
Preparing For the New Reg S-P Rules

The Securities and Exchange Commission has quietly done something very loud.


With its 2024 amendments to Regulation S-P, the SEC has turned what used to be a fairly high-level privacy rule into a detailed playbook for how financial firms must prepare for, detect, respond to, and document cybersecurity incidents. The changes touch incident response, vendor oversight, record keeping, and breach notification timelines in ways that many covered firms are still digesting.


For Roark Tech Services clients, the message is clear: this is no longer just about having “good security.” It is about having provable, documented, and repeatable security practices that stand up to regulators, examiners, and, if things go badly, plaintiffs’ counsel.


WHAT CHANGED: A Modern Reg S-P in Four Pillars

The SEC’s 2024 amendments modernize Reg S-P in four main ways:


  1. Expanded scope of covered information and institutions

  2. Mandatory written incident response programs

  3. Tightened breach notification timelines and content requirements

  4. Stronger service provider oversight and record keeping obligations


Who is covered



The amended rule applies broadly to:


  • Broker-dealers (including funding portals)

  • Registered investment advisers

  • Registered investment companies

  • Transfer agents registered with the SEC or federal banking regulators


The definition of “customer information” now sweeps in any record containing nonpublic personal information about a customer, whether the institution collected it itself or received it from another financial institution. In other words: if you handle nonpublic personal information about individuals in a financial context, Reg S-P likely applies, directly or indirectly.


Key compliance dates


  • Rule effective date: August 2, 2024

  • Large entities must comply by December 3, 2025

  • Smaller entities (as defined by the SEC) must comply by June 3, 2026


For many firms, that means the clock is already ticking loudly.

PILLAR 1: Incident Response Is Now Explicitly Required

Under the amended Reg S-P, covered institutions must adopt a written incident response program as part of their safeguards policies.


That program must be reasonably designed to:

  • Detect unauthorized access to or use of customer information

  • Respond to such incidents

  • Recover from them in a structured, documented way


At a minimum, the program must include procedures to:

  • Assess the nature and scope of an incident

  • Contain and control the incident to prevent further unauthorized access or use

  • Remediate vulnerabilities that allowed the incident

  • Escalate and document key decisions along the way


This pushes firms beyond vague “we take security seriously” statements and into concrete, testable plans. If your plan lives only in a binder, or worse, in someone’s head, you are not where the SEC expects you to be.


PILLAR 2: 30-Day Breach Notification to Individuals

The amendments introduce a federal baseline for individual breach notification. Covered institutions must notify affected individuals “as soon as practicable,” but no later than 30 days after becoming aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred, unless they determine after a reasonable investigation that the data is not likely to be used in a way that causes substantial harm or inconvenience.


Notices must be:


  • Clear and conspicuous

  • Delivered by a method reasonably designed to reach the individual in writing

  • Substantive, describing the incident, the data involved, and steps individuals can take to protect themselves




There are limited exceptions (for example, in certain national security or public safety scenarios), but for most firms the takeaway is simple:


  1. Your incident response program must be designed to reach a 30-day notification decision point.


  2. This also needs to harmonize with state breach laws, many of which now set similar or shorter deadlines.


PILLAR 3: Service Provider Oversight and 72-Hour Notice

The SEC has made it clear that vendor risk is not optional.


Under the amended Reg S-P, covered institutions must maintain written policies and procedures that:


  • Provide for due diligence and ongoing monitoring of service providers’ safeguarding of customer information

  • Are reasonably designed to ensure service providers take appropriate measures to protect that information

  • Require service providers to notify the covered institution as soon as possible, and no later than 72 hours, after discovering a breach involving customer information systems they maintain


The rule does not mandate specific contract language, but in practice, firms will need to align their services agreements with these expectations. Without contractual rights and reporting obligations, compliance becomes very difficult to demonstrate.


PILLAR 4: Record keeping and Data Disposal

The amendments significantly expand record keeping obligations.


Covered institutions must maintain written records that document:


  • Safeguards policies and procedures, including the incident response program

  • Any detected unauthorized access to or use of customer information and the response to it

  • Any investigation into whether notification was required, including the basis for the decision and copies of notices sent

  • Policies and procedures for vendor oversight

  • Contracts or agreements with service providers entered into under the amended rule

  • Policies and procedures addressing proper disposal of customer and consumer information


Retention periods align with existing books-and-records rules for each type of covered institution.


The practical takeaway: it’s no longer enough to do these things. Increasingly, you must be able to prove you did them, years later, with a clear audit trail.


WHAT THIS MEANS IN PRACTICE

For many firms, the amended Reg S-P will require:


  • Updating or drafting incident response plans that account for 30-day individual notification

  • Building clear workflows between IT, compliance, legal, and business leadership

  • Updating vendor due-diligence questionnaires, contracts, and monitoring practices

  • Implementing or enhancing logging, monitoring, and ticketing systems to support investigations and record keeping

  • Training staff on new escalation and communication procedures


This is where Roark Tech Services comes in.


HOW ROARK IS PREPARED AND HOW WE HELP CLIENTS PREPARE

Roark Tech Services already operates with a controls framework that aligns with SOC 2 Type 2, NIST, and HIPAA security principles. That means many of the elements Reg S-P now mandates (safeguards, incident response, vendor oversight, data disposal, and detailed documentation) are already embedded in how we design, operate, and monitor client environments.


Here is how we translate that into concrete support for firms subject to Reg S-P:


PRACTICAL NEXT STEPS


The amended Reg S-P is more than a privacy update. It is a signal from the SEC that data protection and breach response are now core supervisory expectations for financial institutions, not optional enhancements.


For firms that already take security and governance seriously, the path to compliance is manageable, but it still requires focused work, coordination with vendors, and disciplined documentation. For firms that have delayed formalizing incident response or vendor oversight, this is the moment to catch up.


Roark Tech Services stands ready to:


  • Assess where you stand

  • Design and implement the controls and documentation regulators now expect

  • Integrate Reg S-P compliance into a broader, risk-managed technology strategy


This post is not legal advice, and your counsel should remain at the table.


But when it comes to the technology, the workflows, and the discipline needed to meet these new obligations, Roark can be your partner from design through execution.


If your firm is covered under Reg S-P, or relies on vendors who are, it is time to ensure your safeguards, incident response, vendor oversight, and record keeping are not just “good,” but regulator-ready.

Founded in 1998, Roark Tech Services is a boutique firm dedicated exclusively to supporting small businesses with expert IT solutions. If your business wants to ensure readiness for Reg S-P, we’re here to help you.


At Roark Tech Services, we provide White Glove personalized technology services, delivering tailored, fit-for-purpose solutions designed to meet your unique needs.


If you don’t have a trusted IT partner for reliable support and strategic guidance, we’d love to help.

