Preparing for Regulation S-P and takeaways from the SEC’s session at the Incident Response Forum Masterclass 2025

Eversheds Sutherland (US) LLP

On April 22, 2025, Laura D’Allaird, Chief of the SEC’s Cyber and Emerging Technologies Unit (CETU), participated in the Incident Response Forum Masterclass 2025 (Incident Response Masterclass). In the session, titled “SEC Spotlight: Cyber Regulation and Enforcement,” D’Allaird outlined the SEC’s key areas of focus in the evolving landscape of cyber regulation, including the following priorities: (1) fraud across the emerging technology space; (2) cybersecurity compliance with existing regulations; and (3) other cyber-related misconduct. The Incident Response Forum Masterclass provided timely information as firms consider how to allocate resources in light of the new administration. 
Eversheds Sutherland Impressions.

1. Fraud Across the Emerging Technology Space

Firms that utilize or provide emerging technology should implement controls to ensure investor protection. The SEC will likely apply enhanced scrutiny to firms that use Artificial Intelligence (AI) or emerging technology in a manner that harms investors or diminishes investor confidence. D’Allaird highlighted the SEC’s heightened scrutiny of claims made by firms using AI. Firms should exercise caution when discussing AI and avoid overstating their usage or the features of any AI products offered to clients, as this can lead to "AI washing." Recently, the SEC charged the founder of a privately held technology startup with fraudulently soliciting investments and raising over $42 million through the sale of stock by making false and misleading statements about the company’s AI capabilities. 

Firms leveraging AI should also be mindful of the legal obligations attached to use of the product. For instance, firms that use AI to process research should establish protocols to ensure compliance with any nondisclosure obligations that apply as a condition of accessing the AI tool.

2. Cybersecurity Compliance with Existing Regulations

Firms subject to cybersecurity regulations, such as Regulation S-P and Regulation Systems Compliance and Integrity (Regulation SCI), should be prepared to demonstrate full compliance during SEC examinations. 

The SEC adopted amendments to Regulation S-P (Amendments) on May 16, 2024, aiming to modernize and enhance the protection of customer information held by financial institutions. The Amendments address the evolving technological landscape and risks that have emerged since the rule’s original adoption in 2000.

  1. Overview of the Amendments
  • Incident Response Program: The Amendments require broker-dealers, investment advisers, investment companies, funding portals, and transfer agents (Covered Institutions) to develop, implement, and maintain comprehensive written policies and procedures for incident response programs. These programs must be designed to detect, respond to, and recover from unauthorized access to customer information.
  • Service Provider Oversight: Covered Institutions must also adopt policies and procedures reasonably designed to oversee and monitor third-party service providers. This includes ensuring that service providers (1) are capable of protecting customer information from unauthorized access, and (2) notify Covered Institutions no later than 72 hours after becoming aware of unauthorized access to customer information. 
  • Customer Notification Requirement: In the event of unauthorized access to customer information, the Amendments require the Covered Institutions to notify the affected customers whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, as soon as practicable, but no later than 30 days after becoming aware of the incident. The notice to affected customers must include details about the incident, the nature of the data that was accessed, and guidance on how the affected customers can respond to protect themselves. The Amendments permit a delay if certain requirements are met where the notice poses a substantial risk to national security or public safety.
  • Expanded Scope of the Rules: The Amendments also broadened the scope of information covered by Regulation S-P to include any nonpublic personal information collected from customers or received from other financial institutions. As a result, the amendments expand the group of customers protected by the disposal rule and safeguards rule. Additionally, the Amendments expand the safeguards rule to apply to transfer agents. 
  • Recordkeeping and Annual Notice Amendments: Covered institutions, other than funding portals, are required under the Amendments to make and maintain written records documenting compliance with the safeguards rule and the disposal rule. The Amendments also conform Regulation S-P annual privacy notice delivery provisions to codify a statutory exception. 
  • Compliance Date: Covered Institutions that are “larger entities” are required to comply with these amendments by December 3, 2025, and Covered Institutions that are not larger entities must comply by June 3, 2026. Notably, industry trade groups¹ recently submitted a request to Chairman Atkins for an extension of compliance dates and asked the Chairman to consider further amendments to Reg S-P to better align with existing federal and state requirements. Nevertheless, firms should continue to prepare to meet the compliance date.

3. Other Cyber-Related Misconduct

Firms should continue to prioritize cyber and data security practices to safeguard sensitive customer and investor information and guard against cyber-related misconduct. The SEC will likely be focused on cyber events that threaten market integrity and investor protection. During the Incident Response Masterclass, D’Allaird emphasized various tactics bad actors may use to target firms and customers, including using social media or fake websites to perpetrate fraud, hacking to obtain material nonpublic information (MNPI), and account takeover schemes.

D’Allaird’s remarks underscore that cybersecurity is a critical regulatory priority for the SEC, and firms must continue to evolve their defenses to meet emerging threats. Firms that do not implement sufficient measures to protect against these threats may also face regulatory penalties.

__________

¹ The request was submitted jointly by the Securities Industry and Financial Markets Association (SIFMA), SIFMA Asset Management Group (SIFMA AMG), American Bankers Association (ABA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), Investment Adviser Association (IAA), Investment Company Institute (ICI), Insured Retirement Institute (IRI), and the Committee of Annuity Insurers (CAI).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Eversheds Sutherland (US) LLP