On September 25, 2025, the SEC held a webinar for large firms on Regulation S-P—the first of three compliance outreach events regarding its 2024 adoption of amendments to the regulation. The webinar did not announce any relief from the effective date of the amendments (currently December 3, 2025, for large firms, and June 3, 2026, for smaller entities). The webinar also provided guidance on the SEC’s expectations for Reg S-P compliance and confirmed the scope of Reg S-P to cover all customer information that a covered institution maintains.
Enclosed please find our key takeaways from today’s webinar:
- Scope of “Customer Information.” Exam Staff emphasized the expanded scope of “customer information” as amended, highlighting that it includes not only nonpublic information about the covered institution’s own customers, but also nonpublic information about customers of other financial institutions that has been provided to the covered institution.
- Applicability to Private Funds and Private Fund Advisers. With regard to private funds, Exam Staff confirmed that private funds are not themselves subject to Reg S-P, but noted that registered investment advisers (RIAs), including RIAs to private funds, are. Because the expanded scope of “customer information” covers information about customers of other financial institutions, an RIA that receives information about the “customer” of another financial institution is responsible for safeguarding that information under Reg S-P, even though the RIA itself has no “customer relationship” with those individuals.
- Incident Response Programs. Exam Staff discussed the scope of the incident response program requirements, including addressing questions about the notification timeline.
- Notification Timelines. Exam Staff emphasized both the varying timelines and the varying triggers for those timelines; namely:
- For issuing customer notifications, covered institutions have at most 30 days from the time they become aware that unauthorized access to or use of customer information has occurred or is reasonably likely to occur. While the requirement is only to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, the timeline is tied to becoming aware that any customer information may have been accessed or used without authorization.
- Reg S-P requires covered institutions to ensure that service providers provide notice to the covered institution no later than 72 hours after the service provider becomes aware a breach has occurred resulting in unauthorized access to a customer information system maintained by the service provider. That is, the service provider need not confirm that the covered institution’s customer information was accessed or used without authorization in order for the timeline to begin.
- Rebuttable Presumption of Notification. Exam Staff emphasized that Reg S-P imposes a rebuttable presumption to notify potentially impacted customers. While, based on investigation, it is possible that a covered institution may determine that notification is not needed, if the investigation is incomplete or inconclusive by the end of the notification timeline, the requirement is to notify.
- Regulation S-P Examinations. Exam Staff noted that it is not yet certain when examinations into Reg S-P compliance will begin, but that the expectation is that firms will be complying by the dates set forth in the final rule.
- Exams Focus. Exam Staff noted that examinations into Reg S-P compliance will build on existing IT and cyber examination frameworks. Staff also discussed their approach to cybersecurity exams more broadly, which addressed concepts that are not expressly covered by Reg S-P. For example, Exam Staff suggested tethering incident response programs to NIST’s cybersecurity framework, which discusses identification, protection, detection, response, and recovery. They also noted that they would expect, for example, some sort of data mapping showing that covered institutions know where data resides and how it moves. They also referenced the importance of monitoring controls, like a security information and event management (SIEM) tool.
In addition, Exam Staff addressed the importance of risk assessment. While general cybersecurity risk assessments are not required by the text of Reg S-P, Exam Staff said they expect covered institutions to have a process to identify, assess, and mitigate cyber risk.
- Industry Frameworks. Exam Staff emphasized the important guidance that industry frameworks, like NIST’s cybersecurity framework, can provide. They noted that Exam Staff rely on frameworks like NIST to develop their review and examination approach. While covered institutions are not required to comply with any particular framework, Exam Staff suggested their utility as a guide.
- Preparing for Compliance. Exam Staff provided some thoughts on steps covered institutions can take ahead of the amendments’ effective date. These included:
- Engaging stakeholders within the organization and at service providers to assist with compliance efforts;
- Reviewing policies and procedures both at the covered institution and service providers to ensure compliance;
- Testing processes to ensure they are operating effectively;
- Educating and training officers and staff; and
- Ensuring service providers are aware of the regulatory changes and can comply, which in some cases could include an attestation rather than mere representations.