
Last month, the U.S. Securities and Exchange Commission (SEC) Division of Examinations released its Fiscal Year 2026 “Examination Priorities.” In this year’s release, the SEC announced that it will begin examining covered investment advisers, investment companies, and broker-dealers for compliance with the amendments to Regulation S-P that, among other things, require them to notify customers of data breaches involving their sensitive customer information within 30 days.
These amendments, adopted on May 16, 2024[1], and commonly known as “Amended Reg S-P,” survived the June 2025 revocation of fourteen rules adopted under the prior SEC Chair, Gary Gensler. Amended Reg S-P not only appears to have survived that wave of rule revocations but now looks set to receive sustained attention from the Division of Examinations in the coming year and beyond. Specifically, in the Examination Priorities, the SEC advises:
In preparation for the compliance dates for the Commission’s amendments to Regulation S-P, the Division will engage firms during examinations about their progress in preparing incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. After the applicable compliance dates, the Division will examine whether firms have developed, implemented, and maintained policies and procedures in accordance with the rule’s new provisions that address administrative, technical, and physical safeguards for the protection of customer information.[2]
While many SEC priorities were revised swiftly and significantly in 2025, cybersecurity remains a focus. This should not be a surprise: one would hope that cyber-risk management endures as an SEC priority regardless of who is sitting in the “Chair.”
The compliance date for Amended Reg S-P was December 3, 2025 for larger entities, and it is June 3, 2026 for smaller entities. The key changes required by the rule are:
Developing and implementing written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
Developing and implementing written policies and procedures providing for service provider oversight, including procedures reasonably designed to ensure that service providers notify the covered institution as soon as possible, and no later than 72 hours after becoming aware of a breach in security involving a “customer information system” the service provider maintains;
Notifying affected individuals (including customers of certain other financial institutions whose information the covered institution holds) as soon as practicable, and no later than 30 days after becoming aware that their “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization; and
Broadening the scope of information covered by the original “Reg S-P,” imposing additional recordkeeping obligations on covered institutions, and providing an exception to the annual privacy notice delivery requirement.
Thus, firms need to be prepared for the Division of Examinations Staff to examine their readiness for Amended Reg S-P. Further, earlier this year, in announcing the priorities for the SEC’s Cyber and Emerging Technologies Unit, the SEC listed “Regulated entities’ compliance with cybersecurity rules and regulations.” That priority, coupled with the Examination Priorities described in this article, shows that, even if SEC Chair Paul Atkins has retired “regulation by enforcement” more generally, cybersecurity remains an area of focus for the Commission.
Foley’s Securities Enforcement & Litigation Practice Group offers deep experience in guiding clients through the types of matters discussed herein. Its more than 50 attorneys, including former SEC, PCAOB, CFTC, and FINRA officials, have advised public companies, audit committees, broker-dealers, underwriters, investment firms, and global market participants. Drawing on decades of regulatory and litigation experience, our team regularly assists clients in responding to examinations and enforcement actions, conducting internal investigations, and advising on supervisory, compliance, and risk management frameworks.