This article was authored by John Vekich and Colleen Corwell from Kroll’s Financial Services Compliance and Regulation practice, and Eric Hasty, Tiernan Connolly and Adriana Lamar from Kroll’s Cyber and Data Resilience practice.
Financial institutions are already accustomed to complying with Regulation S-P, which safeguards consumer financial information through written privacy policies, proper data disposal practices and opt-out rights. However, amendments to the rule adopted on May 15, 2024, expand the protections for customer information collected by financial firms, and covered companies are now under pressure to meet the compliance deadline of June 3, 2026; larger companies were required to meet an earlier deadline of December 3, 2025. This article sets out the specifics of the new requirements, what they mean for businesses and key next steps for navigating this important change to the regulatory landscape.
Safeguarding Consumer Information
In recent years, there have been significant shifts in how financial institutions obtain, share and maintain their customers’ personal information. These changes, while delivering greater flexibility, also have the potential to increase risks to individuals and their data, and the financial services sector remains a key target for threat actors, as highlighted in Kroll’s 2025 Data Breach Outlook. In response to these developments, on May 15, 2024, the Securities and Exchange Commission (SEC) announced the adoption of amendments aimed at enhancing the protection of consumer financial information. Among other things, the amendments broaden the scope of information covered by Regulation S-P’s requirements. They apply to broker-dealers, investment companies, SEC-registered investment advisers (RIAs), funding portals and transfer agents registered with the SEC or another appropriate regulatory agency.
Larger entities, which include RIAs with $1.5 billion or more in assets under management and registered investment companies with net assets of $1 billion or more, were required to comply by December 3, 2025. Smaller entities now have to act fast to meet their compliance date of June 3, 2026. The consequences of failing to comply may include enforcement actions, liability and reputational harm.
Understanding the New Requirements
In addition to several clarifications surrounding the current provisions of Regulation S-P, four new requirements stem from these latest amendments: Incident Response Program, Customer Notification, Service Provider Due Diligence and Recordkeeping. Below, we outline key points for each requirement.
- Incident Response Program
Advisers and other covered institutions are required to develop, implement and maintain written policies and procedures for detecting, responding to and recovering from unauthorized access to or use of customer information. While most firms already have an incident response plan in place, they will need to make that process explicit and tell their clients how they will be contacted in the event of a cybersecurity incident: for example, will clients receive an email within 24 hours, or will they be contacted by phone? Meeting this requirement will place additional demands on your team’s expertise and time, and may expose gaps in your organization’s knowledge.
- Customer Notification
Building on the requirement above, advisers must adopt procedures to ensure that affected individuals are notified promptly; under the amendments, notice must go out as soon as practicable and no later than 30 days after the firm becomes aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred. Firms will need to designate a person within the organization to be responsible for this, which is likely to create additional demands on time and resources.
- Service Provider Due Diligence
This requirement is one of the more onerous changes to the Regulation, as it concerns advisers’ relationships with their service providers. Under the amended Regulation, advisers must establish, maintain and enforce policies and procedures reasonably designed to ensure that third-party service providers take appropriate measures to protect against unauthorized access to or use of customer information and notify the firm when a breach occurs; the rule sets that notification window at no later than 72 hours after the provider becomes aware of the breach. Firms will have to assess all their service providers to confirm that they meet the requirements, and the larger the firm and the more complex its web of third parties, the more coordination this will take. Expect the exercise to be time-consuming and to add further complexity to third-party relationships.
- Recordkeeping and Annual Notice
The new requirements set out that additional books and records must be maintained by advisers. These include customer information disposal practices, records of incidents and responses taken and service provider agreements relating to the identified requirements. Because firms should already be doing this, it shouldn’t be too much of a burden. However, if they aren’t, or if there are gaps in their approach, they will need to address this.
The amendments also conform Regulation S-P’s annual privacy notice delivery provisions to the Consumer Financial Protection Bureau’s Regulation P by adding an exception. A covered institution does not have to deliver an annual privacy notice if it only provides non-public personal information to non-affiliated third parties when an exception to the third-party opt-out requirement applies, and it has not changed its policies and practices around disclosing non-public personal information since the most recent notice it sent to customers.
Ensuring Reg S-P Readiness: Next Steps
With the Regulation S-P compliance date just a few months away, firms will benefit from taking strategic action as soon as they can. We recommend the following next steps:
- Assess Your Incident Response Plan
Ensure that your incident response plans are fully up to date and aligned with the requirements and the current security status of your firm.
- Review Your Policies
Complete a comprehensive review of your current customer information policies and the third-party service providers that may be affected by them. One approach to achieving this is to create a dedicated task force or group within the firm.
- Update Your Employees
While an internal task force can be valuable, do not overlook the importance of broader organizational knowledge. Make sure that all relevant employees are fully aware of the upcoming changes and that they are given training and support on all the regulation updates.
- Gain Expert Support and Insight
Working with a partner organization experienced in both regulatory compliance and cybersecurity can help to accelerate the compliance process and ensure the quality of processes and systems. Verify that your prospective partner has a proven track record of working with financial institutions and that they fully understand the complexities of today’s security and regulatory landscape.
Achieve Regulation S-P Compliance with Kroll
As trusted partners to leading financial institutions around the world, Kroll’s cybersecurity and compliance consulting teams are highly attuned to SEC regulatory developments and ideally positioned to support your organization, wherever it is on the journey toward Regulation S-P compliance.
Our expertise spans the full range of the regulation’s new requirements, from developing governance documentation, including cybersecurity policies, standards and incident response plans, to delivering breach notifications and running incident readiness exercises that simulate a response. Our combined regulatory and security track record provides the breadth of insight needed to review existing policies and procedures and tailor them to meet the new Regulation S-P requirements.
Our end-to-end expertise means we can deliver a wide range of technical assessments, including penetration testing, threat detection assessments, cloud security assessments and SaaS security assessments. We are highly experienced at implementing and managing service provider due diligence associated with cybersecurity and delivering elite incident response and digital forensics services to contain and eradicate malicious activity, followed by post-incident remediation and recovery.