Financial institutions face approaching deadlines for compliance with the SEC’s amended Regulation S-P. Large organizations must comply by December 3, 2025, while small organizations have until June 3, 2026.
How can covered institutions comply with this regulation?
What are the requirements?
How does this regulation affect cybersecurity for financial institutions?
Here’s everything you need to know.
Key takeaways:
- The SEC’s amended Regulation S-P provides specific requirements for how covered institutions protect customer data.
- Large companies must comply by December 3, 2025, while small companies must comply by June 3, 2026.
- Covered institutions must implement several new measures, including an incident response plan and data breach notification policies, to comply with the amended Regulation S-P.
What is the SEC’s amended Regulation S-P?
The SEC’s amended Regulation S-P governs how financial institutions safeguard their customers’ data. It requires regulated organizations to provide written policies defining an incident response program covering the detection, response, and remediation of any incident leading to a breach of customer data.
These new requirements strengthen the protection of customer data without altering core privacy notice requirements. The regulation applies to all covered institutions, including broker-dealers, investment advisers, investment companies, transfer agents, and funding portals.
When does the SEC’s Regulation S-P go into effect?
The SEC’s amended Regulation S-P was finalized in May 2024, but it doesn’t go into effect until 2025 or 2026, depending on the size of the covered institution.
Here are the details of when the regulation goes into effect.
- Large companies must comply by December 3, 2025.
- Small companies must comply by June 3, 2026.

Which entities are required to comply with amended Regulation S-P?
Amended Regulation S-P applies to “brokers and dealers, funding portals, investment companies, investment advisers registered with the Commission, and transfer agents registered with the Commission or another appropriate regulatory agency” (SEC’s Compliance Guide for Small Entities).
How does the SEC define large and small organizations for compliance with Regulation S-P?
The SEC defines these sizes based on an organization’s entity type and the total value of the assets it owns or manages as of the end of its most recent fiscal year. Here are the definitions that the SEC uses.
Large entities
- SEC-registered investment advisers with $1.5B+ in assets under management.
- Investment companies with $1B+ in net assets, aggregated with related investment companies.
- All broker-dealers not classified as small entities under the Securities Exchange Act.
- All transfer agents not classified as small entities under the Securities Exchange Act.
Small entities
- Any covered institution that does not fit the above criteria.
What constitutes a “breach” that triggers notification under the amended regulation?
SEC amended Regulation S-P defines a breach as any unauthorized access to or use of sensitive customer information that has occurred or is likely to have occurred. Note that customer information includes PII (personally identifiable information) that represents a significant risk of harm or inconvenience if exposed to misuse. Typical PII in this scenario includes Social Security numbers, driver’s license numbers, and bank account information.
When a breach occurs, covered institutions are required to notify individuals as soon as possible, but no later than 30 days after the institution learns of the potential breach.
What should covered institutions do to comply with SEC Regulation S-P?
To comply with SEC Regulation S-P, covered institutions must implement several changes to their practices in cybersecurity and data security. Here are the requirements.
1. Implement an incident response program
Amended Regulation S-P requires covered institutions to adopt written policies and procedures that create an incident response program. The program must be “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information” (SEC Enhanced Regulation S-P Fact Sheet). The program must also include steps to:
- Assess the nature and scope of an incident
- Contain the breach
- Prevent further unauthorized access
2. Notify customers of a data breach
In the event of a data breach, amended Regulation S-P requires covered institutions to notify affected individuals within 30 days of discovering the breach. Institutions must provide details about the incident, the data that was affected, and specific actions individuals can take to protect themselves.
3. Adjust policies and procedures to comply with a new, expanded scope for the term “Customer Information”
Amended Regulation S-P now defines “customer information” to include any record containing nonpublic, personal information related to a customer. The definition applies to records in any form, whether paper, electronic, or some other type of stored communication. The definition also covers this information regardless of its source, thereby including information collected by the institution as well as information received from another financial institution.

4. Implement proper oversight of service providers
Covered institutions are now required to implement oversight measures governing their service providers. These measures must ensure that service providers notify them within 72 hours after learning of a data breach affecting customer information. Service providers must also maintain appropriate protections for customer data.
5. Implement proper disposal procedures for customer information
The amended regulation requires covered institutions to adopt written policies for the secure disposal of customer information. Covered institutions must also maintain documentation showing compliance with this stipulation.
6. Comply with the specific conditions of the exception if not delivering the annual privacy notice
A covered institution must meet two conditions to be exempted from the requirement to deliver an annual privacy notice. Those conditions are as follows:
- The organization must share nonpublic personal information only in ways that don’t require it to provide the customer an opportunity to opt out.
- The organization must not have changed its policies and practices regarding the disclosure of nonpublic personal information since the most recent privacy notice given to the customer.
How can organizations implement these measures?
Institutions without internal cybersecurity teams typically engage a compliance partner to help with implementing and maintaining the required controls. This approach provides the additional bandwidth required to achieve compliance and maintain it over the long haul. It also prevents internal resources from being diverted away from their essential duties.
The key is to find a provider who checks several boxes:
- Deep expertise in SEC cybersecurity compliance
- 100% predictable monthly pricing with unlimited service consumption
A partner who checks both boxes ensures that your covered institution practices compliance without an unpredictable impact on your budget.
The takeaway: Achieve compliance with SEC Regulation S-P
The clock is ticking for both large and small organizations. SEC Regulation S-P goes into effect soon for both groups. If your team needs assistance in achieving and maintaining compliance, Corsica Technologies is here to help. We’ve collaborated with 1,000+ companies to achieve their strategic goals through technology. Contact us today, and let’s get started on your SEC compliance journey.

Ready to take the next step in your compliance journey?
Reach out to schedule a consultation with our compliance specialists.


