Investment Adviser Regulatory Counsel (SEC & State)

February 27, 2026

Navigating the Amended Regulation S-P

Introduction

Regulation S-P (“Reg S-P”) was originally adopted in 2000 by the U.S. Securities and Exchange Commission (“SEC”) to ensure that financial institutions implemented meaningful steps to protect the privacy and security of customer information.

As initially adopted, Reg S-P required broker-dealers, investment companies, registered investment advisers, and certain other regulated entities (“Covered Institutions”) to create and maintain a comprehensive privacy program, which included having written policies and procedures and internal controls designed to safeguard non-public customer data, and delivering a written privacy notice to customers initially upon engagement and annually thereafter.

Reg S-P has since been amended a few times, with the most recent amendment issued in May 2024.[1] As part of this newest amendment, Covered Institutions must: (i) implement a formal incident response plan, (ii) notify customers in writing within 30 days of becoming aware of unauthorized access to, or use of, their sensitive information,[2] (iii) have disposal procedures that protect against unauthorized use or access, and (iv) maintain records that document compliance with the amended rule requirements.

The overall goal of the SEC's amendments to Regulation S-P is to address technological changes in how firms obtain, share, and maintain customer information and to promote greater accountability and transparency, while helping firms respond more effectively to cybersecurity threats and better protect the interests of their customers.

With the June 3, 2026, compliance deadline for smaller Covered Institutions[3] fast approaching, this month’s Risk Management Tip provides guidance on current regulatory focus and preparation steps to help ensure compliance by the deadline.

Regulatory Focus

The SEC Division of Examinations has listed compliance with the amended Regulation S-P as a focus area in its 2026 examination priorities.[4] The Division has expressly stated that it will assess whether firms have developed, implemented, and maintained written policies and procedures that are consistent with the amended rule and properly “address administrative, technical, and physical safeguards for the protection of customer information.”

Preparation Steps

  1. Assess current safeguarding controls and processes in place to determine what additional procedures are needed to safeguard customer “sensitive information” in addition to non-public information.
  2. Determine if current internal breach notification procedures are adequate and whether they also adhere to applicable state requirements.
  3. Confirm that internal roles for data security, vendor oversight, and incident escalation are clearly defined, and all supervised persons are trained and understand their responsibilities.
  4. Review service provider/vendor contracts to determine if they contain provisions that address timely breach notification to both the firm and clients, and cooperation during investigations.
  5. Perform a breach test to help ensure that responses will be timely and in line with the new requirements under amended Reg S-P.
  6. Ensure there is a process for maintaining all books and records that are required under amended Reg. S-P.

Once the above have been addressed, the next steps will be to update firm policies and procedures, including the incident response plan, to reflect the enhanced controls and processes implemented, and to train all supervised personnel on the new requirements and the changes made by the firm.

Conclusion

The SEC and states take consumer privacy very seriously, so it is important to begin preparing sooner rather than later. Firms that fail to take proactive steps to align their policies, procedures, and vendor oversight practices with the new requirements of Reg. S-P by the compliance deadline risk heightened regulatory scrutiny, examination deficiencies, and potential enforcement action.

 

[1] Regulation S-P. SEC, www.sec.gov/rules-regulations/2024/06/s7-05-23.

[2] Defined in part in Regulation S-P as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

[3] Covered Institutions not defined as “Large Covered Institutions” under amended Reg. S-P. Mainly investment advisory firms with assets under management of less than $1.5 billion and investment companies with less than $1 billion in assets.

[4] U.S. Securities and Exchange Commission, Division of Examinations. 2026 Examination Priorities. U.S. Securities and Exchange Commission, 2025, www.sec.gov/files/2026-exam-priorities.pdf.

 

Author: Amandeep Kalhar, Attorney and Tina Mitchelle, Paralegal Manager, Jacko Law Group, PC.

JLG works extensively with investment advisers, broker-dealers, investment companies, private equity and hedge funds, banks and corporate clients on securities and corporate counsel matters. For more information, please visit https://www.jackolg.com/.
