
The SEC’s recent amendments to the Reg SP Privacy Notice expand the privacy and SEC cybersecurity obligations for financial institutions.
This post covers what’s new regarding Regulation S-P and outlines the steps firms should take now to remain compliant with these changes.
Key Takeaways
- The SEC’s updated Reg SP Privacy Notice expands requirements for incident response, customer notifications, vendor oversight, and documentation.
- Firms must notify affected customers of a breach within 30 days of becoming aware of it, unless a reasonable investigation shows the information is not reasonably likely to be misused in a way that causes substantial harm or inconvenience.
- Compliance deadlines begin December 3, 2025, for large firms and June 3, 2026, for smaller firms.
- Early updates to response plans, vendor oversight, and recordkeeping are essential for compliance.
What’s New in Regulation S-P
Regulation S-P governs how broker-dealers, investment companies, registered investment advisers, and transfer agents safeguard customers’ nonpublic personal information. The 2024 amendments add an explicit incident response and customer notification obligation and require firms to keep a documented record of how each incident was detected, investigated, and resolved.
Here’s a quick overview of those amendments and how firms should prepare:
1. Mandatory Written Incident Response Plans
With changes to the Reg SP Privacy Notice, firms must now maintain a comprehensive, written incident response plan. The response plan should cover procedures for:
- Detection
- Escalation
- Containment
- Investigation
- Recovery
Partnering with a trusted advisor to establish a documented response process can help your firm remain compliant with Regulation S-P.
2. Customer Notification Requirements
The SEC is clear that if sensitive customer information is accessed or used without authorization, firms must provide clear and conspicuous written notice to affected individuals as soon as practicable, and no later than 30 days after becoming aware that the unauthorized access or use occurred or is reasonably likely to have occurred. Notice may be omitted only if the firm determines, after a reasonable investigation, that the information has not been and is not reasonably likely to be used in a way that would result in substantial harm or inconvenience; that determination and its basis should be documented.
This is one of the most stringent notification windows in the industry, and it requires a level of coordination between security, legal, compliance, and customer communications that many firms have not yet built into their incident response plans.
When creating your incident response plans, consider the steps you’ll need to take to ensure timely notification.
3. Strengthened Vendor Oversight
The SEC rule now explicitly requires policies and procedures reasonably designed to oversee service providers that receive, maintain, process, or otherwise have access to customer information. This includes:
- Due diligence
- Contractual expectations
- Ongoing monitoring
- Validation that vendors maintain adequate security controls
The rule also requires that service providers notify the firm as soon as possible, and no later than 72 hours after becoming aware of a breach resulting in unauthorized access to a customer information system they maintain, so the firm can meet its own 30-day customer notification window. Document how you plan to vet vendors, write the 72-hour notification obligation into contracts, and ensure vendors understand their responsibilities.
4. Expanded Recordkeeping
As part of the updated Reg SP Privacy Notice, firms must retain documentation for a set minimum period under their existing recordkeeping rules (five years for registered investment advisers; the amendments set the period for broker-dealers, investment companies, and transfer agents separately) for events relating to:
- Incidents
- Investigations
- Customer notifications
- Vendor oversight
Consider partnering with a trusted advisor to fully demonstrate the execution of security and privacy obligations.
Key Compliance Deadlines
Although updates to Regulation S-P were released by the SEC in May 2024, the compliance deadlines extend into 2025 and beyond.
As Greg Miller, CPA, CISA, and Vice President of Consulting Services at Assurance Dimensions, explains, “Deadlines for compliance include larger institutions with $1.5 billion or more in assets under management by December 3, 2025, and smaller institutions by June 2, 2026. No extensions have been granted at this point.”
Firms should assume these dates are concrete and should work to comply with these deadlines.
What Firms Should Do Now
The strongest compliance programs will take a proactive and structured approach. Consider:
- Reviewing the information security and incident response plan: Ensure every step is written, current, tested, and aligned with the new Reg S-P standards.
- Assessing vendor oversight and due diligence: Evaluate whether current vendor management practices meet the new SEC-defined expectations.
- Training staff and updating procedures: Every employee with access to sensitive information should understand escalation paths, breach notification triggers, and their role in customer communications.
- Building an audit-ready documentation trail: The new multi-year retention requirement means firms must be able to prove, with dated records, that each step of the program was carried out.
How IT Advisory Support Reduces Compliance Risk
As Miller explains, “Regulation S-P updates cover key areas including vendor management, incident response, customer notification, access controls, and information security policies. Early preparation is critical for compliance.”
A trusted advisory partner can help translate regulatory requirements into a compliant response plan. Assurance Dimensions provides:
- Regulatory readiness assessments
- Incident response and vendor oversight frameworks
- Hands-on guidance from cybersecurity and compliance specialists
- Audit-ready documentation aligned with SEC and PCAOB expectations
Meeting the new standards will take time and clear documentation, making proactive planning essential.
Preparing for Compliance: Next Steps for Financial Institutions
With the 2025–2026 deadlines approaching, now is the time for financial institutions to take action to strengthen privacy protections and establish robust vendor oversight programs. Early preparation is the most effective way to minimize compliance risk and avoid last-minute operational strain.
If your firm needs support assessing readiness or building compliant frameworks, Assurance Dimensions can help.
Contact our IT Advisory team to get started.
