The New SEC Regulation S-P Amendments: What Every RIA Needs to Know

Effective Date: August 2, 2024
Compliance Deadline: December 3, 2025 (larger entities); June 3, 2026 (smaller entities)
Applies To: SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents

The SEC has officially adopted sweeping amendments to Regulation S-P — the primary federal privacy and safeguards rule under the Gramm-Leach-Bliley Act (GLBA). While Regulation S-P has existed since 2000, the 2024 amendments modernize it to address today’s cybersecurity risks, requiring firms to go far beyond simply having an “information security policy.”

This briefing summarizes what changed, why it matters, and what a firm needs to have in place. The full rule and the SEC’s fact sheet are available on the SEC’s website.

What Changed

1. Maintain a Written Incident Response Program

Firms must implement a documented program that addresses:

  • Assessing and documenting the nature and scope of an incident
  • Containing and controlling the event
  • Determining whether notification to affected individuals is required
  • Reviewing and updating safeguards following an incident

This is the operational core of the amended rule. A firm without a written, workable incident response program is no longer compliant.

2. Provide Direct Customer Notification (30-Day Requirement)

If unauthorized access to sensitive customer information is confirmed, firms must provide notice without unreasonable delay and no later than 30 days. The notice must include prescribed content — what happened, the categories of information involved, steps taken by the firm, and steps individuals can take — and must be delivered using a method reasonably designed to reach the individual. Firms must maintain documentation of both the determination and the notice itself.

3. Strengthen Service-Provider Oversight

The amendments require enhanced oversight of service providers, including contractual obligations to maintain appropriate safeguards, notify the firm of security incidents promptly, provide information needed for the firm to meet its 30-day notification obligation, and cooperate with containment, investigation, and remediation. The standard the SEC sets is notification as soon as possible, but no later than 72 hours after the service provider becomes aware of a covered breach. For many firms, this means existing MSP and vendor contracts need to be amended.

4. Updated Definition of “Sensitive Customer Information”

The rule expands and clarifies the definition to specifically include Social Security numbers and other government identifiers, account numbers, authentication credentials such as access codes or passwords, and biometric identifiers.

5. Enhanced Recordkeeping Requirements (Five Years)

Firms must maintain for not less than five years: incident records and investigation documentation, customer notification drafts and delivery confirmations, vendor breach notifications and related communications, relevant training logs and attestations, and records used in the firm’s annual review under Rule 206(4)-7.

How This Connects to the Rest of Your Compliance Program

The amended Reg S-P does not stand alone. Its incident records, vendor oversight artifacts, and testing results feed directly into the Rule 206(4)-7 annual review. Its definition of sensitive customer information should align with the firm’s data classification and DLP scope. Its recordkeeping obligations sit inside the Rule 204-2 framework. And its incident response expectations overlap with the cyber-related identity theft red flags a firm should already be monitoring under Regulation S-ID. Treating these as one connected program, rather than four separate documents, is what produces a defensible posture on exam day.

The Practical Takeaway

The 2024 amendments represent the first major modernization of the Safeguards Rule in two decades, and they move Reg S-P from “have a policy” to “operate a program and prove it works.” The firms that fare best will have a written incident response program that can actually meet the 30-day clock, vendor contracts updated to the 72-hour standard, a data classification scheme aligned to the expanded definition of sensitive customer information, and a recordkeeping discipline that retains the right artifacts for five years. If your program does not yet do these things, the compliance deadline is the forcing function to close the gap.


The smaller-entity compliance date is June 3, 2026. If your incident response program, vendor contracts, and recordkeeping are not yet aligned to the amended rule, a Reg S-P readiness review will show you exactly what is missing. That review is part of the work we do.