1 October 2025

SEC Compliance Outreach On Regulation S-P For Large Firms

K&L Gates LLP

On 25 September 2025, staff from the US Securities and Exchange Commission's (SEC) Divisions of Examinations, Investment Management, and Trading and Markets hosted a webinar discussing the amendments to Regulation S-P and what to expect when Regulation S-P is in scope of an exam. The amendments, among other things, require brokers, dealers, registered investment advisers, investment companies, and transfer agents (covered institutions) to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately.

Incident Response Program Framework

The staff indicated that, while there is no prescriptive requirement for a covered institution to follow the NIST Cybersecurity Framework or the ISO standard, the staff will use such frameworks as reference points when assessing a covered institution's incident response program.

Oversight of Service Providers

The staff noted that the ultimate responsibility to protect customer information lies with the covered institution. If a service provider has access to or stores customer information, covered institutions must conduct appropriate due diligence and ongoing monitoring of such service provider to ensure that it takes appropriate measures to protect against and, if necessary, respond to breaches.

Examination Focus

The staff of the Division of Examinations will tailor exams to the covered institution's network structure. The staff will seek to understand, among other information, how customer data is collected, used, and managed within the network, how it moves throughout the organization, and what controls are in place to protect it. The staff expects to see an iterative risk assessment process and an incident response program capable of achieving its core goal of identifying a breach.

The compliance date for large firms is 3 December 2025. Our lawyers are available to advise covered institutions on compliance with the amendments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.