For many in financial services, Regulation S-P has long felt like a background rule. Important, but static. Privacy notice language to update annually. A check-the-box exercise that sat comfortably alongside the Gramm-Leach-Bliley Act (GLBA) and state breach laws.

That era is over.

With the SEC’s latest amendments, Reg S-P has moved firmly into the center of the cybersecurity, privacy, and governance conversation. For broker-dealers, investment advisers, and funds, this is no longer a narrow privacy exercise. It is a comprehensive data and technology risk mandate.

In this post, we will unpack what has changed, why it is changing now, and what CISOs, CPOs, and compliance leaders need to prioritize.

Why Reg S-P now? The context has shifted.

Reg S-P was adopted in 2000. At that time, the financial services ecosystem looked nothing like it does today.

Today, we have:

  • Thousands of entities in scope. Roughly 3,340 broker-dealers, representing 6.4 trillion dollars in assets, and nearly 22,000 SEC-registered investment advisers. When you include investment companies and transfer agents, at least 25,000 firms fall under Reg S-P.
  • Highly interconnected markets. A complex web of broker-dealers, advisers, market utilities, and third-party providers moves trillions of dollars in securities transactions.
  • A dramatically expanded attack surface. Cloud, SaaS, global outsourcing, and the rise of AI have magnified cyber and data exposure at every node in that web.

Against that backdrop, the SEC stepped back and asked a simple question: is a 25-year-old privacy and safeguards rule fit for a world of persistent cyberattacks, sophisticated threat actors, and sprawling vendor ecosystems? The answer was “no,” and the amendments reflect that reality.

Cybersecurity as an existential risk, not an IT issue

The SEC now treats cybersecurity and data protection as existential issues for market stability. Reg S-P is one pillar in a broader framework that includes:

  • Rules focused on system reliability and operational resilience.
  • Public company disclosure rules around material cyber incidents.
  • Growing expectations for board-level oversight of technology and data risk.

In practice, that means Reg S-P is no longer viewed as a legal or privacy sidecar. It is part of a broader expectation that firms will implement enterprise risk management, governance, and incident response capabilities that cut across the organization.

The biggest misunderstandings about Reg S-P

Many organizations still fall into one or more of these traps.

  1. “This is just a privacy rule, similar to GLBA.”

    The updated Reg S-P remains aligned with the GLBA conceptually. It is about protecting personal information tied to financial relationships. However, it now goes further in specifying governance, incident response, notification, and vendor obligations.
  2. “Safeguarding expectations have not really changed.”

    That view is outdated. Reasonable safeguards now mean risk-based controls that span your environment and your supply chain. They must be documented, tested, and continuously updated.
  3. “This is isolated from cybersecurity.”

    In reality, Reg S-P sits at the intersection of data privacy and cybersecurity. To comply, firms need an integrated approach to access management, monitoring, vendor oversight, and response.

Key new requirements you cannot ignore

While the amendments are detailed, several themes stand out.

1. Mandatory customer breach notification with defined timelines

Regulated entities must notify customers without unreasonable delay after determining that unauthorized access to sensitive customer information has occurred and is likely to result in substantial harm. This is not a nice-to-have capability. This requirement will be scrutinized.

2. Expanded scope of customer information

The rule continues to focus on personally identifiable information. Think names, account numbers, Social Security numbers, and financial details. But the expectation is much more explicit about identifying and tracking where this information lives across your systems and suppliers.

3. Stronger vendor and service provider oversight

You can outsource operations. You cannot outsource risk. Reg S-P now makes clear that firms must:

  • Identify which service providers have access to customer information.
  • Include breach notification obligations in contracts.
  • Treat vendor incidents as part of their own risk posture and incident response playbook.

Given that a large share of modern data breaches originates in the supply chain, this is not theoretical.

Why this matters for CISOs, CPOs, and compliance leaders

High-performing firms are not treating Reg S-P as a siloed privacy project. Instead, they are building integrated teams and playbooks across:

  • CISOs and technology leaders. Responsible for access controls, logging, monitoring, and technical safeguards.
  • Chief Privacy Officers. Responsible for data classification, privacy notices, and risk assessments.
  • Compliance and legal. Responsible for interpreting regulatory obligations, documentation, and engagement with regulators.
  • Enterprise risk management and the board. Responsible for governance, prioritization, and capital allocation.

The rule expects evidence-based compliance. That means policies that reflect actual day-to-day practices, logs and documentation that demonstrate the use of controls, and regular exercises that refine responses.

The Takeaway

Reg S-P is not a new concept. But in 2025 and beyond, its implications are far-reaching.

If you are responsible for privacy, security, or compliance at a broker-dealer, investment adviser, fund, or related entity, this is the moment to:

  • Re-evaluate your incident response playbook.
  • Assess vendor contracts and notification clauses.
  • Ensure that governance, risk, and technology teams are working from a shared map of your data and obligations.

Common sense and good blocking and tackling still matter: knowing what data you have, where it lives, who can access it, and how you respond when something goes wrong. The difference now is that the SEC expects you to be able to prove it.