With just two months left before the December 3, 2025 compliance deadline, the SEC has made one thing clear: the updated Regulation S-P is moving forward on schedule.
On September 25, the SEC held the first in a three-part series of compliance outreach events focused on helping larger advisers—those with more than $1.5 billion in AUM—prepare for implementation. What began as a privacy rule has now evolved into a comprehensive cybersecurity and incident response requirement.
Advisers hoping for an extension instead received a reminder of what’s expected under the new framework. The revised rule calls for firms to:
- Inventory and map data to understand who has access to sensitive customer information and where it resides
- Strengthen incident response plans to cover detection, recovery, and breach notification within a 30-day timeframe
- Document forensic analyses to justify when incidents are not reportable
- Conduct ongoing vendor oversight, including 72-hour incident reporting requirements
These updates mark a significant shift in how firms are expected to demonstrate readiness. Regulators will expect proof—well-documented processes, not promises.
Salus GRC has prepared a complimentary guide with practical steps to help firms prepare for the new rule: Understanding the Reg. S-P Requirements →
For questions or assistance as your firm approaches the deadline, contact Salus GRC.