SEC Cybersecurity Privacy Rules Expand Incident Response and Customer Notification Requirements

SEC-regulated financial firms are now operating under the expanded Regulation S-P cybersecurity and privacy regime, with the first compliance deadline already in effect for larger entities and the next milestone approaching for smaller firms. Larger covered institutions were required to comply by December 3, 2025, and smaller covered institutions must comply by June 3, 2026, making the coming months a key implementation window for firms that have not yet transitioned their policies and controls. 

The amendments apply across several SEC-regulated entities and are designed to standardize incident response expectations when customer information is accessed or reasonably likely to be accessed without authorization.
The updated rule requires covered institutions to adopt written incident response programs designed to detect, respond to, and recover from unauthorized access to customer information, including procedures to assess scope and contain incidents. It also establishes a customer notification standard requiring notice as soon as practicable and no later than 30 days after a firm becomes aware of unauthorized access or use (or a reasonable likelihood of it), subject to a reasonable investigation assessing whether the information is likely to be used in a way that causes substantial harm or inconvenience. 

In addition, the amendments require service provider oversight—due diligence and monitoring tied to the firm’s ability to meet notification obligations—raising the bar on vendor management for firms that rely on third parties for customer data handling.