June 7, 2026
9 min read

SEC Regulation S-P: Requirements, Deadlines & Safeguards (2026)

What SEC Reg S-P requires after the 2024 amendments — written incident response, 30-day breach notice, the vendor 72-hour rule, and the data safeguards that satisfy it. Plus how Strac helps you discover, protect, detect, and prove it.


TL;DR

  • Reg S-P is the SEC's rule — built on the Gramm-Leach-Bliley Act — that requires financial firms to keep customers' nonpublic personal information (NPI) private and safeguarded.
  • The May 2024 amendments added real teeth: a written incident response program, 30-day customer breach notification, service-provider oversight with a 72-hour vendor-notice rule, and new recordkeeping.
  • Who's covered: broker-dealers, SEC-registered investment advisers (RIAs), investment companies, and transfer agents.
  • Deadlines: larger entities (≥ $1.5B AUM) had to comply by December 3, 2025; smaller entities by June 3, 2026 — that deadline has now passed, and incident response is the first real test.
  • Reg S-P is a data-security problem, not just paperwork. You have to find customer information, protect it, detect unauthorized access, dispose of it properly, and prove all of it. Strac does exactly that — data discovery and classification, real-time redaction, a who-accessed-what audit trail, and the evidence your incident response program needs.

What Is SEC Regulation S-P?

Regulation S-P (often written "Reg S-P") is the Securities and Exchange Commission's privacy and safeguarding rule for the firms it regulates. It implements the Gramm-Leach-Bliley Act (GLBA) for the securities industry and has two long-standing components:

  • The Privacy Rule — firms must tell customers how their nonpublic personal information is collected and shared, and give them a chance to opt out of certain sharing.
  • The Safeguards Rule — firms must adopt written policies and procedures with administrative, technical, and physical safeguards to protect customer records and information.

"Customer information" here means nonpublic personal information (NPI): names tied to account numbers, Social Security numbers, balances, transaction history, and anything else a firm collects to provide a financial product or service. If a broker-dealer or adviser holds it, Reg S-P expects it to be protected — and after 2024, expects the firm to prove it.

If you're comparing privacy regimes, Reg S-P sits alongside the same family of obligations Strac already helps customers meet — GDPR, SOC 2, and PCI DSS — with the SEC as the enforcer.

What Changed: The 2024 Reg S-P Amendments

On May 16, 2024, the SEC adopted sweeping amendments to Regulation S-P, the most significant update to the rule since 2000. Where the original rule was largely about privacy notices, the amendments turn Reg S-P into a modern data breach and incident-response regime (Ropes & Gray, FINRA cybersecurity advisory).

The headline change: covered firms must now detect, respond to, and recover from unauthorized access to customer information — and notify the people affected. "We have a policy" is no longer enough; the SEC made clear that reliance on a vendor without oversight does not transfer the obligation.

Reg S-P Compliance Deadlines: Who Must Comply by When

The SEC set a tiered timeline running from the June 3, 2024 Federal Register publication (Holland & Knight, Proskauer):

| Firm size        | Who                                                                                                | Reg S-P compliance date |
|------------------|----------------------------------------------------------------------------------------------------|-------------------------|
| Larger entities  | Investment advisers with ≥ $1.5B AUM; larger broker-dealers, investment companies, transfer agents | December 3, 2025        |
| Smaller entities | Everyone else covered by the rule                                                                  | June 3, 2026            |

Both deadlines have now passed. For most firms the rule is live today, and examiners will expect to see a working incident response program — not a draft. If your program still lives in a Word document, the gap is operational: can you actually detect unauthorized access to customer information and show what was touched? That's where most firms fall short.

The Reg S-P Requirements, Explained

The amended rule adds four core obligations on top of the existing privacy and safeguards duties.

  1. Written incident response program. You must maintain written policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information — and the program has to actually work, not just exist on paper.
  2. Customer breach notification (the 30-day rule). Once you determine that unauthorized access to sensitive customer information has occurred or is reasonably likely, you must notify affected individuals as soon as practicable, and within 30 days.
  3. Service-provider oversight (the 72-hour rule). You must take reasonable steps to ensure your vendors protect customer information — and contract for notification within 72 hours of a breach at the service provider (ncontracts).
  4. Recordkeeping. You must document the program, the incidents, and the notifications, and retain those records for examination.

The amendments also extend the disposal rule (proper disposal of consumer report information) to more firms, and broaden the definition of the customer information you're on the hook to protect. Two clocks now define an incident: a 72-hour window for vendor notice and a 30-day window for customer notice once you make a determination.

✨ How Strac Helps You Meet Reg S-P

Here's the part the law-firm guides skip: every one of these requirements is, underneath, a data-security problem. You cannot protect, detect, dispose of, or report on customer information you can't see. Strac is built for exactly that — and it spans the full obligation, from finding the data to proving what happened to it.

[Image: How Strac maps to SEC Reg S-P — discover and classify customer information, protect it with real-time redaction, detect unauthorized access with a who-accessed-what audit trail, and produce the evidence the incident response program requires]

| Reg S-P obligation                    | What it really requires               | How Strac delivers it                                                                                              |
|---------------------------------------|---------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| Safeguard customer records            | Know where NPI lives and lock it down | Data discovery and classification across SaaS, cloud, and endpoints — you can't protect what you can't find        |
| Detect unauthorized access/use        | See when customer data is touched     | A who-accessed-what audit trail — every access attributed to a user or AI agent, at the record level               |
| Prevent disclosure                    | Stop NPI from leaving                 | Real-time redaction and masking of customer data in email, chat, files, and AI tools                               |
| Disposal rule                         | Get rid of NPI properly               | Data-lifecycle controls — redact, tokenize, or delete, with proof                                                  |
| Service-provider / 72-hour oversight  | Watch third-party and agent access    | Monitor what vendors and AI agents reach for, in real time                                                         |
| Incident response + 30-day notice     | Determine scope and notify fast       | Scope an incident from the audit trail and hand your Strac Comply program the evidence to notify on time           |

In other words: Strac Comply runs the program and the evidence binder, while Strac's data security is the technical safeguard the rule is asking for. That bundle — discover, protect, detect, prove — is what turns a Reg S-P policy into something you can actually defend in an SEC exam.

✨ Step 1: Discover and Classify Your Customer Information

The safeguards rule starts with a question most firms can't answer: where is all our customer NPI? It's in CRMs, shared drives, email inboxes, support tickets, spreadsheets, and increasingly inside AI tools. Strac continuously scans those surfaces and classifies the regulated data — names tied to accounts, SSNs, financial details — so you have a live map of the NPI you're responsible for.

[Image: Strac data discovery dashboard — continuously scanning connected SaaS, cloud, and endpoint sources and classifying customer PII, financial data, and secrets in real time]

This is the foundation for everything else in Reg S-P: you can't safeguard, monitor, or properly dispose of data you didn't know you had. It's the same data discovery engine Strac customers already use to find and protect sensitive data across 50+ integrations.

✨ Step 2: Detect Unauthorized Access — and Prove It

The 2024 amendments hinge on a verb most policies can't back up: detect. To notify affected customers within 30 days, you first have to know their information was accessed — and to satisfy an examiner, you have to show it.

Strac writes every access to customer data to an append-only, who-accessed-what audit trail: which user or AI agent, which records, what sensitive data was present, and what action was taken. When something looks wrong, you can scope the incident in minutes instead of reconstructing it after the fact — and the same log is the evidence your Strac Comply incident response program produces for the SEC.

[Image: Strac who-accessed-what ledger — every access to customer information logged and attributed by user or AI agent, with the sensitive data elements detected on each call]

This is exactly the gap firms discover after the deadline: the policy says "detect and notify," but nothing in the stack actually detects. Strac closes it.

Reg S-P Incident Response Plan: From Policy to Practice

A compliant Reg S-P incident response program has to cover four things: detection, response, recovery, and notification (customers within 30 days, vendors held to 72 hours). Most firms have the words; few have the wiring.

Strac gives the program its missing operational half:

  • Detection — real-time monitoring of access to customer information across your stack.
  • Scoping — the who-accessed-what trail tells you exactly whose data was touched, so the 30-day clock starts with facts, not guesses.
  • Evidence — every finding and action is logged and retained for the recordkeeping requirement.
  • Vendor oversight — monitor what third parties and AI agents reach for, so the 72-hour rule isn't just a contract clause.

Want a head start on the written program? Talk to Strac and we'll walk through a Reg S-P incident response plan template mapped to your stack.

🌶️ Spicy FAQs for Reg S-P

What is Reg S-P in simple terms?

Reg S-P is the SEC's rule requiring broker-dealers, investment advisers, and other covered firms to keep customers' nonpublic personal information private and safeguarded. The 2024 amendments added a written incident response program, customer breach notification, and vendor oversight on top of the original privacy and safeguards rules.

Who has to comply with Reg S-P?

Broker-dealers, SEC-registered investment advisers (RIAs), investment companies, and transfer agents. The 2024 amendments extended several requirements — including the disposal rule — to transfer agents for the first time.

What is the Reg S-P compliance date?

Larger entities (investment advisers with ≥ $1.5B AUM and larger firms) had to comply by December 3, 2025; smaller entities by June 3, 2026. Both deadlines have passed, so the rule is in effect for essentially all covered firms.

What is the Reg S-P 72-hour rule?

It's the service-provider notification requirement: covered firms must contract for their vendors to report a breach of customer information within 72 hours. It pairs with the separate 30-day deadline to notify affected customers once the firm determines unauthorized access occurred.

What is the Reg S-P disposal rule?

The disposal rule requires proper disposal of consumer report information so it can't be reconstructed — for example, securely deleting or destroying records you no longer need. The 2024 amendments extended this obligation to more covered firms, including transfer agents.

How is Reg S-P different from GLBA?

Reg S-P is how the SEC implements GLBA for the securities industry. GLBA is the underlying federal law; Reg S-P is the SEC's specific rule (with its own 2024 amendments and deadlines) that broker-dealers and advisers are examined against.

Does Reg S-P require specific software?

No — the rule is technology-neutral. But it requires capabilities most firms don't have out of the box: discovering where customer information lives, detecting unauthorized access, and producing records of it. A data security platform like Strac provides those capabilities directly.

The Bottom Line

The 2024 Reg S-P amendments quietly turned a privacy-notice rule into a data breach and incident-response mandate — and the deadlines are now behind us. The firms that pass their next SEC exam won't be the ones with the best-worded policy; they'll be the ones who can actually find their customers' information, protect it, detect when it's touched, and prove every step.

That's the whole job, and it's what Strac is built for: data discovery and classification, real-time redaction, a who-accessed-what audit trail, and the evidence your incident response program needs. Book a demo and we'll map Strac to your Reg S-P obligations, line by line.
