In May 2024, the SEC adopted amendments (Amendments) to modernize Regulation S‑P (Reg S‑P), the agency's framework for protecting consumer personal information at designated financial institutions (Covered Institutions). The Amendments substantially expand the requirements for safeguarding customer information, including mandates to establish written incident response programs, notify customers of data breaches, implement additional service provider oversight and meet new recordkeeping requirements. The Amendments also broaden the scope of Covered Institutions to include all transfer agents, whether registered with the SEC or with another appropriate regulatory agency.
Large Covered Institutions – including SEC-registered investment advisers with $1.5 billion or more in assets under management, investment companies with $1 billion or more in net assets and all broker-dealers that are not small entities under the Securities Exchange Act of 1934 – were required to be in compliance by December 3, 2025. All other Covered Institutions must comply by June 3, 2026.
The Amendments' changes pertaining to the notice and incident response program requirements will prove particularly challenging for Covered Institutions, including investment advisers. This article focuses on those challenges and offers practical compliance guidance. While large Covered Institutions may already have updated their policies and procedures, this article highlights areas in which more preparation may be needed.
See "What Regulated Companies Need to Know About the SEC's Final Amendments to Regulation S‑P" (Jul. 24, 2024).
SEC Focus on Cybersecurity
The SEC adopted Reg S‑P in 2000 under the Gramm-Leach-Bliley Act to protect sensitive consumer personal information (PI) at Covered Institutions. Historically, Reg S‑P has obligated such institutions to implement administrative, technical and physical measures to safeguard consumer data (Safeguards Rule), ensure appropriate disposal of consumer information (Disposal Rule), and provide privacy notices and opt-out protections.
On March 15, 2023, the SEC proposed amendments to Reg S‑P to "address the expanded use of technology and corresponding risks," which were adopted on May 16, 2024, largely as proposed.
In its 2026 exam priorities, released on November 17, 2025, the SEC emphasized its focus on cybersecurity as a "perennial examination priority" and noted that "examinations will assess compliance with Regulation S‑P." In particular, examinations will focus on "firms' policies and procedures, internal controls, oversight of third-party vendors, and governance practices." Further, the SEC noted:
[I]n preparation for the compliance date of the Commission's amendments to Regulation S‑P, the Division will engage with firms during examinations about their progress in preparing to establish incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. After the applicable compliance dates, the Division will examine whether firms have developed, implemented, and maintained policies and procedures in accordance with the rule's new provisions that address administrative, technical, and physical safeguards for the protection of customer information.
Cybersecurity continues to be a perennial enforcement risk. For example, in late November 2025, the Commission brought and settled an administrative and cease-and-desist proceeding against a dually registered firm, finding violations of, among other things, Reg S‑P.
See "SEC Examinations Staff Shine a Light on How Registrants Are Selected and Ways to Excel During an Exam" (Jul. 16, 2025).
Incident Response Program Requirement Challenges
Core to the Amendments is the requirement for Covered Institutions to implement a written incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information, including customer notification procedures.
New to Advisers
Advisers often handle institutional investor information rather than broad swaths of personal information. Because there historically has been no federal cybersecurity regulation applicable to advisers that requires customer notification of an incident, advisers have largely been left out of the incident response landscape. This is about to change significantly, and a standalone policy document will not accomplish the changes needed to implement a response program.
See "SEC Staff Discuss Regulation S‑P Amendments and Related Examination Processes" (Oct. 15, 2025).
Necessary Procedures
The requisite response program must include procedures to:
- assess the nature and scope of any incident involving unauthorized access to or use of customer information, and identify the customer information systems and types of customer information that may have been accessed or used without authorization;
- take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and
- notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
Distinction Between a Policy and a Robust Incident Response Program
The Amendments call for a response program – not merely a standalone policy document, but a comprehensive framework comprising multiple policies and procedures. An incident response plan is a key component of a response program and guides an organization's incident handling efforts. An incident response plan typically addresses:
- the identification of incident response team members as well as their roles and responsibilities;
- procedures for discovering, triaging, assessing and responding to incidents, including evidence preservation and legal privilege considerations;
- retention of third-party forensic investigators and other providers;
- insurance availability and obligations;
- assessment of applicable legal requirements and regulatory obligations;
- internal and external communications; and
- engagement with law enforcement.
An incident response program includes this plan but also comprises an organization's processes for detecting and responding to cybersecurity threats, breaches and incidents. It includes measures that involve having internal and external stakeholders in place, employee training, tabletop exercises, and processes for reviewing and updating the plan.
Industry standards, such as those of the National Institute of Standards and Technology (NIST), have emerged in incident response and are widely followed and recognized, including by the SEC. NIST Special Publication 800‑61r3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, is written as a CSF 2.0 Community Profile that supplements the NIST Cybersecurity Framework (CSF) 2.0. An organization's incident response procedures might be informed by the NIST incident response lifecycle, which SP 800‑61r3 maps to the six CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond and Recover.
Customer Notification Requirement Challenges
The Reg S‑P customer notification requirement will prove particularly challenging for advisers and other Covered Institutions. Covered Institutions must provide notice to customers of an incident they or one of their service providers experienced, unless the Covered Institution has determined, after a reasonable investigation, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. The notice must be clear and conspicuous and must be provided to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
Presumption of Notification
If an incident of unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, but the Covered Institution is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization, the Covered Institution must provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed or used without authorization.
Because the 30‑day notification deadline (discussed below) is difficult to meet, an adviser that experiences a cybersecurity incident affecting a customer information system may be pressed to analyze all potentially impacted sensitive customer data in order to narrow the notification population. In the case of a third-party breach, the adviser may not be able to rely on the service provider to identify the impacted data.
Notwithstanding the foregoing, if the Covered Institution reasonably determines that a specific individual's sensitive customer information that resides in the customer information system was not accessed or used without authorization, the Covered Institution is not required to provide notice to that individual.
Need for Affirmative Determination in 30 Days
The notification requirement is framed such that advisers must affirmatively determine, within the 30‑day timeline, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience in order to conclude that notice is not required for an in-scope incident.
Specifically, the Amendments require Covered Institutions to provide notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The only exception is a delay permitted where the U.S. Attorney General determines that the notice poses a substantial risk to national security or public safety and notifies the Commission of that determination in writing.
In incident response, the first priority is to identify the source of unauthorized access and shut it down. The second priority is to mitigate the risk of harm to the business and to individuals. Identification of impacted data, while part of incident response, is done concurrently while the incident response team works to identify the root cause and contain the incident. If the Reg S‑P clock starts the moment an organization becomes aware of a reasonable likelihood of unauthorized access to customer information, providing notification within 30 calendar days will be quite challenging unless the organization is very well prepared – and that assumes the unauthorized access occurred within the organization's own systems. The challenge increases significantly if the unauthorized access occurred in a customer information system maintained by a service provider.
Goodwin partners Brynn Peltz, Jonathan Hecht and Gregory Larkin; counsel Cynthia Wells; and asso ciate Jacob Lee contributed to this article.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.