U.S. SEC Regulation S-P and Checklist: Compliance Deadline, December 3, 2025, Approaching for Large Entities

On May 16, 2024, the U.S. Securities and Exchange Commission (SEC or Commission) issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which became effective on August 2, 2024 (the Final Amendments). The deadline for larger entities to comply with the Final Amendments is December 3, 2025, and for smaller entities, June 3, 2026.

At a high level, Regulation S-P sets forth requirements around the treatment of nonpublic personal information about consumers. The Final Amendments amend Regulation S-P requirements, generally, as they relate to “customer information” of “covered institutions.” Pursuant to the Final Amendments, “covered institution” generally is defined to include any brokers, dealers, investment companies, registered investment advisers, funding portals, and registered transfer agents as further specified in the regulation. The Final Amendments also address, among other things, the scope of written policies and procedures reasonably designed to safeguard customer information, incident response, notice of incidents involving sensitive customer information, service providers, recordkeeping, information disposal with regard to both customer information and “consumer information” as defined in the regulation, and annual privacy notices. The Final Amendments are complex and mandate a careful review of, and potentially significant updates to, existing policies and procedures for organizations otherwise subject to Regulation S-P.

Below is a high-level outline and checklist to guide you as a “final check” before the compliance deadlines. This document serves merely as a guide and is not meant to be legal advice or a replacement for legal advice. Sidley’s Privacy and Cybersecurity and Securities Enforcement and Regulatory teams can assist you on an expedited basis with any questions you may have related to the Final Amendments, including assisting you with developing a compliance and risk management program or updating components of any existing program, to address the requirements of Regulation S-P and the Final Amendments.

For summary definitions of “covered institution,” “customer information,” “financial institution,” “sensitive customer information,” and “service provider,” please refer to Appendix A to this checklist. A version of the checklist in table format that may be useful to complete while addressing the requirements of Regulation S-P is attached at Appendix B.

Do the Final Amendments to Regulation S-P Apply to Your Organization?

Is your organization a “covered institution” under the Final Amendments to Regulation S-P? Are you a registered investment adviser, broker, dealer, investment company, funding portal, or registered transfer agent?

If you have answered “yes” to these questions, your organization is within scope for the Final Amendments. You should continue through the checklist below.

To view the full checklist, click here.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.