Risk Identification
Book at 26-Minute Call
New SEC Cybersecurity Compliance Deadlines are Coming: What 6 Things Should You Should Do to Prepare?
The SEC's amended Regulation S-P, adopted last year, will soon enhance data privacy protections for broker-dealers, investment companies, registered investment advisors, and transfer agents. The updated rule requires these covered institutions to implement written policies and procedures for an incident response program designed to detect, respond to, and recover from unauthorized access to customer information. Although the compliance deadlines (December 3, 2025, for large firms, and June 3, 2026, for small firms) might seem far in the distance, it is essential to start acting now to ensure full compliance before the deadlines kick in. Here are five things you should do now to start preparing.
1. Adopt or Update Incident Response Program
for Customer Information
Covered Institutions must establish and maintain written policies and procedures to safeguard customer information through administrative, technical, and physical safeguards. These policies must ensure data security, protect against anticipated threats, and prevent unauthorized access that could harm consumers.
What is Customer Information?
Customer information refers to any nonpublic personal data held by a financial institution or its service providers.
Scope of Coverage
This includes records tied to individual customers of the institution or customers of other financial entities if the data has been shared.
Transfer Agents
For transfer agents, customer information specifically applies to securityholders of issuers they serve.
Customer information systems are the physical and virtual infrastructures financial institutions use to store, process, and manage customer data, ensuring security, accessibility, and regulatory compliance.

Note: "Customer Information" replaced "Customer records and information" in the updated regulation. The SEC acknowledged that customer records and information was not defined in the GLBA or in Regulation S-P. To align with the information protected by both rules, customer information is now utilized.
2. Develop Additional Measures
for Sensitive Customer Information
Institutions must also implement a response program to detect, contain, and recover from unauthorized access, including prompt notification to affected individuals if their sensitive customer information was compromised.
Sensitive customer information means customer information alone or with any other information, which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information. Other information includes:
  • Social Security number
  • State- or government-issued driver's license or identification number
  • Alien registration number
  • Passport number
  • Employer or taxpayer identification number
  • Biometric record
  • Unique electronic identification number, address, or routing code
  • Telecommunication identifying information or access device
  • Customer information identifying an individual or the individual's account, including their account number, name or online user name, in combination with authenticating information, or in combination with similar information that could be used to gain access to the customer's account such as an access code, a credit card expiration date, a partial Social Security number, a security code, a security question and answer identified with the individual or the individual's account, or the individual's date of birth, place of birth, or mother's maiden name.
3. Create Due Diligence Procedures
Those service providers handling customer data must also follow due diligence procedures, reporting breaches within 72 hours and assisting with customer notifications when required. Importantly, the 72-hour notice is triggered by unauthorized access to a customer information system maintained by the service provider, not the impact to sensitive customer information. Ultimately, the Covered Institution remains responsible for ensuring proper breach response and consumer notification.
Service Provider Definition
Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.
4. Be Ready to Notify Individuals
Covered Institutions must provide a clear and conspicuous notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorized.
01
Identify Affected Individuals
If the Covered Institution is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization, it must provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed or used without authorization.
02
Timing Requirements
The timing of the notice must occur as soon as practicable but not later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
03
Notice Content Requirements
Tip: The new rule contains specific notice content requirements that need to be included, including general details about the incident; the date or timeframe of the breach, if known; contact information for affected individuals to inquire further; a recommendation that the customer review account statements and immediately report any suspicious activity to the Covered Institution; a fraud alert explanation including how to place a fraud alert; a recommendation to review credit reports and how to obtain a free credit report; and information about the FTC and usa.gov.
What if there isn't any harm to the individual?
Notice is not required if the Covered Institution determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience to the individual after it conducts a reasonable investigation of the facts and circumstances of the incident.
The SEC declined to add a safe harbor for encryption into the regulation. However, the agency emphasizes that proper encryption can mitigate the risk of unauthorized access to customer information. If data is encrypted in a manner that renders it unreadable, Covered Institutions may not be required to notify affected individuals in the event of a breach. This aligns with the broader regulatory approach that considers encryption a key safeguard in protecting consumer financial data.
Currently, there is no specific reporting requirement to the SEC as it relates to the amendment.
5. Dispose of Unnecessary Consumer and Customer Records and Maintain Policies and Procedures
Dispose
Covered Institutions, excluding notice-registered broker-dealers, must take reasonable measures to ensure secure disposal of consumer and customer information to prevent unauthorized access. They are required to implement written policies and procedures that outline proper disposal practices. However, these requirements do not override other laws related to record retention or destruction, nor do they impose additional obligations beyond existing legal standards.
Maintain
Covered Institutions must maintain written policies and procedures related to data security, incident response, and breach notification. They must also document unauthorized access incidents, response actions, and notification decisions, including any delays authorized by the US Attorney General. Additionally, records of contracts with service providers and procedures for proper data disposal must be kept.
The below chart outlines the retention periods. The takeaway is that the SEC wants Covered Institutions to periodically reassess the effectiveness of their safeguarding and disposal programs.
Record Retention Requirements by Institution Type
Special Note: Which Category Do You Fall Into?
Small Entities
The amendments will likely increase operational costs for small Covered Institutions. Developing and maintaining the required written policies and procedures, implementing incident response programs, and conducting periodic risk assessments all require financial resources. Small Covered Institutions operating on tight margins may find these additional costs particularly burdensome.
Larger Firms
Larger firms must comply within 18 months (December 3, 2025), while smaller firms have 24 months (June 3, 2026) after the rule's publication.