Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 3 Dec. 2025, significant amendments to the U.S. Securities and Exchange Commission's Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information took effect for larger financial institutions, marking a substantial overhaul of the rule since its adoption in 2000 under the Gramm-Leach-Bliley Act.
Regulation S-P requires financial institutions to protect customer information by implementing privacy and security policies. The amendments effectively require covered financial firms to modernize and revamp these information protection standards in light of the cybersecurity threat landscape and the proliferation of major data breaches over the past two decades.
For example, the Regulation S-P amendments require investment advisers, including those to private funds with USD1.5 billion or more in assets under management, to develop, implement and maintain written policies and procedures addressing customer information safeguards, incident response, notification protocols, service provider oversight, disposal procedures and comprehensive recordkeeping requirements.
Understanding the scope, timeline and key changes
The 3 Dec. effective date applies specifically to "larger entities" as defined by the SEC, which includes SEC-registered investment advisers with USD1.5 billion or more in assets under management, investment companies with net assets of USD1 billion or more, and broker-dealers that are not classified as small entities under the Securities Exchange Act. Smaller covered institutions have until 3 June 2026 to achieve full compliance with the amended requirements.
The regulation applies broadly to what the SEC terms "covered institutions," which includes broker-dealers, funding portals, investment companies, registered investment advisers and transfer agents registered with the SEC or another appropriate regulatory agency. This expansion notably extends the safeguards rule and disposal rule to transfer agents for the first time, recognizing that these entities also maintain sensitive information about security holders.
The amendments introduce several fundamental changes that require careful attention from compliance officers and senior management at affected institutions.
Expanded definition of customer information
The amended Regulation S-P broadens the definition of "customer information" to include nonpublic personal information both of any customer of the covered institution and of customers of other financial institutions where such information has been provided to the covered institution. This represents a significant expansion from the previous framework, as firms are now responsible for protecting customer data regardless of the original client relationship. Whether information is maintained in paper, electronic or other formats, it falls within the scope of these enhanced protections.
The amendments also introduce the concept of "sensitive customer information," which represents a subset of customer information warranting special attention. This category includes data that, if compromised, could create a reasonably likely risk of substantial harm or inconvenience to the individual, such as Social Security numbers, government identification numbers, biometric records and account login credentials.
Mandatory incident response program
One of the most significant updates within the amendments involves the requirement for financial firms to develop and implement a formal incident response program. Specifically, the revised regulation requires covered institutions to adopt written policies and procedures establishing an incident response program to detect and respond to unauthorized access to customer information. This represents a shift from general safeguarding principles to specific, actionable protocols.
A compliant incident response program must include procedures to assess the nature and scope of any security incident, identify which customer information systems and types of data may have been compromised, and take appropriate steps to contain and control the incident to prevent further unauthorized access. The program must also be reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information, ensuring that firms can act swiftly and effectively when a data breach occurs.
Customer notification requirements
The amendments require covered institutions to provide notice to impacted customers as soon as reasonably practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has, or is reasonably likely to have, occurred.
Notifications are specifically required when sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization. The notices must be clear and conspicuous, provided through means designed to ensure each affected individual can reasonably be expected to receive them. Firms have flexibility in determining the appropriate notification method based on their customer base and the circumstances of the incident.
There are limited exceptions to the notification requirement. If, after reasonable investigation, a firm determines sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience to customers, notification may not be required. In addition, notification may be delayed if the U.S. attorney general determines it poses a substantial risk to national security or public safety, though such delays are time limited.
Service provider oversight
Recognizing that many financial institutions rely on third-party vendors to maintain and process customer information, the amendments impose new service provider oversight obligations. Firms must develop and maintain written policies and procedures reasonably designed to ensure that service providers supply written notification to the adviser of unauthorized access to customer information maintained by the service provider within 72 hours of becoming aware of such unauthorized access.
This 72-hour notification window is critical, as it ensures that covered institutions have sufficient time to conduct investigations and meet their own 30-day customer notification obligations. Firms should review and revise their vendor contracts to incorporate these notification requirements, establish clear communication protocols for security incidents and implement monitoring mechanisms to verify vendor compliance.
Enhanced recordkeeping obligations
Advisers must maintain written records documenting compliance with the amendments, including copies of relevant policies and procedures, incident reports, and notifications provided to affected individuals. The retention periods vary by institution type but generally align with existing recordkeeping requirements for each category of covered institution.
Specifically, firms must maintain records of written policies and procedures required under the safeguards rule — including incident response programs — as well as disposal rule procedures, service provider oversight arrangements, any detected unauthorized access incidents and responses, investigations and determinations regarding whether customer notification was required, and any written agreements with service providers regarding customer notification responsibilities.
Steps financial firms must take to comply
With the 3 Dec. deadline now in effect for larger entities, financial firms need to ensure they have completed the following compliance steps, while smaller entities should prioritize these actions before the 3 June 2026 deadline.
Conduct a comprehensive policy review. Covered financial firms should thoroughly review their existing cybersecurity and data protection policies to identify gaps relative to the amended requirements. This review should encompass current incident response protocols, customer notification procedures, service provider oversight mechanisms, data disposal practices and recordkeeping systems. Many firms that previously maintained general cybersecurity policies will need to develop more specific, detailed procedures that explicitly address the requirements of the amended regulation.
Develop and document incident response programs. If they do not already have them, covered institutions must create formal written incident response programs or significantly enhance existing programs to meet the new standards. These programs should clearly outline procedures for detecting potential security incidents, assessing the nature and scope of unauthorized access, determining which systems and data types have been affected, containing and controlling incidents to prevent further compromise, investigating incidents to determine notification requirements, and coordinating customer notifications within required timeframes.
Revise service provider contracts and oversight. Firms must systematically review contracts with all service providers that have access to customer information. Contracts should be revised to require 72-hour notification of security incidents involving customer data, establish clear definitions of what constitutes a reportable incident, specify the format and content of notifications the vendor must provide, and outline the service provider's responsibilities for customer notification if the covered institution delegates this function.
Beyond contractual revisions, financial firms should implement ongoing monitoring programs to assess vendor compliance with security standards, conduct periodic audits of service provider information security practices, maintain regular communication channels for security-related issues and require vendors to provide evidence of their own incident response capabilities.
Create customer notification templates and procedures. Firms should develop a notification template now so they can quickly notify customers if a breach occurs. These templates should be clear, conspicuous and designed to provide affected individuals with the information they need to respond appropriately. The templates should describe the nature of the incident, the types of sensitive information affected, the steps the firm has taken to address the incident, contact information for questions and concerns, and resources available to help affected individuals — such as credit monitoring services.
Enhance recordkeeping systems. Covered institutions must implement systems to maintain required records for the applicable retention periods. This includes: establishing centralized repositories for policies and procedures documentation; creating incident tracking systems that document detection, response and recovery activities; maintaining logs of customer notifications sent and methods used; preserving service provider agreements and related oversight documentation; and implementing secure storage with appropriate access controls and backup procedures.
Train staff and test systems. Compliance with the amended regulation requires more than documentation — it demands organizational readiness. Firms should provide training to relevant personnel on new policies and procedures, establish clear roles and responsibilities for incident response, conduct regular drills to test incident response capabilities, review and update procedures based on lessons learned from exercises and actual incidents, and ensure senior management understands their oversight responsibilities.
Looking ahead
The amendments to Regulation S-P acknowledge a need for financial firms to reassess how they collect, store and protect customer information in the modern financial services environment. By establishing rigorous standards for incident response, customer notification and service provider oversight, the SEC is attempting to establish a robust framework designed to enhance protection of sensitive customer information.
For covered institutions, compliance is not merely a matter of checking regulatory boxes. It requires a fundamental commitment to robust information security practices, transparent communication with affected individuals when incidents occur, and continuous monitoring and improvement of protective measures.
Patrick Austin, CIPP/E, CIPP/US, CIPM, FIP, PLS, is an attorney in the cybersecurity and data privacy practice group of Woods Rogers.
