
U.S. SEC Regulation S-P: Compliance Deadline Approaching for Smaller Entities
The U.S. Securities and Exchange Commission has issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which became effective on August 2, 2024 (the Final Amendments). For smaller entities, including registered investment advisers with less than $1.5 billion in assets under management, as well as certain broker-dealers and other SEC-regulated entities, the compliance deadline is June 3, 2026. The compliance deadline for larger entities was December 3, 2025. For a full list of entities required to comply, please see the June 4, 2024 Sidley Update.
UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now
The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also published PS7/26 alongside Supervisory Statement SS1/26 and an update to SS2/21. PS26/2 and PS7/26 introduce a new UK framework for reporting serious operational incidents and material third-party arrangements. The framework was developed by the FCA, PRA, and the Bank of England and is intended to give the regulators better visibility of operational disruption and third-party dependencies and to support a more data-driven supervisory approach.

Chambers 2026 Global Practice Guide for Cybersecurity
The Chambers Global Practice Guide for Cybersecurity 2026 has been published. The guide provides the latest legal information on cybersecurity law and regulation, including in relation to critical infrastructure, financial sector operational resilience, cyber-resilience, and ICT certification. The guide also covers the intersection of cybersecurity with data protection law, developments in AI and healthcare regulation.
Regulatory Update: National Association of Insurance Commissioners Spring 2026 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Spring 2026 National Meeting (Spring Meeting) March 22–25, 2026. This blog post summarizes the highlights from this meeting as well as from interim meetings held in lieu of meeting during the Spring Meeting. Highlights include progress on addressing regulatory concerns related to indexed annuity illustrations, establishment of a new working group on market conduct modernization, exposure of a risk-based capital (RBC) adjustment framework for collateral loans, a Securities Valuation Office (SVO) report on resource strain caused by increased Private Letter Rating filings, multiple revisions to statements of statutory accounting principles (including guidance on sale-leasebacks, repurchase agreements and residential mortgage loans held in statutory trusts, and proposed disclosures for funding agreement-backed financing programs), and updates on the pilot phase of the AI Systems Evaluation Tool.
The New Cyber Doctrine of the United States: The Trump Administration Issues Cyber Strategy and Executive Order Targeting Cybercrime
On March 6, 2026, the Trump Administration released President Trump’s Cyber Strategy for America, and an Executive Order targeting cyber-enabled crime, fraud, and predatory schemes. Together these documents do more than merely outline the Administration’s response to cyber threats; they articulate a new cyber doctrine centered on imposing costs on adversaries and mobilizing both government and private-sector capabilities at scale.
Congress Considers Right to Repair Bill for Vehicle Owners
Last week, the House Energy and Commerce Committee voted to send the Right to Equitable and Professional Auto Industry Repair (REPAIR) Act to the full U.S. House of Representatives for consideration. This legislation, if enacted, would give car owners access to their vehicle-generated data and repair data and tools from vehicle manufacturers. It would also grant owners certain rights over the use of that data, including the right to delete it, and would prevent recipients of vehicle-generated data from selling, transferring, or licensing that data absent certain exceptions. As indicated by its name, the REPAIR Act is reflective of the so-called “right to repair” movement to allow consumers and independent repair shops access to the same data for repair and maintenance that manufacturers make available to themselves or franchised dealers. It also has important implications for data privacy in modern vehicles, which generate increasingly large volumes of information.

Geopolitics and Cybersecurity: Japan and the UK Announce Strategic Cyber Partnership Among Growing Global Focus on Privacy and Cyber Risks Posed by Foreign Actors
On January 31, 2026, the governments of Japan and the United Kingdom announced they were strengthening their cybersecurity collaboration through a bilateral Strategic Cyber Partnership (Partnership).

The 12th Edition of Lexology In-Depth: Privacy, Data Protection and Cybersecurity is now available
The 12th edition of Lexology In-Depth: Privacy, Data Protection and Cybersecurity (formerly The Privacy, Data Protection and Cybersecurity Law Review) provides an incisive global overview of the legal and regulatory regimes governing data privacy and security. With a focus on recent developments, it covers key areas such as data processors’ obligations; data subject rights; data transfers and localisation; best practices for minimising cyber risk; public and private enforcement; and an outlook for future developments. A number of lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law.
FINRA Issues 2026 Regulatory Oversight Report
On December 9, 2025, the Financial Industry Regulatory Authority (FINRA) released its 2026 Annual Regulatory Oversight Report (2026 Report). The nearly 90-page report highlights emerging risks — including cybersecurity, data privacy, and generative AI (GenAI) — and offers tools and best practices for member firms. It also reemphasizes the perennial focus areas of Regulation Best Interest (Reg BI) compliance, third-party vendor management, best execution, consolidated audit trail (CAT), and compliance with the financial responsibility rules. Below are key takeaways, followed by a deeper dive into notable areas of focus, for some of the topics most relevant for broker-dealers.
Data Protection in Financial Services Week 2025 – Webinar Recordings Now Live
Data Protection in Financial Services (DPFS) Week 2025 consisted of a series of webinars featuring industry leaders who offered invaluable insights on balancing AI with privacy, cybersecurity, and regulatory challenges within the financial services industry. DPFS Week was relevant to all those in financial services, including those in banking, insurance, fintech, funds, payments, private equity, securities, wealth management, and other sectors.

