A new webinar from the SEC is a warning shot. It is not a courtesy invitation.
On September 25th, the SEC will host a special webinar for large firms focused entirely on Regulation S-P compliance. This is the first in a new series of enforcement-aligned outreach events.
The goal? To walk firms through the newly amended Regulation S-P requirements that were adopted in 2024. While the SEC is framing this as “compliance outreach,” the subtext is clear. The window for ignoring or underestimating these requirements is officially closed.
For RIAs, broker-dealers, and financial firms that handle sensitive customer data—especially those in the mid-size to large category—this is not optional education. It is a final boarding call before the examiners arrive.
Let’s break down what this means, what’s really going on behind the SEC’s outreach language, and what your firm needs to be doing now to prepare.
What Is Regulation S-P?
Regulation S-P is not new. It is the SEC’s rule for protecting customer data, governing everything from privacy notices to data breach responses and information safeguard protocols. In 2024, the rule was significantly amended to account for:
- The explosion of digital communication and third-party tools
- Growing cyberattack frequency across the financial services sector
- Ongoing gaps in how firms monitor and protect investor data
These updates are not just clarifications. They are substantive, enforceable requirements that affect how your firm must detect, document, report, and remediate data exposure incidents.
Why the Webinar Is a Signal, Not Just a Session
The SEC says the webinars are tailored to different registrant types. Large firms go first. Transfer agents and smaller firms will follow.
This structure mirrors the compliance deadlines built into the amended rules. Large firms are on the hook first, which is why the September 25th session is only the beginning.
What should this tell you?
- The SEC is signaling that active enforcement begins soon
- If your firm qualifies as “large” and hasn’t acted yet, you are already behind
- If you’re a growing RIA, you may be treated like a large firm sooner than you expect
Keith Cassidy, Acting Director of the Division of Examinations, put it plainly:
“We want to help firms clearly understand the requirements… so we can reach the mutually beneficial goal of improving safeguards.”
In other words, the expectation is clear. Compliance is not optional.
What Will Be Covered and Why It Matters
Here’s what the SEC says it will address in the webinar:
- New Regulation S-P compliance obligations
- What to expect during an SEC examination
- Guidance from the Divisions of Examinations, Investment Management, and Trading & Markets
- Live Q&A for compliance concerns
For RIAs, the most important elements are the exam readiness guidance and the emphasis on incident response. The updated rule requires firms to:
- Detect and respond to data breaches quickly
- Notify impacted clients in a timely and transparent manner
- Maintain documented controls to prevent unauthorized access to client information
If you cannot currently answer the following questions with confidence, this webinar is not just helpful—it is critical:
- Do we have an up-to-date incident response plan?
- How quickly can we identify and disclose a breach?
- Are our vendors aligned with our safeguard policies?
- Do our staff understand their obligations under the new rule?
What Most RIAs Get Wrong About Regulation S-P
The biggest mistake? Treating Regulation S-P like a checkbox.
Many firms issue templated privacy notices, assume the IT vendor has it covered, and move on.
That will not hold up under the 2025 exam protocols.
The updated rule requires real controls, real documentation, and real accountability. The SEC knows exactly what red flags to look for:
- Spreadsheets of client data in unprotected shared drives
- Unmonitored communication on personal devices
- Vague language in written policies
- No simulation or tabletop testing
- Inconsistent vendor oversight
The difference between a firm that survives a data incident and one that becomes a cautionary tale?
Preparedness and proof.
The Audit Mindset Shift: From Reactive to Preemptive
This is no longer about checking boxes. It is about building a system that can withstand scrutiny.
Firms must now adopt an audit-first mindset. That means:
- Clear ownership of compliance tasks
- Real-time monitoring
- Scalable workflows
- Documented action trails
The firms that can demonstrate control will not only pass exams. They will protect client trust and operational integrity in the process.
This Is About Trust, Not Just Rules
Regulation S-P is a technical rule. But the underlying issue is trust.
Can your firm demonstrate that it is capable of protecting sensitive client data—before, during, and after an incident?
If the answer is anything less than a confident “yes,” you have work to do.
What You Should Do Next
✅ Step 1: Register for the SEC Webinar
Even if you’re not technically a large firm, attending will offer critical insight into the exam mindset.
✅ Step 2: Run a Regulation S-P Readiness Check
Ask your team:
- Who owns the incident response plan?
- When was it last tested?
- How do we verify vendor compliance?
- Would we pass an exam next month?
✅ Step 3: Operationalize Your Controls
A written policy is not enough. You need systematized workflows, centralized oversight, and the ability to demonstrate control on demand.
That’s where solutions like Smartria come in.
Final Word: Enforcement Is Coming
The Regulation S-P webinar is not a gesture. It is a signal.
The time to prepare is now. Firms that act will be protected. Firms that wait will be exposed.