Amended Regulation S-P is the one rule whose compliance deadline was not moved by the new administration. The SEC reinforced its focus on this new rule during a series of webinars on the new requirements. Additionally, the compliance deadline has passed for larger entities (Dec. 3, 2025, for those with $1.5B or more in AUM), giving us insight into the Division of Examinations’ approach to Amended Regulation S-P exams and the SEC’s overall expectations for covered institutions.
Whether you are a larger entity that wants to ensure your program meets these new requirements, or a smaller entity (less than $1.5B AUM) that wants to make sure you are prepared to comply, reviewing the below can help you navigate these common Amended Regulation S-P compliance challenges.
What it is: Under Amended Regulation S-P, covered institutions must ensure that service providers provide notice within 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.
Why it’s challenging: Service providers unfamiliar with or unsympathetic to the requirements of covered institutions might make no effort to help a covered institution meet this requirement. They may be unwilling to amend their contract to provide notice within the 72-hour period, so covered institutions must be able to adapt in such circumstances.
Recommendation: The SEC has confirmed that including a 72-hour notice provision in a service provider’s agreement is not the only way to comply with this requirement. Confirmation could be provided via attestation, in an email, through the service provider’s own policies, or through a documented due diligence questionnaire. We have also been pleasantly surprised to see that many larger, well-known vendors that are commonly used in the industry are providing confirmation of their intent to provide notice within 72 hours.
What it is: Private funds themselves are excluded from Amended Regulation S-P. However, managers of private funds that are registered investment advisers are in scope because registered investment advisers are covered institutions.
Why it’s challenging: Advisers to private funds may fail to prepare if they are unaware of their obligations. Firms must determine if they need to comply with Amended Regulation S-P, and if so, to what extent customer information of any covered institution is shared with them.
Recommendation: Information of the investors in your private funds, such as individuals that are limited partners, is within the scope of Amended Regulation S-P. Fully preparing for the requirements, including an Incident Response Plan, customer notification of breaches, Vendor Management, ensuring 72-hour notification, and the disposal and safeguarding of records, is necessary when private fund managers touch customer information.
What it is: Covered institutions are required to maintain policies and procedures regarding Incident Response and Vendor Management. The policies must be tailored to Amended Regulation S-P, so while similar policies may already be in place, updates are needed to reflect the regulation’s language and definitions used therein.
Why it’s challenging: Prior to Amended Regulation S-P, “incident response” was often used as a synonym for business continuity and disaster recovery. Existing Incident Response Plans, other policies and procedures, and vendor due diligence policies written for prior rules may give advisers a false sense of security.
Recommendation: Written policies and procedures must be updated for Amended Regulation S-P. Any pre-existing policies and procedures regarding unauthorized use or access to non-public information or management of vendors must be reviewed to ensure they align with the amendments and revised as necessary.
What it is: Customer information is any record containing non-public personal information about a customer that is handled or maintained by a financial institution. This includes information about the financial institution’s own customers and also about customers of any other financial institution. Sensitive information is any component of customer information, alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.
Why it’s challenging: Customer information is the broader of the two categories. While the notification requirements apply only to sensitive information, incident response applies to all customer information. This means the monitoring and detection, investigation documentation and determination of a breach, as well as the proper safeguarding and disposal requirements, all apply to a larger amount of information than advisers may realize.
Recommendation: Map your data to understand where customer information and sensitive information are located.
What it is: Identifying how data flows through your systems and where you encounter customer information of your customers or the customers of other financial institutions with which you interact.
Why it’s challenging: This relies not just on compliance personnel but also on knowledgeable IT professionals and honest input from employees about the systems in use and the information encountered. With evolving business lines, tools, and technology, this map is likely to change over time, creating the need for ongoing monitoring.
Recommendation: Take the time to map your data and identify risk areas. The SEC indicated that examiners will likely request a data map or similar responses to show a firm has knowledge of the flow of data and locations of customer information in the firm’s systems.
What it is: Amended Regulation S-P was accompanied by the addition of six new sub-parts to the Books and Records Rule.
Why it’s challenging: These recordkeeping requirements range from written policies and procedures to documentation of investigations and determinations of whether customer notification is needed for a given incident. The challenge is that events requiring notification and non-events where a firm determined no notification is needed must both be documented and ready to produce when asked by SEC examiners.
Recommendation: In addition to policies and procedures, be sure to train personnel on the creation of these new records. Implement your policies and procedures to capture these records, and test this activity to make sure your compliance program is adequate and effective.
What it is: Working with IT providers to adequately prepare for Amended Regulation S-P.
Why it’s challenging: IT providers may have an incomplete understanding of “customer information” and the nuances of Amended Regulation S-P. In practice, many are treating incident response through the lens of general data security, rather than aligning incident response to the specifics of the new rule.
Recommendation: IT providers are excellent at understanding data flow and protecting information. However, most will need guidance in meeting the additional requirements unique to covered institutions under Amended Regulation S-P. Verify that the promised monitoring, reporting, and detection are taking place and are sufficient for your firm to meet its requirements under Amended Regulation S-P.
Start Now
If you are a large entity and are not currently in compliance with Amended Regulation S-P, come into compliance now. The SEC has made it clear that Amended Regulation S-P is a priority and will be a focus area in examinations. If you are a small entity, there is still some time before June 3, 2026, but you would be wise to get started sooner rather than later to fully implement all of the needed changes to your compliance program. Our Cyber team offers full-service support for all aspects of Amended Regulation S-P. If you need help or are interested in learning more, let us know.