In a speech, the Acting Director of the U.S. Securities and Exchange Commission’s Division of Examinations set out how examination staff will operationalize and assess firms’ implementation of the Commission’s recently adopted enhancements to Regulation S-P. The amendments expand the rule’s applicability to additional financial institutions, modernize safeguards and disposal requirements for customer information, and add requirements to provide timely and consistent notifications to customers following unauthorized access to or use of their information. The Division highlighted three areas firms will need to adopt and be prepared to evidence in examinations: a written incident response program under the Safeguards Rule that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures to assess incidents and contain and control them; a customer notification requirement to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, generally as soon as practicable and no later than 30 days after the firm becomes aware; and new requirements to establish, maintain, and enforce written policies and procedures for oversight of third-party service providers, including due diligence and monitoring, to help ensure required notices are delivered. Ahead of the amendments’ two compliance dates, staff plans a series of three outreach events with the Divisions of Investment Management and Trading and Markets, and examiners may ask registrants about implementation progress to inform the Commission’s understanding of sector readiness rather than to cite pre-effective-date noncompliance. The Division may communicate anonymized cross-sector observations through a Risk Alert or other publication, and indicated the updated Regulation S-P could become a thematic examination initiative in coming fiscal years; if the Commission extends the compliance dates, the Division said it would adjust its timeline accordingly.
U.S. Securities & Exchange Commission 2025-05-14
U.S. Securities and Exchange Commission outlines examinations readiness plan for enhanced Regulation S-P safeguards and breach notifications
The Acting Director of the U.S. SEC’s Division of Examinations outlined staff assessments of firms' enhancements to Regulation S-P. Key areas include a written incident response program, customer notification requirements, and oversight of third-party service providers. The Division plans outreach events and may issue a Risk Alert on sector readiness, with potential thematic examinations in future fiscal years.