S6:E5 | Are You Ready For Reg S-P? | Compliance in Context

Welcome back to the Compliance In Context podcast! On today’s show, we will be serving up everything you need to know about Regulation S-P and the upcoming compliance date for many firms—what are the new requirements, what are firms doing to prepare, and best practices on implementation.  To help guide us through the conversation, we are very pleased to welcome in Kristin Snyder and Charu Chandrasekhar from Debevoise Plimpton. In our Headlines section, we review the 2026 Examination Priorities from the SEC Division of Exams, and finally, we close up today with another installment of History Has Your Back, where we examine what an old quote from an NBA superstar can teach us about conducting annual compliance reviews and the compliance profession.

Show

Headlines

• Reviewing the 2026 SEC Examination Priorities

Interview with Kristin Snyder and Charu Chandrasekhar

• Overview of the Reg S-P Amendments
• What are some of the key considerations firm should consider when implementing the new requirements of Reg S-P into their policies and procedures?
• What are some best practices if firms decide to build in the relevant provisions of Reg S-P into other sections of the firm’s compliance manual?
• What about recordkeeping provisions? How does disposal impact other policies and procedures?
• How can firms properly establish vendor risk management in the wake of the new Reg S-P requirements?
• How are firms successfully navigating the 72-hour notification requirements?
• If you were starting a firm from scratch, what are some additional best practices firms should consider when developing their broader information security and cybersecurity framework?
• What can we expect from the exam staff coming out of the shutdown?
• What would we expect the SEC to do now that the rule is live?

History Has Your Back

• Quote from Giannis Antetokounmpo regarding success versus failure at work.

Quotes

09:00 – “So the amendments, which went into effect in May of 2024. And then as we've all noted, the compliance dates are coming up for large institutions on December 3rd and then for smaller institutions later in the year into 2026 in June. The amendment is actually required, and have brought to bear, a number of significant changes. At a very high level, they now require under the amended reg SP covered institutions and the covered institutions are defined to include broker-dealers, registered investment companies, registered investment advisors, funding portals, and transfer agents must now adopt a formal incident response program and have written policies and procedures that are reasonably designed to detect and respond to and recover from any unauthorized access to or use of customer information. There's a notification requirement that now exists if sensitive customer information was or was reasonably likely to have been accessed or used with that authorization. And I think that the notification provisions are really what's significant for firms, because that notification has to be made as soon as practicable, but no later than 30 days after the advisor becomes aware of a breach.” – Kristen

15:00 – “We've seen it actually done in a combination in which you see a lot of compliance manuals have a section on privacy, on cybersecurity. There's usually a reference to Reg S-P and its obligations. But then actually to implement the reg, the policies and procedures need to live in several different areas, like incident response. That's pure cybersecurity. And so you're likely going to have cybersecurity specific procedures in terms of just drafting the notice, getting it out to customers, making sure it's out the door within 30 days.” – Charu

18:09 –  “Some of the information that I think is meant to be safeguarded (so customer information that is covered by S-P) may not necessarily be a required record, you know, book and record under the Advisers Act. And so you're very, you know, you're correct that I think with disposal, you want to have secure methods in place. – Kristen