Reminder: "Smaller Entities" Must Comply with Amended Regulation S-P by June 3, 2026
"Smaller entities" subject to Regulation S-P (Reg S-P) have just three weeks remaining—by June 3, 2026—to comply with new cybersecurity and data breach-related requirements introduced by amendments to the regulation in 2024. Reg S-P applies to broker-dealers, registered investment advisers (RIAs), investment companies (funds), funding portals (crowdfunding intermediaries), and transfer agents regulated by the Securities and Exchange Commission (SEC) (collectively, covered institutions). The amendments require each covered institution to establish an incident response program, establish procedures to notify customers of certain data breaches within 30 days, oversee service providers, and maintain compliance documentation.
The SEC has identified compliance with Reg S-P as a priority for regulatory examinations in fiscal year 2026. Among other things, the SEC's Division of Examinations will assess whether covered institutions "have developed, implemented, and maintained policies and procedures in accordance with the rule's new provisions that address administrative, technical, and physical safeguards for the protection of customer information."
Overview of Reg S-P
Reg S-P was first adopted by the SEC in 2000 to implement the data privacy and security provisions of the Gramm-Leach-Bliley Act (GLBA). The regulation includes various privacy-focused requirements, which are similar to those in GLBA implementing regulations issued by the Consumer Financial Protection Bureau and Federal Trade Commission for other types of financial institutions. Those privacy-focused requirements include obligations to deliver privacy notices to consumers and to provide consumers an opportunity to opt out of certain disclosures of nonpublic personal information to non-affiliated third parties.
Reg S-P also requires covered institutions to adopt policies and procedures with administrative, technical, and physical safeguards reasonably designed to protect customer information from unauthorized access or use (the Safeguards Rule). In 2004, the SEC amended Reg S-P to implement provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) by requiring covered institutions to take reasonable measures to properly dispose of consumer report information (the Disposal Rule).
2024 Amendments
The SEC amended Reg S-P, including both the Safeguards Rule and the Disposal Rule, in 2024. We discussed the amendments in depth in a prior blog post shortly after the SEC issued the amendments.
The SEC staggered the deadline to comply with the amendments by entity size. "Larger entities"—those that exceed certain thresholds, such as funds with more than $1 billion in assets and RIAs with more than $1.5 billion in assets under management—were required to comply by December 3, 2025. "Smaller entities"—those that do not meet the "larger entities" thresholds—must comply by June 3, 2026.
Key Requirements
As discussed in our prior blog post, the amendments to Reg S-P impose various cybersecurity and data breach-related requirements on covered institutions, including obligations to:
- Maintain a written incident response program. Covered institutions must adopt, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of "customer information." The program must include procedures to assess the nature and scope of any security incident, identify the customer information and systems affected, take steps to contain and control the incident, and notify affected individuals. "Customer information" is broadly defined to mean "any record containing nonpublic personal information" about a customer of a financial institution that is in the possession of or processed on behalf of a covered financial institution. Notably, customer information may pertain to customers of the covered financial institution or to customers of another financial institution that provided the information to a covered financial institution.
- Notify affected individuals of breaches of "sensitive customer information." Covered institutions must provide clear and conspicuous notice to affected individuals as soon as practicable, but not later than 30 days, after determining that unauthorized access to or use of sensitive customer information occurred or is reasonably likely to have occurred (notice to the SEC is not required). "Sensitive customer information" is defined broadly as "any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience" to an individual identified in the information. Given this broad definition, covered institutions will have to notify affected individuals of breaches affecting a much wider range of personal information than is required under state data breach laws, which generally apply only to specifically enumerated categories of information.
- Notification to affected individuals is not required if the institution determines, after a reasonable investigation, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in "substantial harm or inconvenience." The SEC expressly declined to define "substantial harm or inconvenience," stating that whether harm or inconvenience is "substantial" "would depend on the particular facts and circumstances surrounding an incident." Covered institutions do not need to design programs and incur costs to protect customers "from harms of such trivial significance that the customer would be unconcerned with remediating them." The SEC noted, however, that "personal injury, financial loss, expenditure of effort, or loss of time, each could constitute a substantial harm or inconvenience depending on the particular facts and circumstances."
- Oversee service providers. Covered institutions must establish, maintain, and enforce written policies and procedures reasonably designed to require oversight—including through due diligence and monitoring—of service providers with access to customer information. The policies and procedures must be reasonably designed to ensure service providers take appropriate measures to: (i) protect against unauthorized access to or use of customer information; and (ii) provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware of a breach involving customer information. The SEC's adopting release states that covered institutions might contractually require service providers to provide notice within 72 hours, but the amendments do not expressly require covered institutions to add such a requirement to their service provider agreements.
- Maintain records. Covered institutions must maintain written records documenting compliance with various Reg S-P provisions, including: (i) policies and procedures for safeguarding customer information, maintaining an incident response program, overseeing service providers, and securely disposing of customer information; (ii) documentation of any actual or suspected incident, including the resulting investigation, response, and any determination that customer notification was or was not required; (iii) copies of any customer notifications sent; and (iv) documentation of service provider agreements. The amendments specify retention periods for each type of record.
The amendments also implement an exception to the annual privacy notice requirement pursuant to the Fixing America's Surface Transportation (FAST) Act. A covered institution does not need to deliver an annual privacy notice if it has not changed its privacy practices since the last notice and if it only shares nonpublic personal information with non-affiliated third parties in ways that do not trigger opt-out rights.
Increase in Scope of Reg S-P
The amendments expand Reg S-P's scope in several important ways:
- Transfer agents. Both the Safeguards Rule and the Disposal Rule now apply to transfer agents registered with the SEC or any "appropriate regulatory agency." Previously, transfer agents were not covered by the Safeguards Rule, and only SEC-registered transfer agents were covered by the Disposal Rule.
- Private funds. RIAs that advise only private funds (funds typically available only to high net worth and institutional investors) may now be within Reg S-P's reach for the first time. Reg S-P previously used the term "customer records and information," which was limited to customers of the covered institution itself. The amendments replace that term with the broader definition of "customer information," which includes information of customers of another financial institution provided to the covered institution. Accordingly, if RIAs advise private funds that are financial institutions, and if those private funds provide the RIAs with "customer information" as defined, the RIAs would be required to comply with Reg S-P with respect to that information. Private funds themselves are not subject to Reg S-P.
- Harmonized coverage of customer information. The amendments also harmonize the type of information covered by the Safeguards Rule and the Disposal Rule. Previously, the two rules applied to different types of personal information. Now, both rules apply to "customer information" as defined.
Next Steps for Smaller Entities
Smaller entities that have not finalized compliance should prioritize the following ahead of the June 3 deadline:
- Inventory customer information. As discussed, "customer information" is defined broadly as records containing nonpublic personal information about a customer of a financial institution—even if the customer is not a customer of the covered institution. Covered institutions should inventory the customer information in their possession and the customer information maintained on their behalf by vendors to determine the scope of their compliance obligations under the Reg S-P amendments.
- Refine (or develop) an incident response plan. Covered institutions should revisit (or draft) their incident response plans to address requirements introduced by the Reg S-P amendments. Among other things, covered institutions should confirm that their incident response plans address the 30-day customer notification requirement and the need to assess whether an incident is likely to create a risk of "substantial harm or inconvenience." Tabletop exercises can provide covered institutions an opportunity to test their incident response plans and educate response team members about the new Reg S-P requirements.
- Review service provider oversight. Covered institutions should review their policies and procedures for overseeing and conducting diligence on their service providers that handle customer information. In particular, covered institutions should review their service provider agreements to assess whether to seek amendments to address the 72-hour notification timeline for service providers to report breaches of sensitive customer information.
- Update record retention schedules. The Reg S-P amendments require covered institutions to retain certain policies and procedures, records of security incident investigations, service provider agreements, and other materials for specific periods of time. Covered institutions should update their record retention schedules to require compliance with these requirements.
Michael Borgia is a partner in the Washington, D.C., office and Michael Butowsky is of counsel in the New York office of DWT. For questions or more insights, reach out to the authors or another member of our privacy & security and financial services teams and sign up for our alerts.