Amended Regulation S-P

What happened?

On May 16th, 2024, the SEC adopted amendments to Regulation S-P requiring broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents (“covered institutions”) to implement and maintain policies and procedures for an incident response program designed to detect, respond to, and recover from unwarranted access to or use of client information.

In 2000, the SEC initially adopted Regulation S-P, which:

  1. Broadly requires broker-dealers, investment companies, and registered investment advisers to adopt and maintain policies and procedures to protect customer records and information (the “Safeguards Rule”);
  2. Requires proper disposal of consumer report information in a way that limits the threat of unauthorized access to or use of such information (the “Disposal Rule”); and
  3. Implemented privacy policy notice and opt-out provisions.

The final amendments set a minimum standard requiring covered institutions to provide data breach notifications to affected individuals, and they expand upon the original Regulation S-P.

Covered institutions must have each of the following in place to comply with the amendments:

  1. Vendor Management Program: The amendments formally establish requirements for covered institutions to adopt policies and procedures covering due diligence and ongoing monitoring of service providers. If you do not already have a vendor management program in place, consider starting there; the SEC already routinely requests vendor due diligence in cyber-related exam requests. Note: Service providers must notify covered institutions within 72 hours.
  2. Incident Response Program: Under the adopted amendments, covered institutions will be required to maintain an incident response program. The program must be designed to detect, respond to, and recover from unauthorized access to or use of client information, and to prevent unauthorized use. Note: Even if you have an incident response plan in place, you will still need to update your program to comply with the adopted amendments.
  3. Customer Notification Requirement: Covered institutions will be required to notify individuals whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization. Note: Covered institutions must notify affected customers within 30 days.
  4. Expansion of Safeguards and Disposal Rules (including written records): The amendments expand the safeguards and disposal rules to cover nonpublic personal information that a covered institution obtains about its own clients and nonpublic personal information received from another financial institution about clients of that institution. Covered institutions (except funding portals) must also maintain written records evidencing compliance with the safeguards and disposal rules.

More details are included in the SEC’s fact sheet on the amendments.

Compliance Deadlines

While much of what the previous administration proposed has been tossed or postponed, the SEC has made it clear that Amended Reg S-P is not only here to stay, but it’s also a key focus area. In the SEC Division of Examinations’ recently published 2026 Exam Priorities, Amended Reg S-P is identified as a risk area for market participants.

What does this mean for me?

The regulation requires specific policy updates, testing of the Incident Response Program, and extensive due diligence reviews of Service Providers. For more details on these new requirements, you may want to review the flash reports below from our sister company, Fairview. Fairview also provides full support for Amended Regulation S-P, including comprehensive vendor due diligence, the development and testing of policies and procedures, and more. If you have questions or need support, contact the Fairview Cyber team.

Additional Resources: