Regulatory Update: SEC Enhances Regulation S-P to Strengthen Data Privacy and Cybersecurity

By Ez-XBRL Team, 15 May 2025

In a move aimed at bolstering data privacy and cybersecurity across the financial sector, the U.S. Securities and Exchange Commission (SEC) has adopted significant amendments to Regulation S-P, modernizing its safeguards for protecting customers’ nonpublic personal information.

Originally enacted in 2000 under the Gramm-Leach-Bliley Act, Regulation S-P established foundational standards for safeguarding customer records. However, with today’s threat landscape dramatically different than it was two decades ago, the SEC has introduced critical updates to address the rising complexity of data security and cyber risk.

Speaking at a regulatory outreach event, Keith Cassidy, Acting Director of the SEC’s Division of Examinations, emphasized the importance of these changes:

“Strong controls and safeguards benefit not only customers and investors, but also our financial institutions and markets generally. As the use of digital platforms grows, so must our approach to data protection.”

Key Enhancements to Regulation S-P

The amendments focus on improving how financial institutions prevent, detect, and respond to breaches of customer data. Three major areas of focus include:

Incident Response Programs

Firms must implement written policies and procedures designed to detect, respond to, and recover from unauthorized access or use of customer information. This includes clearly defined protocols to assess the scope of incidents and contain further risks.

Mandatory Customer Notification

Covered institutions are now required to notify affected customers within 30 days of discovering a breach involving their sensitive personal information—ensuring transparency and timely awareness for impacted individuals.

Oversight of Third-Party Vendors

New rules mandate that financial firms establish and enforce oversight procedures for third-party service providers. Institutions remain ultimately accountable for compliance, even when operations are outsourced.

Looking Ahead: Enforcement and Industry Readiness

To support implementation, the Division of Examinations will conduct a series of outreach sessions in coordination with other SEC divisions. These events will provide practical guidance on compliance expectations and readiness assessments in the lead-up to enforcement.

Registrants should expect examiners to inquire about their preparedness before compliance deadlines. While early interactions will focus on readiness—not penalties—post-deadline enforcement will be fully active. Regulation S-P may also be prioritized in future SEC thematic reviews.

Conclusion

As financial services continue their digital transformation, the SEC’s modernization of Regulation S-P sends a clear message: data privacy and investor protection must evolve in parallel. Institutions are encouraged to begin their compliance efforts now, ensuring that new safeguards are not only in place—but effective.


For more details, please visit www.sec.gov.