December 16, 2025
What happened?
The SEC recently published settled charges against a dual-registrant for compliance failures under the prior version of Regulation S-P. From July 2019 to March 2024, the dual-registrant failed to maintain reasonably designed policies and procedures on cybersecurity, protecting customer information, and identity theft prevention. The registrant had over 100 branch offices during this time, and not all of them had adopted policies on cybersecurity or necessary controls like multi-factor authentication, incident response policies, or security awareness training.
This lack of preparation had a cost. Email accounts of 17 registered representatives and employees at 13 branch offices were accessed by unauthorized third parties who sent malicious phishing and credential-harvesting emails from the compromised accounts to approximately 8,500 individuals. This unauthorized activity resulted in a significant number of customer email account takeovers, the exposure of customer records and personally identifiable information to bad actors, and one instance of an unauthorized wire from a customer account.
The firm also failed to update its Identity Theft Prevention Program pursuant to Regulation S-ID during this period of escalating cybersecurity threats.
For these reasons, the firm was censured and charged $325,000 in civil penalties.
Additional SEC Outreach on Amended Reg S-P
The SEC also announced that it will hold the second of three planned compliance outreach seminars on Amended Regulation S-P (“Reg S-P”) on December 17, 2025. This second webinar will focus on the impact of the amended regulation on transfer agents. The first webinar was held before the government shutdown and focused on large firms. If you missed it, the long-awaited video recording has now been published by the SEC post-shutdown.
What does this mean for me?
It is nice to see that the SEC has gotten back to the Amended Regulation S-P webinars and shared the recording of the first webinar, as promised back in September. This is yet further evidence that this new requirement is and will remain a key focus area for the SEC.
The enforcement action is a reminder that firms have and will continue to have obligations under Regulation S-P and Regulation S-ID. Failure to implement newly adopted policies and procedures for Amended Regulation S-P risks similar outcomes. It takes training, employee awareness, and ownership of safeguarding client information to avoid the threat of bad actors and save clients from a similar fate.
If you are not prepared to comply with Amended Regulation S-P, our team of SEC experts provides full support for all aspects of Amended Regulation S-P. Whether you are a large entity, managing over $1.5 billion, that just passed the December 3, 2025, compliance deadline for larger entities, or you are a smaller entity managing less than $1.5 billion and preparing for the June 3, 2026, compliance deadline, we recommend that you work carefully to strengthen your compliance program.
Amended Regulation S-P was one of the rulemakings name-checked in the SEC Division of Examinations 2026 Examination Priorities. The regulation requires specific policy and procedure updates, testing of the Incident Response Program, and extensive due diligence reviews of Service Providers. These items can be very time-consuming. If you have questions or need support, let us know.