SEC Expands Regulation S-P: What Broker-Dealers and Financial Advisors Need to Know
By Jonathan Hall, Esq.
Cybersecurity incidents can expose broker-dealers and their registered representatives to far more than IT annoyances. A serious breach can lead to loss of customer information, financial harm, business disruption, and long-lasting reputational damage. It can also draw regulatory scrutiny, especially where a firm’s written cybersecurity program is incomplete, outdated, or not aligned with how the firm operates.
Several SEC and FINRA rules are implicated when a firm experiences a cybersecurity incident, including SEC Regulation S-P and Regulation S-ID, as well as FINRA Rules 3110 and 4370 and Securities Exchange Act Rules 17a-3 and 17a-4.
Regulation S-ID and Identity Theft Programs
Regulation S-ID requires firms to develop and implement a written program designed to detect, prevent, and mitigate identity theft targeting their customers.
This requirement is particularly relevant as regulators continue to focus on account takeovers, new account fraud, and customer-impersonation schemes.
The SEC’s 2024 Amendments to Regulation S-P
In May 2024, the SEC adopted amendments to Regulation S-P that expand firm obligations around cybersecurity and incident response. Under the amendments, firms must maintain a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
The amendments also require procedures to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. That notice must be provided as soon as practicable, and no later than 30 days after the firm becomes aware that the unauthorized access or use has occurred or is reasonably likely to have occurred.
Larger entities were required to comply with the amendments by December 3, 2025. Smaller entities must comply by June 3, 2026.
FINRA’s Cybersecurity Threat Warnings
FINRA has observed a wide range of sophisticated cybersecurity threats targeting member firms and their customers, including ransomware and extortion events, data breaches, phishing and social engineering attacks, account takeovers, imposter websites, relationship investment scams, and insider threats.
FINRA has also highlighted emerging risks such as AI-enabled fraud and cybercrime-as-a-service, both of which lower the barrier to entry for threat actors and increase the likelihood of sophisticated attacks.
Effective Practices Firms Should Consider
Regulators have increasingly emphasized practical cybersecurity controls, including multi-factor authentication, monitoring for suspicious account activity, training and security awareness programs, tabletop exercises, third-party vendor risk monitoring, and written procedures for responding to imposter domains and social media impersonation.
Conclusion
Cybersecurity compliance is now firmly within the SEC's and FINRA's regulatory domain. With the amended Regulation S-P compliance date already in effect for larger entities and approaching for smaller ones, firms must evaluate whether their written policies, procedures, and incident response plans meet current expectations. Failing to do so may expose firms and their financial advisors to enforcement risk, which comes with a high cost both to the firm's bottom line and to the hard-earned trust of its customers.
If you have questions or concerns about this regulatory framework, have experienced a breach of this kind, or want to discuss how best to protect your customers’ sensitive financial information, please contact a securities attorney at inquiry@galbraithlawfirm.com or 212.203.1249.