On May 16, 2024, the SEC, under former Chair Gary Gensler, adopted sweeping amendments to Regulation S-P, which governs the privacy and data security of nonpublic consumer personal and financial information for a broad range of financial institutions. The amendments, effective August 2, 2024, introduced new requirements for incident response, customer notification, service provider oversight, and record-keeping, and expanded the scope of covered institutions and protected information. Compliance with the amendments will be implemented in phases based on covered entity size: larger entities are required to comply by December 3, 2025, while smaller entities have until June 3, 2026.
However, a year after the amendments were adopted, then-Acting SEC Chair Mark Uyeda, a Trump-appointed Republican who succeeded Gensler, a Democrat, painted a different vision for what the SEC’s priorities ought to be when it comes to privacy and data security. "Let's try and not be the cybersecurity cop," was Uyeda’s sentiment, as expressed in public remarks delivered to the Managed Funds Association’s Legal and Compliance Conference on May 13, 2025. Uyeda also used the occasion to color as questionable the SEC’s congressional mandate to exercise certain types of enforcement authority over privacy and cybersecurity matters. Uyeda’s remarks seemed to portend that the SEC, now under the leadership of Trump-appointed Chair Paul Atkins, will take a less “enforcement-first” approach to privacy and data security and will instead work with entities that have been the victim of a cyber incident.
It's not the first time Uyeda has cast doubt on the SEC’s role as cybersecurity watchdog. In an October 2024 joint statement, Commissioners Uyeda and Hester Peirce (also a Republican) were seeing red as they criticized the SEC for bringing charges against four companies for allegedly materially deficient disclosures relating to certain cybersecurity breaches. As discussed in our prior article, the dissenters argued, among other things, that the majority had not performed an adequate analysis of whether the alleged disclosure deficiencies actually were “material” under well-established applicable legal standards. See “SEC Commissioners on the Hunt for Materiality: Disagree on Cybersecurity Enforcement Actions,” Expect Focus – Life, Annuity, and Retirement Solutions (January 2025).
Time will tell whether the type of new enforcement policy that Uyeda’s remarks appear to have sketched out will become a reality or prove merely to have been a convincing artistic illusion. In any event, the December 3, 2025, deadline for the initial phase of compliance with the significantly expanded version of Regulation S-P still seems to be very real and is fast approaching.