May 22, 2025
On May 14, 2025, Keith Cassidy, the Acting Director of the SEC’s Division of Examinations (EXAMS), gave a speech on the history of, and latest amendments to, Regulation S-P. Aptly titled “Regulation S-P – Back to the Future,” the speech covered the need for stronger protections for investor information and the approach EXAMS expects to take when examining advisers for compliance with the amended Regulation S-P as the compliance deadline arrives.
Changing Landscape for Customer Information
In 2000, Reg S-P established standards for covered institutions on the security and confidentiality of customer data, protection against anticipated threats, and protection against unauthorized access to customer data. Since then, transactions have moved from phone calls and dial-up internet connections to smartphones and investment apps. Cyberattacks have ballooned: Cassidy noted that Microsoft reports 600 million cyberattacks on its users every day and that the FBI has received over 880,000 complaints of cybercrime.
Key Amendments to Regulation S-P
Cassidy encouraged everyone to review the new enhancements to Reg S-P and chose three enhancements to highlight in his speech:
Examinations and SEC Outreach
Cassidy highlighted that a series of outreach events are coming from EXAMS and the Division of Investment Management to promote readiness and assist firms with preparing for the amended rule. These events will cover what to expect when interacting with an exam team during an examination where Reg S-P is in scope, among other topics. The SEC will publish additional details about these events in the near future.
Cassidy analogized examinations involving Reg S-P to the rollout of the T+1 shortened settlement cycle. As we saw with examiner approaches to T+1 compliance: expect inquiries about preparation in examinations before the compliance date, which inform the SEC on industry readiness; look out for questions on written policies and procedures and on their implementation after the compliance date; and count on a Risk Alert summarizing any trends or risks relevant to registrants based on the information and observations gathered.
What Does This Mean for Me?
The biggest question remains unanswered – will the compliance deadline be moved? We’ve seen extensions of two compliance deadlines so far as the new administration took the reins (see Form SHO, Enhanced Form PF). Cassidy noted that they have received public requests to extend the compliance dates for the Reg S-P amendments. However, he gave no indication of any current plan to move the compliance dates. He stated that “[s]hould the Commission choose to extend the compliance date, the Division will adjust our timeline, as necessary, but our approach to promoting compliance with the new requirements will remain the same.”
Compliance will require internal training on incident detection, notification, and recovery; working with service providers on their procedures for detecting incidents and notifying the firm within the rule’s 72-hour window; and developing written policies and procedures. Given that, we recommend taking advantage of all of the time remaining for preparation. All of these requirements are also RIA cybersecurity best practices.
Our Cyber team offers full support for Reg S-P, including the most recent amendments. If you have questions or need assistance, let us know.