How to Right-Size Your Cybersecurity Program Under the New Reg S-P Amendments

The compliance deadline for the Securities and Exchange Commission's amended Regulation S-P is fast approaching, requiring financial institutions to meet new safeguards for customer data privacy and incident response.

With the updated Regulation S-P (Safeguards Rule) finalized in May 2024, many advisers are working through how to build a practical, scalable cybersecurity program that meets the new requirements without overengineering the solution.

What the amended rule actually requires

Compliance dates:

  • Firms ≥ $1.5B AUM: December 3, 2025

  • Firms < $1.5B AUM: June 3, 2026

Core requirements:

  1. Written Policies & Procedures – Administrative, technical, and physical safeguards to protect customer information

  2. Incident Response Program – Detect, respond to, and recover from unauthorized access or use

  3. Vendor Oversight – Ensure service providers safeguard customer information and notify you within 72 hours of a breach

  4. Breach Notification to Individuals – Within 30 days if sensitive customer information is accessed (unless you determine there's no likelihood of substantial harm)

  5. Recordkeeping – Documentation of compliance decisions, incidents, investigations, and notifications

  6. Proper Disposal Controls – For customer information and records

  7. Form ADV Reporting – Continue reporting cybersecurity risks and incidents annually

What's NOT in the final rule:

The final rule is significantly more reasonable than the 2023 proposal. Here's what was removed:

  • 48-hour SEC reporting

  • Prescriptive technical control mandates (e.g., required MFA or EDR)

  • Board oversight requirements

  • Specific cybersecurity governance structures

These were in the withdrawn proposal — they are not law.

A practical approach to building your program

Focus on these five steps:

  1. Risk assessment – Build a process for identifying, analyzing, and evaluating threats and vulnerabilities to your organization’s security, so you can determine the likelihood and impact of a security breach.

  2. Written policies – Cover the seven requirements, but make them match what you actually do. A 10-page policy backed up with evidence that your infrastructure and endpoints are compliant beats a 50-page policy you don't comply with.

  3. Incident response plan – Who notices something's wrong? Who gets notified? What happens next? When do we notify clients?

  4. Vendor management – Identify which vendors actually access customer information. Ensure contracts require 72-hour breach notification. Review their security practices annually.

  5. Document your decisions – Keep a simple set of cybersecurity program documentation, including the items above, and update it annually. The SEC wants to see thoughtful decision-making, not perfection.

Right-size to your firm

A solo adviser and a 50-person firm will have very different programs. A 50-person firm and a 500-person firm will also have very different programs. That's all appropriate and acceptable. The SEC has explicitly stated they expect programs scaled to firm size and complexity.

What matters: You understand your risk, you've implemented reasonable safeguards, you have a plan for incidents, and you can show your work.

The key is building a program that's proportional to your firm's size, complexity, and actual risk profile.
