- Introduction
Good afternoon, I’m pleased to join you today to discuss the importance of, and the financial sector’s role in, information security and the protection of investors’ nonpublic personal information. Specifically, I am here to lay out the Division of Examinations’ approach to operationalizing the Commission’s recently adopted enhancements to Regulation S-P.
But before I begin, I must share the official statement that:
This speech is provided in my official capacity as the Commission’s Acting Director of the Division of Examinations, but does not necessarily reflect the views of the Commission, the Commissioners, or other members of the staff.
- Background
The Commission, and the Division of Examinations, have been focused on ensuring the security of customer information for over two decades. In 2000, acting under the authority of the Gramm-Leach-Bliley Act, the Commission adopted Regulation S-P[i] to help safeguard such information. The standards established by Regulation S-P require, among other things, covered institutions to (i) insure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.[ii]
Since its adoption in 2000, the Division of Examinations—and its predecessor, the Office of Compliance Inspections and Examinations (OCIE)—has examined registrants for compliance with the requirements of Regulation S-P. We have also been incredibly active in our efforts to promote awareness and strengthen compliance across the broader field of information technology controls, especially through our industry outreach and engagement, including issuing over a dozen risk alerts on information security topics, stretching back over a decade.[iii]
But the threat landscape has significantly changed in the last 25 years. In 2000, the vast majority of mobile phones were cellular phones, like the Nokia “brick” phone or flip phone. Today, about nine in ten U.S. adults own a smartphone. In 2000, you generally initiated a stock trade either by calling your broker or through the internet using a dial-up modem. Today, over 100 million people use investment apps. This includes 78% of investors aged 18-34.[iv] In 2000, cyberattacks were just starting to become a growing threat in the U.S. Today, Microsoft reports that its customers face 600 million cyberattacks on a daily basis.[v] The FBI reported in 2023 that its Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding $12.5 billion.[vi]
The advancement in technology and the increased threat landscape faced by retail investors highlight the need for the regulatory community to adapt to the changing environment. Although the trend toward digitization has increasingly turned the problem of safeguarding customer records and information into one of cybersecurity, this is not to say that it is exclusively a problem of cybersecurity.
- Amendments to Regulation S-P
In response, last year the Commission completed a rulemaking process that revised and enhanced Regulation S-P. These amendments expanded the applicability of Regulation S-P to cover additional financial institutions, modernized the rules relating to safeguards and disposal of customer information, and helped ensure customers of covered institutions receive timely and consistent notifications in the event of unauthorized access to or use of their information.[vii]
- Key Enhancements to Regulation S-P
There isn’t enough time today to cover all of the new enhancements and amendments, so I encourage everyone to review Regulation S-P in its entirety. You can access the amendments on the SEC’s website, along with several helpful fact sheets and summaries you may find useful.[viii] I wanted to highlight three of the enhancements that firms will need to assess and adopt: an incident response program, a new customer notification requirement, and requirements relating to third-party service providers.
- Incident Response Program
One of the key amendments to Reg S-P concerns covered institutions’ incident response programs in their written policies and procedures under the Safeguards Rule.[ix] The program must be reasonably designed to detect, respond to, and recover from unauthorized access to, or use of, customer information.[x] It must include procedures to assess the nature and scope of any incident and require appropriate steps to contain and control incidents to prevent further unauthorized access or use.[xi]
- Customer Notification Requirement
The enhancements also require covered institutions to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.[xii] The rules also require, with limited exception, that firms notify customers as soon as practicable (but no later than 30 days) after the covered institution becomes aware that unauthorized access to, or use of, customer information has occurred (or is reasonably likely to have occurred).[xiii]
- Third-Party Service Providers
The amendments to the Safeguards Rule also include new provisions that address the use of third-party service providers by covered institutions. Covered institutions will now be required to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring of service providers, to ensure that affected individuals receive any required notices. In essence, this means that while covered institutions may outsource their operations, they may not outsource their ultimate obligation to comply with Regulation S-P.
- Examinations Engagement and Outreach
So, what does all of this mean for the work of the Division of Examinations? As I mentioned, the SEC has focused on compliance risks relating to securing information technology for many years, with particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under the federal securities laws.[xiv] We recognize that any regulatory adjustment can create a risk of implementation challenges and costs associated with compliance. Under the Division’s Pillar of promoting compliance, we want to take this opportunity to clearly articulate our approach to achieving our shared goal of improved information security through the implementation of the updated Regulation S-P.
In the coming months, staff in the Division of Examinations, in coordination with staff from the Divisions of Investment Management and Trading and Markets, will host a series of three tailored outreach events to help promote readiness and assist firms in their preparedness to implement these new amendments to Regulation S-P. Among other topics, we will cover basics about what to expect when interacting with an exam team during an examination where Regulation S-P is in scope, as well as having a broader discussion about our approach. Led by our tremendously talented staff in the Technology Controls Program, including technologists, industry experts, former CISOs, intelligence analysts, specialized contractors, attorneys, and examiners, these outreach events are designed to assist registrants in preparing for their respective compliance dates. We will publish additional details about these events in the near future, but I look forward to having Division staff share their expertise and engage in rich discussions with our registrants.
As the two compliance dates contained in the amendments approach, registrants should not be surprised if examiners inquire about their preparations to ensure compliance following the compliance date. These inquiries are not directed at citing registrants for potential non-compliance with requirements that are not yet in effect but are intended to inform the Commission of where registrants are in the process of implementation. Similar to our approach before the transition to the T+1 settlement cycle, the Division will conduct examinations to assist the Commission in understanding the level of readiness across the sector before the compliance dates. To the extent the staff identifies trends or risks relevant across the sector or within a specific registrant population, the Division could communicate these anonymized observations through a Risk Alert or some other publication to assist registrants in coming into compliance by their respective compliance dates.
Obviously, once the compliance date passes, the updated Regulation S-P could potentially be included as part of an examination for any registrant subject to its provisions, so we all have an interest in giving registrants every opportunity to be prepared. I understand there have been requests made to the Commission to extend the relevant compliance dates for the rule amendments.[xv] Should the Commission choose to extend the compliance date, the Division will adjust our timeline, as necessary, but our approach to promoting compliance with the new requirements will remain the same. With the Commission’s clear statement of the importance of this issue, registrants shouldn’t be surprised if Regulation S-P is the subject of a thematic initiative in the coming fiscal years. Certainly, throughout this process we will be working closely with our colleagues here at FINRA and with our registrants to encourage compliance.
***
- Conclusion
I want to thank our host FINRA and everyone here this afternoon for your time, attention, and interest in strengthening compliance and investor protection. I appreciate your commitment to safeguarding and protecting customers’ nonpublic personal information, as strong controls and safeguards benefit not only customers and investors, but also our financial institutions and markets generally.
[i] Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information 17 C.F.R. § 248 (2000), available at https://www.federalregister.gov/documents/2000/06/29/00-16269/privacy-of-consumer-financial-information-regulation-s-p.
[ii] Id.
[iii] See Observations from Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID (Dec. 5, 2022), available at: https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf; see also Cybersecurity: Safeguarding Client Accounts Against Credential Compromise (Sept. 15, 2020), available at: https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf; see also Cybersecurity: Ransomware Alert (July 10, 2020), available at: https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf; see also Cybersecurity and Resiliency Observations (Jan. 27, 2020), available at: https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf; see also Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (May 23, 2019), available at: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; see also Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (April 16, 2019), available at: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf; see also Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018), available at: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf; see also Observations from Cybersecurity Examinations (Aug. 7, 2017), available at: https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf; see also OCIE 2015 Cybersecurity Initiative (Sept. 15, 2015), available at: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf; see also Cybersecurity Examination Sweep Summary (Feb. 3, 2015), available at: https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf; see also OCIE Cybersecurity Initiative (Apr. 15, 2014), available at: https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf; see also Investment Adviser Use of Social Media (Jan. 4, 2012), available at: https://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf.
[iv] FINRA Investor Education Foundation, Investors in the United States: The Changing Landscape, available at: https://www.finrafoundation.org/sites/finrafoundation/files/NFCS-Investor-Report-Changing-Landscape.pdf.
[v] Microsoft, Microsoft Digital Defense Report: 600 million cyberattacks per day around the globe, available at: https://news.microsoft.com/en-cee/2024/11/29/microsoft-digital-defense-report-600-million-cyberattacks-per-day-around-the-globe/.
[vi] FBI Internet Crime Report 2023, available at: https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf.
[vii] Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 89 FR 47688 (June 3, 2024), available at: https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information (corrected by 89 FR 53487 (June 27, 2024), available at: https://www.sec.gov/files/rules/final/2024/34-100155a.pdf) (“Amendments to Regulation S-P”). Regulation S-P was previously amended December 8, 2004, available at: https://www.federalregister.gov/documents/2004/12/08/04-26878/disposal-of-consumer-report-information (amending Reg. S-P to include provisions relating to the secure disposal of consumer report information).
[viii] See Amendments to Regulation S-P; see also Fact Sheet: Final Rules: Enhancements to Regulation S-P, available at: https://www.sec.gov/files/34-100155-fact-sheet.pdf (“Regulation S-P Fact Sheet”); see also Enhancements to Regulation S-P: A Small Entity Compliance Guide, available at: https://www.sec.gov/files/rules/final/2024/regulation-s-p-small-entity-compliance-guide.pdf.
[ix] Regulation S-P Fact Sheet.
[x] Id.
[xi] Id.
[xii] Id.
[xiii] Id.
[xiv] See Cybersecurity and Resiliency Observations, at 1, n.1, available at: https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.
[xv] See IAA Letter to SEC Chairman Atkins (May 1, 2025), available at: https://www.investmentadviser.org/resources/iaa-letter-to-sec-chairman-atkins/; see also SIFMA et al., Request for Extension of Compliance Dates for Amendments to Regulation S-P (Joint Trades) (April 25, 2025), available at: https://www.sifma.org/resources/submissions/letters/request-for-extension-of-compliance-dates-for-amendments-to-regulation-s-p-joint-trades/.