Understanding SEC Regulation S-P customer information safeguards and how Halbarad helps

Regulation S-P governs privacy and safeguards for customer records and information at covered SEC-regulated entities. It is a privacy and information-safeguards rule, and recent SEC amendments put more emphasis on incident response and notification for unauthorized access to or use of customer information.

Official sources

The SEC's 2024 final rule page describes amendments to Regulation S-P that require covered institutions to adopt written policies and procedures for incident response programs, including procedures to notify affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.

What Regulation S-P is trying to do

Regulation S-P is about protecting customer information and giving customers required privacy protections. Covered institutions need policies and procedures that safeguard customer records and information. They also need an incident response program that can identify unauthorized access or use, assess impact, and support notification where required.

Service providers matter because customer information is often stored, processed, transmitted, or supported by outside parties. The covered institution needs enough visibility to investigate and respond when a service provider incident affects customer information.

What the rule covers

The relevant operating areas include:

  • privacy notices and limits on disclosure of nonpublic personal information;
  • safeguards for customer records and information;
  • written incident response program;
  • assessment of unauthorized access to or use of customer information;
  • customer notification where the amended rule requires it;
  • service provider coordination and contractual support;
  • recordkeeping and evidence for decisions.

What teams need to do

Teams should map customer information to service providers, systems, business owners, contracts, and incident playbooks. A provider record should show whether the provider stores or accesses customer information, what safeguards evidence exists, what incident notice obligations are in the contract, who must escalate an event, and how the institution will get facts quickly enough to assess notification.

The incident workflow is especially important. A covered institution should not be trying to find the right provider contact or contract clause after an event has already happened.

Evidence to maintain

  • Privacy and safeguards policies.
  • Customer information inventory and provider access mapping.
  • Service provider contracts and incident support terms.
  • Provider safeguards evidence and monitoring records.
  • Incident response program and escalation procedures.
  • Incident investigation, unauthorized-access analysis, notification decisions, and remediation.
  • Records supporting privacy notices, safeguards, and rule-required response work.

Common gaps

  • Customer information providers are tracked by business team but not by incident-response owners.
  • Contracts include incident notice language but do not require enough detail for notification analysis.
  • Service provider incidents are handled as security tickets without privacy and Regulation S-P analysis.
  • Provider safeguards are reviewed annually but not after material service or control changes.
  • Records do not clearly explain why notification was or was not required.

How Halbarad helps

Halbarad helps covered institutions keep provider, customer information, safeguards, and incident records connected. It gives teams a place to maintain the provider profile before an event and preserve the decision trail during and after an event.

Halbarad can help teams:

  • identify providers that store, process, or access customer information;
  • collect safeguards evidence and contract support for incident response;
  • monitor provider incidents, outages, advisories, status changes, and trust-center updates;
  • discover downstream providers and concentration exposure;
  • manage incident support evidence, findings, remediation, approvals, and audit trail.

Halbarad helps operationalize Regulation S-P oversight. It does not determine legal notification obligations or replace SEC rule review.

Disclaimer

This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.