SEC Cybersecurity Compliance: Update for 2025 and 2026

Which entities are required to comply with amended Regulation S-P?

Amended Regulation S-P applies to “brokers and dealers, funding portals, investment companies, investment advisers registered with the Commission, and transfer agents registered with the Commission to another appropriate regulatory agency” (SEC’s Compliance Guide for Small Entities).

How does the SEC define large and small organizations for compliance with Regulation S-P?

The SEC defines these sizes based on an organization’s entity type and the total value of the assets they either owned or managed as of the end of the most recent fiscal year. Here are the definitions that the SEC uses.

Large entities

• SEC-registered investment advisers with $1.5B+ in assets under management.
• Investment companies with $1B+ in net assets, aggregated with related investment companies.
• All broker-dealers not classified as small entities under the Securities Exchange Act.
• All transfer agents not classified as small entities under the Securities Exchange Act.

Small entities

• Any covered institution that does not fit the above criteria.

What constitutes a “breach” that triggers notification under the amended regulation?

SEC amended Regulation S-P defines a breach as any unauthorized access to or use of sensitive customer information in a scenario in which such access or use is likely to have occurred. Note that customer information includes PII (personally identifiable information) that represents a significant risk of harm or inconvenience if exposed to misuse. Typical PII in this scenario includes social security numbers, driver’s license numbers, and bank account information.

When a breach occurs, covered institutions are required to notify individuals as soon as possible, but no later than 30 days after the institution learns of the potential breach.

What should covered institutions do to comply with SEC Regulation S-P?

To comply with SEC Regulation S-P, covered institutions must implement several changes to their practices in cybersecurity and data security. Here are the requirements.

1. Implement an incident response program

Amended Regulation S-P requires covered institutions to adopt written policies and procedures that create an incident response program. The program must be “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information” (SEC Enhanced Regulation S-P Fact Sheet). The program must also include steps to:

• Assess the nature and scope of an incident
• Contain the breach
• Prevent further unauthorized access

2. Notify customers of a data breach

In the event of a data breach, amended Regulation S-P requires covered institutions to notify affected individuals within 30 days of discovering the breach. Institutions must provide details about the incident, the data that was affected, and specific actions individuals can take to protect themselves.

3. Adjust policies and procedures to comply with a new, expanded scope for the term “Customer Information”

Amended Regulation S-P now defines “customer information” to include any record containing nonpublic, personal information related to a customer. The definition applies to records in any form, whether paper, electronic, or some other type of stored communication. The definition also covers this information regardless of its source, thereby including information collected by the institution as well as information received from another financial institution.