As of June 3, 2026, smaller covered institutions are now subject to the expanded obligations imposed by the 2024 amendments to SEC Regulation S-P. With the compliance deadline having taken effect, smaller broker-dealers, investment companies, registered investment advisers, and transfer agents falling within the regulation's scope must have operational programs in place to satisfy the enhanced safeguarding, disposal, incident response, and vendor oversight requirements. The SEC has signaled that Regulation S-P compliance will be an examination priority, underscoring the importance of timely and well-documented implementation.

The amendments meaningfully expand the scope of information protected under Regulation S-P. The safeguarding and disposal rules now apply to all customer information handled by a covered institution, rather than being limited to a narrower category of nonpublic personal information. In practical terms, institutions should review their data inventories, classification practices, and retention and destruction protocols to confirm that they capture the broader universe of information now within the rule's reach.

A central feature of the amended framework is the requirement that covered institutions, including smaller entities, maintain a written incident response program. The program must be designed to detect, respond to, and recover from unauthorized access to or use of customer information. Closely tied to this obligation is the customer notification requirement, which generally directs covered institutions to notify affected individuals of a breach within 30 days. Institutions should ensure that escalation paths, decision-making authority, and notification templates are clearly documented and tested.

The amendments also formalize service provider oversight. Covered institutions are expected to implement and document due diligence, contractual protections, and ongoing monitoring of vendors that receive, maintain, process, or otherwise access customer information. Given the prevalence of outsourced technology, recordkeeping, and administrative functions among smaller entities, vendor management is likely to be a focal point of any SEC examination.

Smaller covered institutions should promptly assess and document their safeguarding policies, incident response program, customer notification procedures, and vendor management framework, and address any identified gaps. Maintaining clear records of these efforts will be important to demonstrating a reasonable, risk-based compliance posture.

This alert is provided for general informational purposes only and does not constitute legal advice. Clients should consult counsel for guidance tailored to their specific circumstances.
