SEC Finalizes Major Updates to Regulation S-P

The U.S. Securities and Exchange Commission has adopted significant amendments to Regulation S-P, the rule that governs how financial institutions safeguard and handle nonpublic personal information. The changes, finalized in May 2024, mark the most substantial update to the regulation since its creation in 2000. With financial firms now managing far more customer data than they did two decades ago, the SEC moved to modernize the rule to reflect new risks, new technologies, and the rising frequency of data breaches.

Below is a breakdown of the new updates and what you can do to comply. If you need help with your compliance measures, contact the compliance experts and team here at Captain Compliance for a free compliance audit.

Final Rules SEC S-P

Broader Definition of Customer Information

One of the most consequential updates is the expansion of what counts as “customer information.” Under the amended rule, the definition now includes any nonpublic personal information about a customer, regardless of whether the firm collected it directly or obtained it from another financial institution. The new definition also covers data received about customers of other institutions and former customers. This means the protections extend further than they did under the original rule, which focused more narrowly on information about a firm’s own direct consumers.

Strengthened Safeguards and Written Policies

Firms covered by Regulation S-P must now maintain comprehensive written policies and procedures designed to protect customer information from unauthorized access and security threats. These policies must address administrative, technical, and physical safeguards and must be reasonably designed to protect against anticipated risks. Although the original safeguards rule had similar intentions, the updated requirements are more detailed and impose greater accountability on institutions.

Incident Response Plans and Vendor Oversight

A key component of the amendments is the requirement that financial institutions develop and maintain a written incident response program. This program must outline how the firm will detect, respond to, and recover from unauthorized access to customer information. The rule also places new obligations on firms to oversee service providers that handle customer data. Contracts with vendors must require timely notification whenever a breach occurs, typically within 72 hours, enabling firms to assess and respond to incidents quickly.

Breach Notification Requirement

For the first time, firms subject to Regulation S-P are required to notify affected individuals if their information was accessed or is reasonably likely to have been accessed without authorization. Notification must occur as soon as practicable, generally within 30 days of discovering the incident, unless law enforcement determines that public notice would impede an investigation. Notices must include clear information about the nature of the breach, the data involved, and steps individuals can take to protect themselves.

Expanded Disposal and Record-Keeping Obligations

The amendments expand disposal rules to cover both customer information and consumer information, including information obtained from third-party sources. Institutions must also maintain detailed records documenting their compliance with the rule, including incident response actions, risk assessments, decisions about whether to notify customers, vendor oversight documentation, and any communications sent in connection with a data breach.

Who Must Comply and When

The updated requirements apply broadly to broker-dealers, investment advisers, investment companies, transfer agents, funding portals, and other covered institutions. Compliance timelines vary by firm size. Larger entities, such as advisers managing more than 1.5 billion dollars in assets and large broker-dealers, must comply by December 3, 2025. Smaller firms have until June 3, 2026, to meet the new obligations.

“What’s Next: Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.”

Why These Changes Matter

The amendments arrive at a time of increasing cybersecurity incidents targeting the financial sector. The SEC’s changes reflect a recognition that stronger baseline protections are needed to reduce systemic risk and provide consumers with greater transparency when their information may have been compromised. The new breach-notification requirement, expanded information definitions, and mandatory incident response plans collectively push financial institutions toward more structured and proactive data-security practices.

Steps Firms Should Take Now

Covered institutions should begin reviewing and updating their policies immediately. Action items include revising privacy and security policies to reflect the expanded definition of customer information, building or updating incident response procedures, assessing third-party vendor contracts, preparing customer notification templates, and strengthening record-keeping systems. Firms should also evaluate whether their current data disposal processes and internal controls align with the new requirements.

With enforcement deadlines approaching, early preparation will help firms meet their obligations and demonstrate a commitment to protecting customer information in an increasingly complex digital environment.
