Cybersecurity Advisory – Reminder: SEC Regulation S-P Compliance Date Approaching for Some Member Firms
Impact: All FINRA Member Firms
This Cybersecurity Advisory reminds member firms of the upcoming compliance dates for the SEC’s amendments to Regulation S-P, and announces an upcoming FINRA webinar to assist member firms with their preparation for complying with these amendments. As discussed below, the compliance date for some member firms is Dec. 3, 2025.
Background
The SEC’s Regulation S-P governs the treatment of non-public personal information about consumers by certain financial institutions. On May 16, 2024, the SEC announced the adoption of amendments to Regulation S-P, designed to modernize and enhance the protections the rule provides. The amendments, among other things, will require “covered institutions” (brokers and dealers, funding portals, investment companies, investment advisers registered with the SEC, and transfer agents registered with the SEC or another appropriate regulatory agency) to: (1) develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information; and (2) notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. FINRA published a June 6, 2024, Cybersecurity Advisory with additional details.
FINRA recommends that all member firms review the amendments and update their cybersecurity programs, as needed, to meet the applicable compliance date.
Compliance Dates
The compliance date is Dec. 3, 2025, for “larger” entities and June 3, 2026, for “smaller” entities. Member firms should give careful consideration to which category they fall into for purposes of determining their applicable compliance date. Member firms may wish to refer to the SEC’s final rule release, which includes a chart that may help with such determination (“Table 3: Designation of Larger Entities”). Note that the definitions of “larger” and “smaller” entities do not correspond with FINRA’s definitions of large and small firms, which are characterized by the number of registered representatives at the firm.
November 19 FINRA Webinar on SEC’s Regulation S-P Amendments
To assist member firms with preparation for complying with these amendments, FINRA is hosting a webinar at 1 p.m. ET on Nov. 19, 2025, to provide an overview of the amendments and the compliance dates. Visit FINRA’s website to register.
Additional Information
The SEC published a fact sheet as well as a Small Entity Compliance Guide to help covered institutions understand and comply with the amendments. In addition, the SEC’s Acting Director of the Division of Examinations Keith Cassidy shared his perspectives on the importance of Regulation S-P in protecting customer information during a Cybersecurity: Trends and Building Strong Programs session at the 2025 FINRA Annual Conference, a recording of which is available to FINRA member firms and CRCP graduates.
General guidance for member firms on cybersecurity issues can be found in the Cybersecurity and Cyber-Enabled Fraud, Third-Party Risk Landscape and Technology Management sections of the 2025 FINRA Annual Regulatory Oversight Report. Comprehensive member firm guidance and resources can be found on FINRA’s Cybersecurity Key Topics Page.
Note: This Advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Advisory in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.