
RISK MANAGEMENT—SEC to help firms get ready for Reg S-P compliance - 23 May 2025

Requirements to notify customers of data breaches, among other new rules, will kick in later this year.

Keith Cassidy, the SEC’s Acting Director of the Division of Examinations, described the staff’s plans to ensure firms are ready to comply with amendments to Regulation S-P. Broker-dealers, investment companies, advisers, and transfer agents will be required to comply with the amendments, which require them to implement an incident-response program, notify customers of security incidents, and oversee third-party providers, as soon as December of this year. Cassidy said firms should expect Exams staff to reach out before then to get a sense of the industry’s readiness and that an examination or enforcement initiative is likely after the compliance dates pass.

One year ago, the SEC amended Regulation S-P to require securities firms to notify customers of a data breach. The millennium-era rule already required firms to notify customers about the use of their information, but the amendments expanded notification and data-disposal requirements. They also require covered institutions (which newly include transfer agents) to implement an incident-response program as well as written policies and procedures to ensure third-party providers are providing required customer notices.

Larger entities will have to comply with the rule in December 2025, and smaller firms in June 2026, although Cassidy noted that there have been requests to extend these dates.

In his remarks at the FINRA Annual Conference, Cassidy detailed the SEC divisions’ plans to help covered firms get ready for compliance. The Division of Examinations, in coordination with Investment Management and Trading and Markets staff, will soon be hosting three outreach events that will discuss the staff’s approach and cover the basics of what to expect during an examination.

Cassidy said that as the compliance dates approach, the Division of Examinations will conduct examinations to help understand where firms are in the process of implementation. These inquiries are similar to the approach taken during the transition to T+1 settlement and are not directed at citing registrants for noncompliance, Cassidy said. However, once compliance is required, it could be included in any examination of a covered institution.

“With the Commission’s clear statement of the importance of this issue, registrants shouldn’t be surprised if Regulation S-P is the subject of a thematic initiative in the coming fiscal years.”

© 2025 CCH Incorporated and its affiliates and licensors. All rights reserved. 
