Welcome back to the Compliance In Context podcast! On today’s show, we will be serving up everything you need to know about Regulation S-P and the upcoming compliance date for many firms—what are the new requirements, what are firms doing to prepare, and best practices on implementation.  To help guide us through the conversation, we are very pleased to welcome in Kristin Snyder and Charu Chandrasekhar from Debevoise Plimpton. In our Headlines section, we review the 2026 Examination Priorities from the SEC Division of Exams, and finally, we close up today with another installment of History Has Your Back, where we examine what an old quote from an NBA superstar can teach us about conducting annual compliance reviews and the compliance profession.

Show

Headlines

Interview with Kristin Snyder and Charu Chandrasekhar

History Has Your Back

Quotes

09:00 – “So the amendments, which went into effect in May of 2024. And then as we've all noted, the compliance dates are coming up for large institutions on December 3rd and then for smaller institutions later in the year into 2026 in June. The amendment is actually required, and have brought to bear, a number of significant changes. At a very high level, they now require under the amended reg SP covered institutions and the covered institutions are defined to include broker-dealers, registered investment companies, registered investment advisors, funding portals, and transfer agents must now adopt a formal incident response program and have written policies and procedures that are reasonably designed to detect and respond to and recover from any unauthorized access to or use of customer information. There's a notification requirement that now exists if sensitive customer information was or was reasonably likely to have been accessed or used with that authorization. And I think that the notification provisions are really what's significant for firms, because that notification has to be made as soon as practicable, but no later than 30 days after the advisor becomes aware of a breach.” – Kristen

15:00 – “We've seen it actually done in a combination in which you see a lot of compliance manuals have a section on privacy, on cybersecurity. There's usually a reference to Reg S-P and its obligations. But then actually to implement the reg, the policies and procedures need to live in several different areas, like incident response. That's pure cybersecurity. And so you're likely going to have cybersecurity specific procedures in terms of just drafting the notice, getting it out to customers, making sure it's out the door within 30 days.” – Charu

18:09 –  “Some of the information that I think is meant to be safeguarded (so customer information that is covered by S-P) may not necessarily be a required record, you know, book and record under the Advisers Act. And so you're very, you know, you're correct that I think with disposal, you want to have secure methods in place. – Kristen