Adopted Amendments to Reg S-P
SEC Releases
Introduction
The Acting Director of the Division of Examinations, Keith Cassidy, spoke last week about the approach the Division is taking to the adopted amendments to Reg S-P.
The amendments were adopted to strengthen the protection of customer information, since the cybersecurity threat landscape has grown dramatically since the rule was first adopted in 2000.
Cassidy began by noting that Microsoft reports roughly 600 million cyberattacks per day, and that the FBI reported over $12.5 billion in losses from cybercrime in 2023.
Key Enhancements
- Incident Response Programs must be written into policies and procedures and be reasonably designed to:
- Detect, respond to, and recover from unauthorized access to or use of customer information.
- Assess the nature and scope of any incident and identify the customer information and information systems that may have been affected.
- Take appropriate steps to contain and control the incident and prevent further unauthorized access or use.
- Customer notification must be prompt and accurate:
- Customers whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization must be notified.
- Notification must be made as soon as practicable, but no later than 30 days after the firm becomes aware that the unauthorized access or use occurred or is reasonably likely to have occurred.
- Vendor Due Diligence
- Firms must have policies and procedures that provide for appropriate oversight of third-party service providers that receive, maintain, process, or otherwise access customer information.
- Oversight includes taking reasonable steps to ensure the vendor protects that information and notifies the firm of a breach as soon as possible, and no later than 72 hours after the vendor becomes aware of it.
- The ultimate obligation to comply with Reg S-P remains with the covered institution, not with the outsourced party.
The Division’s Next Steps
- Three tailored outreach events will be hosted to promote readiness and assist firms in preparing their programs for the new amendments.
- Examiners are likely to ask about firm preparations to comply with the Rule before the compliance date. The goal is to gauge industry readiness rather than to cite registrants for non-compliance, and the Division may use what it learns to produce Risk Alerts or other publications that assist the industry with compliance.
- Although the industry has requested an extension of the compliance date, firms should understand the Commission's clear commitment to this issue.
- Firms should expect this regulation to be covered in any examination that occurs after the compliance date, along with possible sweeps or other "thematic initiative[s] over the coming fiscal years."
Vigilant’s Conclusion
As a reminder, the compliance date for larger entities (investment companies with $1 billion or more in combined net assets, RIAs with $1.5 billion or more in AUM, and broker-dealers and transfer agents that are not small entities under the Securities Exchange Act) is December 3, 2025. For smaller entities (everyone else), the compliance date is June 3, 2026.
Firms should start planning now: a gap analysis and risk assessment will highlight deficiencies in current policies and procedures. It is vital that firms document the steps they are taking to reach compliance, and it is prudent to engage experienced compliance professionals to make the process as efficient and cost-effective as possible.
Vigilant brings over 500 years of combined compliance experience to the table. That depth of insight can help your compliance department adapt quickly to the new requirements, allowing your resources to focus on business goals while avoiding costly compliance mistakes.
Reach out to us today with any questions.