Welcome to “SERC’ling Up,” your resource for staying ahead in today’s fast-evolving financial landscape. This newsletter delivers perspectives on the latest enforcement trends, regulatory updates and high-stakes developments affecting broker-dealers, investment advisers, financial institutions and corporate clients. Drawing on the firm’s blend of government and industry experience, “SERC’ling Up” provides actionable intelligence to help clients anticipate risks, respond effectively to scrutiny and remain resilient in a shifting regulatory environment.
In a recent speech, Acting Director of the SEC’s Division of Examinations (Exams) Keith Cassidy reminded SEC registrants of the new requirements imposed by the amendments to Regulation S-P. He noted that the dates for compliance are approaching and provided information about how Exams intends to proceed in anticipation. The bottom line on compliance preparedness is that there is no better time than the present, particularly for larger entities and most broker-dealers, who have the earliest compliance date of Dec. 3, 2025. Smaller entities must comply with the amendments by June 3, 2026.
Covered institutions should assess their readiness and prepare for the compliance date by reviewing their written cyber incident response plans. Those plans should include policies and procedures that address 1) protecting their customers’ sensitive data, 2) customer notification processes if that data is compromised, and 3) oversight of service providers, including due diligence and ongoing monitoring.
New Requirements
The amendments to Reg S-P were adopted on May 16, 2024, to provide customers enhanced protections for their sensitive data. The amendments require covered institutions to implement a written incident response program that includes policies and procedures that are reasonably designed to help detect, respond to and recover from unauthorized access to or use of customer information. Registrants are also required to notify affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. That notice must be provided as soon as practicable but not later than 30 days after becoming aware that unauthorized access or use of customer information occurred or is reasonably likely to have occurred. The amendments include a risk-of-harm analysis and notification content requirements.
Registrants also must implement and enforce written policies and procedures to perform oversight, including due diligence and monitoring, of service providers. The amended Reg S-P defines “service provider” as “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.”[1] These policies and procedures must be reasonably designed to ensure that service providers take appropriate measures to protect against unauthorized access to or use of customer information, and provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system. Upon receipt of such notification, a covered institution must initiate its incident response program. Acting Director Cassidy noted that “while covered institutions may outsource their operations, they may not outsource their ultimate obligation to comply with Regulation S-P.”
Next Steps
Acting Director Cassidy stated that exams conducted over the next several months will inquire about Reg S-P readiness, not with the intent to cite registrants for noncompliance but to check on registrants’ progress toward compliance and to report to the Commission on the overall levels of readiness before the compliance dates.
To promote awareness and help firms prepare for these new requirements, staff in the Division of Examinations and the Divisions of Investment Management and Trading and Markets will host three events to inform firms about what to expect when interacting with the examination team during an examination where Reg S-P is in scope.
Implications
Acting Director Cassidy’s speech is significant beyond its specific content. The Reg S-P amendments were adopted during the last year of the Biden administration. There have been questions about how SEC Chair Paul Atkins and the new Republican majority at the Commission would view this rule. While Acting Director Cassidy’s speech includes the familiar disclaimer that its contents reflect only his personal views and not those of the Commission, the fact that an acting director publicly gave these remarks strongly suggests that the Commission anticipates that compliance with these amendments will be required as scheduled and that the Commission will support examining for compliance with their terms.
Notably, Acting Director Cassidy did not discuss a significant customer notification exception. The presumption that customers must be notified of a breach involving their data is rebuttable should the registrant determine, following a reasonable investigation, that “sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.”[2] Unfortunately, Acting Director Cassidy did not provide interpretive guidance on this exception in his speech, leaving unexplored how broadly or narrowly Exams and other divisions plan to apply it.
[1] 17 CFR 248.30(d)(10).
[2] 17 CFR 248.30(a)(4)(i).