The SEC’s Long-Awaited Overhaul
For the first time in over twenty years, the Securities and Exchange Commission (SEC) has significantly updated Regulation S-P, changing how financial firms are required to protect client data. The amendments to the Rule, adopted in May 2024, introduce mandatory written incident response plans, customer breach notifications, and formal oversight procedures for vendors. While these new requirements broadly apply to all broker-dealers and SEC-registered investment advisers, their greatest impact will be on smaller firms, which often depend on third-party technology and custodial platforms for managing data.
Historically, Regulation S-P was focused on annual privacy notices and basic safeguards. Those days are over. The 2024 amendments reflect the SEC’s growing concern that even minor compliance lapses at boutique firms can expose thousands of investor records through a single vendor breach.
Regulation S-P Modernization: Why It Matters
When the SEC adopted Regulation S-P in 2000, cybersecurity meant locking a file cabinet. In today’s world of digital custodians and third-party vendors, that protection model is obsolete. The 2024 amendments respond to years of high-profile data incidents that exposed sensitive investor information across small and large firms alike. According to the SEC’s adopting release in May 2024, financial institutions reported nearly 1,200 data breaches in 2023, affecting millions of customers. The SEC’s goal is to standardize how regulated entities detect, contain, and disclose such incidents.
This expansion covers both large and small financial firms, but it directly affects smaller firms that historically relied on clearing brokers or custodians to meet data security obligations. The SEC emphasized that “reliance without oversight” is insufficient; firms remain accountable for protecting customer information regardless of delegation.
What’s Changing
At the center of the new rule is the requirement for a written, risk-based incident-response program capable of identifying unauthorized access and mitigating harm. Every broker-dealer and SEC-registered adviser must now have a documented plan to detect, respond to, and recover from unauthorized access to “customer information.” Additionally, if that access involves sensitive data, the firm must notify each affected individual within 30 days of discovery.
For smaller firms, this is a significant shift. Many have relied on clearing firms or third-party custodians to handle cybersecurity. Under the new Reg S-P, delegation without oversight is no longer enough. The SEC made clear that each firm remains fully responsible for protecting client data, regardless of who holds or processes it.
In practice, this means firms must integrate cybersecurity directly into their compliance programs. Written supervisory procedures must define escalation steps, designate response personnel, and include customer notification templates. Firms will also need to ensure that their service agreements with third-party vendors, particularly with CRMs, cloud platforms, and data vendors, require prompt reporting of any security incidents.
Key Requirements: What Firms Must Implement
- Incident-Response Program. Every covered firm must maintain written procedures to detect, respond to, and recover from unauthorized access. Policies should detail protocols for incident assessment, containment, recovery, and notification.
- Customer Notification. If a breach involves or is likely to involve unauthorized access to sensitive data, affected customers must be notified no later than 30 days after discovery. This is a landmark change: Reg S-P previously imposed no such duty.
- Service-Provider Oversight. Firms must conduct due diligence, impose written contractual obligations, and monitor vendors handling customer data. Service providers must promptly notify the firm of any data incident, enabling the firm to meet its 30-day notice obligation. Additionally, the amendments create an explicit duty to monitor and manage service providers. Small firms that depend on third-party technology vendors, outsourced compliance platforms, or portfolio-accounting systems will need to review their contracts and ensure those vendors have adequate data-protection controls, written notification obligations for breaches, and ongoing monitoring rights for the firm.
- Broadened “Customer Information” Scope. The rule now covers any data received from another financial institution, even if the recipient no longer maintains a direct customer relationship with that institution. Advisers using sub-advisers or custodians must treat those records as covered data.
- Recordkeeping. Policies, vendor evaluations, and incident records must be retained consistent with Exchange Act and Advisers Act recordkeeping standards, typically five years.
How the SEC Defines “Small Entity”
The industry often assumes “small entity” means a small firm, for example, one with a FINRA small-firm classification or limited RAUM. Under the amended Reg S-P, that assumption is incorrect.
The SEC relies on pre-existing small-entity definitions, which are narrow and rarely satisfied.
- Broker-Dealers (Exchange Act Rule 0-10(c)). A broker-dealer is a small entity only if both conditions are met: total capital of less than $500,000 (not net capital), and no affiliation with a non-small entity.
- Investment Advisers (Advisers Act Rule 275.0-7). An IA is a small entity only if it has AUM under $25 million, is not affiliated with a larger adviser, and is eligible for SEC registration only because it advises a registered investment company or business development company (BDC).
The practical impact of the definitions is that a large number of broker-dealers and SEC-registered advisers qualify as large entities.
Compliance Timeline
The rule’s effective dates reflect an acknowledgment of small-firm constraints. Large firms must comply by December 3, 2025, while smaller broker-dealers and advisers have until June 3, 2026.
What the SEC and FINRA Will Expect
For broker-dealers, expect FINRA examiners to align their review programs with these new obligations. Reg S-P compliance will likely intersect with Rule 3110 (Supervision), Rule 4370 (Business Continuity Planning), and emerging guidance on cybersecurity risk management. FINRA has already signaled that firms must demonstrate both incident-response readiness and vendor-risk oversight at the supervisory-system level.
For investment advisers, the SEC’s Division of Examinations will review compliance under Advisers Act Rule 206(4)-7, ensuring that written policies include specific cyber-incident and vendor-management procedures. Advisers that outsource data processing to custodians or administrators will be expected to demonstrate oversight and testing, not merely rely on third-party assurances.
The Bottom Line
The modernization of Regulation S-P represents more than a privacy update; it is a cultural shift toward operational accountability in cybersecurity. For both large and small broker-dealers and advisers, it underscores a clear message: protecting client data is not optional, and oversight cannot be outsourced.
With the deadlines approaching, now is the time for firms to get ahead of the curve and assess their vulnerabilities, strengthen vendor oversight, and build defensible documentation before regulators start asking questions.