Preparing for the SEC’s updated S-P Regulation: Incident Response, Vendor Risk, and Recordkeeping

In May 2024, the SEC published final enhancements to the existing Safeguards and Disposal Rule to protect sensitive customer and investor information.

The updates establish a federal minimum standard for data breach notifications by broadening disclosure and recordkeeping requirements.  

What you need to know – This isn’t a new rule, but an amendment to an existing rule. 

The amendment to the S – P Regulation is separate from the Disclosure Rule for public companies. This is also separate from the SEC Cyber Rule for Advisors.  

However, it does apply to a broad group of financial entities including: 

  • Brokers 
  • Dealers 
  • Investment companies (including firms that are not registered with the SEC) 
  • Registered investment advisers 

Read: Final Rules:  Enhancements to  Regulation S-P 

Read: Disposal of Consumer Report Information 

Why this is important – The amendment has concrete requirements regarding incident response, mitigate vendor risk, and recordkeeping.  

Incident response 

  • Covered entities must disclose a cyber breach to affected individuals as soon as practical, but no later than 30 days; and 
  • Implement and document a robust incident response program that includes customer and investor notification.  

It’s important to note that covered entities are expected to quickly and thoroughly investigate cyber incidents.  If only non-sensitive data is accessed, notification is not required. If the investigation is inconclusive, the firm must still notify its customers and investors.  

Third-party Vendor Risk  

  • Due diligence and continuous monitoring are required of their service providers.  
  • Incident response plans must incorporate procedures for addressing potential third-party data breaches.  
  • Service providers must notify the covered institution within 72 hours of becoming aware of a cyber breach. 


  • Registered Investment Companies and Unregistered Investment Companies must retain a copy of their policies and procedures for six years, with the first two years in an easily accessible place.  
  • Registered Investment Advisers are required to keep records for five years, ensuring the first two years are easily accessible.
  • Broker-Dealers must retain all records for three years. 
  • Transfer Agents are required to keep all records for three years in an easily accessible location.  

The bigger picture – Managers are feeling increasing pressure to meet various compliance regulations. 

The SEC outlined an 18-month compliance period for larger entities and a 24-month period for smaller entities, allowing ample time for institutions to adapt and ensure full compliance. 

Aside from the amendments to the S – P regulation, public financial companies still need to meet separate requirements outlined by the Public Disclosure Rule. Much of the Alternative Investment space is also awaiting the final SEC Cyber Rule for Advisors.  

Read: SEC Cyber Rule for Advisors vs. the Public Disclosure Rule

Recommended next steps – Drawbridge can help keep your cyber program compliant with current regulations and be prepared to meet evolving compliance requirements.  

Drawbridge is the only cybersecurity vendor that offers independent cyber risk assessments that help Managers map their cyber program against SEC requirements. To book a demo, contact a Drawbridge team member today.