
Deadline to Comply With Regulation S-P Amendments Is Here for Larger Entities

December 02, 2025

By Aaron Charfoos, Michelle A. Reed, Rachel Kurzweil and Sarah Hintzen

The deadline for “Larger Entities” to comply with the new data privacy and security requirements in the amendments to Regulation S-P is December 3, 2025.[1]

As we have detailed previously, the U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P on May 15, 2024, imposing additional requirements on financial institutions designed to enhance protection of consumer financial information. Regulation S-P applies to registered investment advisers, investment companies, broker-dealers (including funding portals) and transfer agents.

For Larger Entities that have not done so already, now is the time to reevaluate their information security policies and procedures against the new requirements. Although other covered entities have until June 3, 2026 to comply, they should also begin working toward compliance.

Some of the key new requirements for covered entities include:

  1. Incident Response Program. Develop, implement and maintain written policies and procedures for an incident response program that are reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information.
  2. Data Breach Notification Requirements. Provide clear and conspicuous notice to all affected individuals as soon as practicable but not later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
  3. Recordkeeping. Maintain comprehensive records documenting compliance with the amended rules, and retain those records for at least the period specified in the amendments, which varies according to the type of covered institution.
  4. Service Provider Oversight. Establish written oversight policies for all service providers handling customer information or customer information systems, including requiring service providers to protect against unauthorized access to or use of customer information and notify covered entities as soon as possible, but no later than 72 hours after discovering a breach.
  5. Safeguard Customer Information. Adopt written information security policies and procedures to address administrative, technical and physical safeguards that are designed to detect, prevent and respond to unauthorized access or use of customer information (which includes information from both a covered entity’s own customers and the customers of other financial institutions).

For more specific details on these new requirements, please see our earlier client alert, SEC Adopts Amendments to Regulation S-P (June 5, 2024).

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises companies on compliance with cybersecurity requirements at the federal, state, and international levels. If you have any questions concerning whether your company is subject to the amendments to Regulation S-P or how to comply, please do not hesitate to contact a member of our team.


[1] The amendments to Regulation S-P define “Larger Entities” as: (1) investment companies with net assets of at least $1 billion as of the most recent fiscal year end, (2) investment advisers to private funds with $1.5 billion or more in assets under management, (3) broker-dealers that are not small entities under the Exchange Act (generally those with total capital equal to or greater than $500,000), and (4) transfer agents that are not small entities under the Exchange Act (generally those that transferred or processed 500 or more items in the previous year or maintained shareholder files for at least 1,000 shareholder accounts).
