The SEC Holds First Webinar to Help Firms Comply with Reg S-P

On September 25, 2025, the SEC held the first of three planned compliance outreach events to help firms prepare for and comply with the upcoming amendments to Regulation S-P (Reg S-P). This session, intended for larger firms, covered a wide range of topics from an overview of the coming changes to answering questions submitted about the amendments.

The SEC’s Guidance About Amendments to Reg S-P

  • Don’t wait, prepare now: While it is possible that the SEC may delay the Reg S-P compliance date, the webinar sends a strong signal to the industry that the regulator is likely to hold to its December 3, 2025, compliance date (June 3, 2026, for firms with less than $1.5 billion in AUM). Firms should actively prepare for Reg S-P-related examinations, and ensure their incident response program, third-party oversight, and other Regulation S-P-related policies, procedures, and controls are ready to meet the SEC’s new expectations.
  • Incident response programs will be scrutinized: Firms will be expected to demonstrate that their incident response program has the proper policies, procedures, controls, governance, and staffing and resources to be able to effectively detect, contain, and recover from incidents of unauthorized access or use of customer data. A particular focus was placed on the “detection” requirement of the amendments, and firms should be able to demonstrate how they actively monitor their networks and technology to identify potential incidents.
  • Map your data: Firms are encouraged to work through data mapping and inventory exercises so they can demonstrate that they are aware of where their customers’ data resides, how it is used, and what protections and controls are in place for this data. This mapping will also help firms to more quickly detect incidents involving customer data and assess the potential impacts of the incident.
  • When in doubt, notify customers: In response to direct questions from firms, the SEC reinforced that the amendments to Regulation S-P have limited exceptions to their customer notification requirements and presume the need to notify. Unless a firm can demonstrate that it engaged in a thorough investigation into an incident, and that the customer data involved in the incident would not reasonably cause substantial harm or inconvenience, it should be prepared to notify impacted customers. Firms should also be sure to preserve records about how they assessed the potential impact of the incident, the protections that were in place to safeguard the impacted data, and copies of notifications provided to customers, whether sent by the firm or by service providers.
  • Third-party oversight is essential: One of the most discussed aspects of the amendments was the requirement that service providers safeguard a firm’s customer data and notify the firm within 72 hours when there is an incident. The SEC reinforced the importance of firms conducting due diligence on their service providers, obtaining assurances that service providers will safeguard customer data, and monitoring these providers to make sure they are living up to their obligations. Firms should be prepared to provide the SEC with information about how they are conducting due diligence on their service providers, what risks they present, and the steps the firm has taken to manage risks presented by the providers.

Prepare for Regulation S-P Compliance

The SEC’s 2024 amendments to Regulation S-P introduced sweeping changes that will require firms to review and update how they safeguard customer data and detect and respond to incidents. With the December 3, 2025 deadline fast approaching, now is the time to prepare for Reg S-P compliance.

ACA offers a full suite of solutions to help firms prepare for compliance with Reg S-P, including readiness assessments and incident response plan reviews and testing. Leveraging our broader regulatory experience, we guide clients through complex requirements and ensure their cybersecurity strategies remain both compliant and resilient.
