Financial regulators including the Securities and Exchange Commission (“SEC”) continued to focus on data protection and cybersecurity issues throughout 2025. With the amendments to the Safeguards Rule and Disposal Rule of Regulation S-P officially taking effect, the SEC is continuing to assert a more prominent role in data protection, a trend that will undoubtedly continue and likely expand throughout 2026.

While 2025 saw the SEC revoke the proposed cybersecurity risk management rules for investment advisers and other entities, the SEC went full steam ahead with respect to implementing the amendments to Regulation S-P. Though regulated entities waited with bated breath for a similar revocation or at least a delay in implementation of the Regulation S-P amendments, the SEC granted no such holiday reprieve, instead scheduling a series of three “compliance outreach” sessions, two of which have already been held as of December 17. As discussed further in prior Ropes & Gray alerts, the Regulation S-P updates apply to broker-dealers, registered investment companies, business development companies, and registered investment advisers and required significant updates in each of the following areas.

Written Cybersecurity Policies

Although a handful of states require implementation of written information security policies, including, notably, the Massachusetts cybersecurity regulations, many U.S. laws and regulations simply speak of “reasonable security measures.” The amended Regulation S-P aligned itself firmly with the former category of laws and regulations, requiring covered institutions to implement and maintain written policies and procedures that are reasonably designed to ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of customer information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

What’s more, it was previously commonplace for a registered investment adviser to take the position that its only “customers” were the private funds it advises, and as such the adviser had no natural person “customers” or “consumers” for purposes of, and would not be subject to, Regulation S-P. However, the broadened scope of the definition of “customer information” closed this loophole. Customer information now includes not only nonpublic personal information about a covered institution’s own customers, but also nonpublic personal information about customers of other financial institutions where such information is provided to the covered institution. Thus, the new definition captures customer information of private fund limited partners who are natural persons that an investment adviser possesses, handles or maintains on behalf of a private fund it advises, and the adviser must have written cybersecurity policies and procedures to protect such information.

Incident Response and Customer Notification

As part of a covered institution’s written information security policies, the amended Safeguards Rule requires a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. Such a response program must specifically enable the covered institution to assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization; take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and notify each affected individual whose “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization, subject to certain exceptions discussed below. Thus, while the written cybersecurity, incident response, oversight of service providers, and disposal policies and procedures required under Regulation S-P apply broadly to customer information, the breach notification element is triggered by a narrower set of “sensitive customer information,” defined as any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.

Joining the fray of the 54 state data breach notification laws, which contain various timeframes for alerting individuals and regulators of a data breach, generally ranging from 30-60 days, Regulation S-P now obligates a covered institution to notify affected individuals within 30 days of becoming aware of an incident involving unauthorized access to or use of sensitive customer information. However, among other exceptions, notice is not required where the covered institution can determine, after a reasonable investigation of the facts and circumstances of the incident that occurred at the covered institution or one of its service providers that is not itself a covered institution, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. While a somewhat amorphous standard, the SEC expands upon this risk of harm analysis in the adopting release for the Regulation S-P amendments, advising that although the determination regarding substantial harm or inconvenience depends on the particular facts and circumstances surrounding an incident, it may include personal injury, financial loss, expenditure of effort, or loss of time. The SEC offers the examples of theft, fraud, harassment, physical harm, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the misuse of information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise misuse the individual’s account. Like some state data breach notification laws, Regulation S-P sets forth specific elements that must be included in the notice to affected individuals. From a practical standpoint, covered institutions can send one notice to affected individuals in the wake of a data breach that addresses the requirements of all applicable laws, including state data breach notification laws, Regulation S-P, and the EU or UK General Data Protection Regulation.

Notably, Regulation S-P sets forth a rebuttable presumption requiring notice. Covered institutions should also be prepared to justify their decision-making regarding notice, as Reg S-P requires that where a covered institution determines notice is not needed, the covered institution must maintain a record of the investigation and the basis for its determination.

Service Provider Oversight

The prize for the Regulation S-P update that gave covered institutions the most heartburn in 2025 likely goes to the new service provider requirements. Pursuant to this aspect of the rule, covered institutions must establish written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, and to ensure that service providers take appropriate measures to protect against unauthorized access to or use of customer information and notify the covered institution as soon as possible but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.

The amendments require notification to a covered institution if there is a breach that results in “unauthorized access to a customer information system maintained by the service provider.” This is a broader set of customer information than “sensitive customer information” that can trigger a covered institution’s obligation to notify affected individuals. The adopting release notes that this broader scope is consistent with the fact that a covered institution’s incident response program must be reasonably designed to “address any incident involving customer information – not merely those involving sensitive customer information – and also account for the identification of affected customer information systems in addition to the types of customer information that may have been accessed or used without authorization.” (Emphasis in original).

Throughout 2025, covered institutions undertook the exercise of first identifying those service providers that receive access to customer information. Given that Regulation S-P is limited to natural persons investing for personal, family, or household purposes, this excludes information about institutional investors or beneficial owners thereof. Once this universe of service providers was identified, covered institutions then went out to those vendors, seeking to formally amend existing agreements to account for the Reg S-P requirements, particularly the 72-hour notice, or at the very least obtain assurances that the vendor would protect customer information and alert the covered institution within 72 hours of a breach impacting such information. Although the SEC dropped the requirement for a written contract addressing these points with vendors from the final draft of the Reg S-P amendments, practically speaking, obtaining such assurances via a formal contract or amendment is preferred, though organizations can gain sufficient comfort by reviewing vendors’ policies and procedures as a backup, depending on the breadth, depth, and content of such policies. Moving forward into 2026 and beyond, standard Regulation S-P language should be added to relevant service provider agreements at the outset of the engagement.

While the 72-hour notice requirement is frequently seen as the most prominent aspect of the Reg S-P vendor provisions, organizations should not forget about the due diligence and monitoring of their vendors. Considering factors such as the criticality of the vendor and the sensitivity of the information it will receive, diligence should be conducted prior to the engagement and at least annually thereafter. Such diligence can take many forms, including but not limited to questionnaires on security and privacy practices, preferably using industry-standard question sets, with review of the responses and follow-up as needed; review of industry-standard attestations, certifications, and other independent assessments of security and privacy practices; review of the third party’s information security program documentation and evidence of performance; internet security posture monitoring where available; and on-site or remote inspections for the most sensitive, high-risk third-party relationships.

Disposal Requirements

Last but not least, the amended Disposal Rule requires covered institutions to adopt and implement written policies and procedures that address the proper disposal of customer information and “consumer information” (the latter is a new term to replace “consumer report information” within the existing disposal rule) according to a standard of taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. While not requiring a specific retention period, Reg S-P does mandate that once the information is no longer needed for any legitimate business purpose, it must be disposed of securely. Such disposal requirements extend not only to the information itself, e.g., in any hard copies, but also to the sale, donation, or transfer of any medium, including computer equipment, on which consumer information or customer information is stored. Organizations should ensure there are shredders or shredding bins available and that any electronic media are properly wiped, which covered institutions can engage vendors to assist with or complete on their behalf.

Looking ahead to 2026, now that the ink is dry on the policy revisions, at least for the first tranche of institutions subject to the December 2025 compliance date, next steps include translating prescriptive rules into operational controls, ensuring board and senior management visibility, and evidencing readiness including through revised policies, service provider contract updates or other assurances, and incident response tabletop exercises. Firms that operationalize now will be better positioned for exams and enforcement risk as amended Regulation S-P becomes a day-to-day supervisory baseline.