Preparing for the SEC Amendments to Regulation S-P
On May 16, 2024, the Securities and Exchange Commission (SEC) adopted long-awaited amendments to Regulation S-P, the rule governing how financial institutions safeguard and dispose of customer information. These changes mark the most significant update in over two decades—and every broker-dealer, registered investment adviser, investment company, business development company, and transfer agent must take notice.
At Gryphon Compliance, we see this as more than a regulatory obligation. It’s a chance for firms to strengthen client trust, streamline oversight of vendors, and modernize their entire approach to data protection.
Who Must Comply—and By When
The SEC set two compliance deadlines:
- December 3, 2025, for larger entities
- June 3, 2026, for smaller entities
Definitions: Larger vs. Smaller Entities (Regulation S-P)
Note: “Smaller entity” status is based on SEC/RFA definitions and affiliation rules; affiliation with a larger entity generally disqualifies small-entity status.
Key Requirements Firms Need to Prepare For
The amendments are sweeping, and they require a coordinated compliance response.
Highlights include:
- Incident Response Programs: Covered institutions must adopt written policies and procedures that outline specific steps for responding to unauthorized access to sensitive client data. Crucially, these programs must include notification of affected individuals within 30 days of discovery.
- Service Provider Oversight: Institutions must extend their policies to cover risks from vendors, including written oversight procedures and ongoing monitoring.
- Transfer Agents Included: Transfer agents are now explicitly covered under the Safeguards and Disposal Rules.
- Customer Information Disposal: Written procedures must address secure disposal of customer data.
- Privacy Notice Updates: Annual privacy notices will align with the Gramm-Leach-Bliley Act amendments, reducing unnecessary disclosures.
- Recordkeeping Expansion: Firms must maintain documentation demonstrating compliance with the amendments to the regulation.
What’s Changing in Practice
- Expanded definition of “customer information” under the Safeguards/Disposal Rule
- Mandatory written incident response plans with detailed, tested procedures
- Conspicuous breach notifications for any compromise of sensitive client data
- Defined standards for “reasonable” investigations following incidents
- Stronger diligence and monitoring obligations for vendors
- Streamlined privacy notices in certain circumstances
- More robust recordkeeping requirements
How Firms Should Respond Now
At Gryphon Compliance, we recommend firms use the coming months to:
1. Conduct a Gap Analysis – Compare current data protection policies against the enhanced requirements.
2. Design or Update Incident Response Plans – Ensure that policies and procedures are written, actionable, and address vendor-related risks.
3. Enhance Vendor Oversight – Expand diligence and monitoring protocols for service providers handling client data.
4. Establish Document Retention Protocols – Ensure records demonstrate compliance across the lifecycle.
5. Evaluate Privacy Notices – Update delivery practices to meet the new exemptions.
Gryphon Compliance’s Take
The SEC’s message is clear: data protection is investor protection. These rules elevate expectations not only for cybersecurity readiness but also for governance, accountability, and transparency.
At Gryphon Compliance, we help firms stay ahead of regulatory changes with tailored programs that go beyond check-the-box compliance. For Regulation S-P, that means transforming requirements into practical safeguards that protect clients, reduce risk exposure, and prepare your firm for regulatory scrutiny.
Now is the time to act—before the deadlines approach.
Jonathan Wowak is Director of Gryphon Compliance Services LLC. He can be reached at jwowak@gryphongroup.us.