United States: SEC Compliance Outreach on Regulation S-P for Large Firms

By: Jessica D. Cohn and Yonathan Y. Tewelde

On 25 September 2025, staff from the US Securities and Exchange Commission’s (SEC) Divisions of Examinations, Investment Management, and Trading and Markets hosted a webinar discussing the amendments to Regulation S-P and what to expect when Regulation S-P is within the scope of an examination. The amendments, among other things, require brokers, dealers, registered investment advisers, investment companies, and transfer agents (covered institutions) to adopt written policies and procedures for incident response programs that address unauthorized access to or use of customer information. These must include procedures for providing timely notification to individuals affected by an incident involving sensitive customer information, with details about the incident and information designed to help affected individuals respond appropriately.

Incident Response Program Framework

The staff indicated that, while there is no prescriptive requirement for a covered institution to follow the NIST Cybersecurity Framework or the ISO standard, the staff will use such frameworks as reference points when assessing a covered institution.

Oversight of Service Providers

The staff noted that the ultimate responsibility to protect customer information lies with the covered institution. If a service provider has access to or stores customer information, covered institutions must conduct appropriate due diligence and ongoing monitoring of such service provider to ensure that it takes appropriate measures to protect against and, if necessary, respond to breaches.

Examination Focus

The staff of the Division of Examinations will focus exams based on the covered institution’s network structure. The staff will seek to understand, among other information, how customer data is collected, used and managed within the network, how it moves throughout the organization, and what controls are in place to protect it. The staff expects to see an iterative risk assessment process and an incident response program capable of identifying a breach.

The compliance date for large firms is 3 December 2025. Our lawyers are available to advise covered institutions on compliance with the amendments.

Copyright © 2025, K&L Gates LLP. All Rights Reserved.