addition, secure disposal requirements now apply to both consumer and customer information.

Annual Privacy Notices

Covered institutions must provide annual privacy notices unless certain exemptions apply.

As the compliance date approaches, covered institutions should confirm compliance or identify areas where enhancements may be appropriate. Recommended steps include assessing and revising privacy and cybersecurity policies, conducting tabletop exercises to evaluate and refine incident response procedures, and ensuring that third-party service providers meet heightened oversight and reporting standards.

Taking these steps can strengthen compliance programs and reduce regulatory examination and enforcement risk ahead of the December 2025 deadline.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
