SEC amends Regulation S-P: What financial firms need to know


Contributors:
Patrick Austin
CIPP/E, CIPP/US, CIPM, FIP, PLS
Data Privacy & Cybersecurity Counsel
Woods Rogers Vandeventer Black PLC
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 3 Dec. 2025, significant amendments to the U.S. Securities and Exchange Commission's Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information took effect for larger financial institutions, marking a substantial overhaul of the rule since its adoption in 2000 under the Gramm-Leach-Bliley Act.
Regulation S-P requires financial institutions to protect customer information by implementing privacy and security policies. The amendments effectively require covered financial firms to modernize and revamp these information protection standards in light of the cybersecurity threat landscape and the proliferation of major data breaches over the past two decades.
For example, the Regulation S-P amendments require investment advisers, including those to private funds with USD1.5 billion or more in assets under management, to develop, implement and maintain written policies and procedures addressing customer information safeguards, incident response, notification protocols, service provider oversight, disposal procedures and comprehensive recordkeeping requirements.
Understanding the scope, timeline and key changes
The 3 Dec. effective date applies specifically to "larger entities" as defined by the SEC, which includes SEC-registered investment advisers with USD1.5 billion or more in assets under management, investment companies with net assets of USD1 billion or more, and broker-dealers that are not classified as small entities under the Securities Exchange Act. Smaller covered institutions have until 3 June 2026 to achieve full compliance with the amended requirements.