Sep 18, 2025
Regulation S-P Amendments: What Financial Institutions and Their Service Providers Need to Know and Actions to Take
If you handle or manage sensitive information—or work with third parties who do—you need to review your agreements and processes now to avoid compliance gaps.

The SEC has issued significant updates to Regulation S-P that expand data protection obligations for financial institutions and their vendors. These new requirements don’t just affect policies—they create contractual obligations that many firms have not faced before.
The deadlines for compliance are not far off. Revising policies and renegotiating contracts can take time, especially across multiple vendors.
Who Must Comply and by When
The amended Regulation S-P applies to “Covered Institutions” which include the following:
Broker-dealers and funding portals
Investment companies
Registered investment advisers
Transfer agents registered with the SEC or another regulator
Deadlines:
Larger Covered Institutions (meeting certain size or activity thresholds) must comply by December 3, 2025.
Smaller Covered Institutions must comply by June 3, 2026.
Key Requirements of the Amended Regulation
Here’s what Covered Institutions need to have in place under the amended regulation:
1. Expanded Scope of Protected Information
Prior to these Amendments, protected information under Regulation S-P was a Covered Institution’s own customer records and information. This applied only to those individuals/entities with whom the institution had an active relationship, and only those types of information defined as nonpublic personal information.
The amended regulation introduces a new defined term, “Customer Information,” which applies to a broader range of data:
Any record containing non-public personal information about a “customer” of a financial institution, in whatever form (paper, electronic, or other).
Includes information of those the institution does not have a direct relationship with, such as information received from other financial institutions about their own customers or former clients/individuals.
Applies to former clients and other persons whose relationship with the institution has ended, as long as their information remains under the institution’s control or is still handled or maintained by it.
“Sensitive Customer Information,” such as Social Security Numbers or biometric records, that could be misused to cause financial, reputational, or operational harm if exposed.
2. Vendor Oversight and Third-Party Risk Management
Covered Institutions must take proactive steps to oversee vendors that handle Customer Information. This includes:
Performing initial and ongoing due diligence
Ongoing monitoring of each vendor’s data protection practices with respect to Customer Information
Ensuring contracts require vendors to notify you of any breach within 72 hours of discovery
Note: Even if the vendor provides the direct notification of a breach, ultimate responsibility for compliance rests with the Covered Institution.
3. Incident Response Program
Every Covered Institution must have a written incident response plan designed to detect, respond to, and recover from any unauthorized access to or use of Customer Information.
The plan must:
Identify the nature and scope of an incident
Contain and control the situation to prevent further harm
Include ongoing oversight of vendors or other third parties who have access to sensitive data
4. Notification Requirements
If unauthorized access to Customer Information has occurred—or is reasonably likely to have occurred—you must:
Notify affected individuals or entities as soon as practicable, but no later than 30 days after becoming aware of the incident.
Document your investigation and conclusions, even if you determine notification is not required.
Include specific details in the notice, such as what data was impacted, when it occurred, and how to reach your organization for support.
Exception: If, after a reasonable investigation, you determine there’s no reasonable risk of substantial harm or inconvenience, notification may not be required—but you must keep clear records of your decision.
5. Recordkeeping
You must maintain detailed records of:
All policies and procedures related to safeguards, disposal of data, incident response, and vendor oversight
Every incident of unauthorized access, including how it was addressed and what steps were taken to recover
Any decision not to provide notifications, with supporting documentation
The retention period varies depending on the type and size of Covered Institution.
What to Review in Your Existing Agreements
Covered Institutions must carefully review their vendor contracts to confirm they contain the right protection terms. Contracts must include:
A breach notification requirement obligating vendors to alert you within 72 hours of discovering any unauthorized access
A requirement for the vendor to implement and maintain a comprehensive information security policy, and your right to review or request that policy at any time
Audit and diligence rights, such as access to certifications (e.g., SOC 2 Type II reports), independent assessments, and regular attestations
Provisions clarifying roles and responsibilities if a vendor will assist with notifications to affected individuals or entities, while ensuring you retain final control and accountability
Why This Matters Now
Failing to act ahead of the compliance deadlines creates significant risks:
Regulatory enforcement actions and potential fines
Reputational harm if there’s a breach and gaps are revealed publicly
Operational disruption, especially if vendor contracts need to be renegotiated under tight timelines
How Quadrangle Can Help
Quadrangle helps Covered Institutions prepare for regulatory changes like the Regulation S-P amendments. Our team can:
Review existing vendor contracts to identify gaps under the new requirements
Provide standardized contract language to ensure consistency across vendor relationships
Manage the process of renegotiating agreements to include breach notification provisions, information security protections, and audit rights
By starting now, you’ll have time to address gaps methodically and avoid a rushed scramble as deadlines approach.
Contact us to schedule a discussion with our legal subject matter experts and a demo of our AI-powered technology solution.