Preparing for Regulation S-P and takeaways from the SEC’s session at the Incident Response Forum Masterclass 2025


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Competition, Trade and Foreign Investment overview Antitrust and Competition Investigations Antitrust and Competition Litigation Dawn Raids Foreign Investment and National Security Law International Sanctions and Export Controls International Trade Law Merger Control Procurement and State Aid Construction and Engineering Construction and Engineering overview Construction Disputes Contracts and Procurement EPC Project Advisory Corporate and M&A Corporate and M&A overview Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Venture Capital Corporate Crime Corporate Crime overview Anti-Bribery and Corruption Anti-Money Laundering International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Cybersecurity Data Privacy Electronic and Mobile Commerce Information Law Technology Transactions and Sourcing Telecom Services Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Cross-Border Employment and Pensions Diversity, Pay and Discrimination Employee Benefits and Executive Compensation Employment Employment Litigation Global Mobility and Immigration Labor and Industrial Relations Financial Services Regulation Financial Services Regulation overview Asset Management Crypto Assets Derivatives Financial Services Disputes and Investigations Funds Insurance Insurance overview Insurance and Reinsurance Disputes Insurance and Retirement Products, Insurance Distribution Insurance Financing and Capital Markets Insurance M&A, Reinsurance and Restructuring Insurance Regulation and Compliance Insurance Regulatory Investigations and Enforcement Insurance Taxation Insurtech Intellectual Property Intellectual Property overview IP Audits and Assessments IP Litigation IP Transactional Patents Trademarks, Trade Dress and Copyrights Trade Secrets Litigation and Dispute Resolution Litigation and Dispute Resolution overview Class Actions Commercial Litigation Antitrust and Competition Litigation Construction Disputes Energy Disputes Environmental, Health and Safety Financial Services Disputes and Investigations Fraud Insurance and Reinsurance Disputes International Arbitration Procurement Disputes Real Estate Disputes Regulatory Investigations and Enforcement Tax Controversy and Litigation Public and Administrative Law Public and Administrative Law overview Public Procurement and PPP Real Estate and Planning Real Estate and Planning overview Commercial Development and Leasing Corporate Real Estate Planning and Environmental Real Estate Disputes Real Estate Finance Living Strategic Contracts Strategic Contracts overview Contract Modernization Outsourcing Strategic Partnerships Tax Tax overview Acquisitions and Restructuring Business Taxation Employee Benefits and Executive Compensation Real Estate Tax Taxation of Financial Transactions and Institutions Tax Controversy and Litigation VAT/Indirect Taxes Industries Consumer Consumer overview Food and Beverage Luxury Retail and Wholesale Energy Energy overview Clean Energy Energy Regulatory Hydrogen Oil and Gas Power Financial Services Financial Services overview Corporate and Investment Banking Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Governments and Infrastructure overview Governments and Strategic Projects Infrastructure Transportation Industrials Industrials overview Automotive Chemicals Manufacturing and Industrial Engineering Life Sciences and Healthcare Life Sciences and Healthcare overview Agriculture and Medicinal Cannabis and CBD Healthcare Industrial Biotechnology Medical Devices Pharmaceuticals and Biotechnology Research and Development Real Estate Real Estate overview Alternative Assets Multi and Single Family Residential Office and Industrial Real Estate Investment Retail and Mixed Use Transport Related Real Estate Technology & Digital Technology & Digital overview Digital Content Digital Infrastructure Technology Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity and inclusion Environmental sustainability Pro bono Reports Alumni News Careers Global careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Offices Latvia Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English Preparing for Regulation S-P and takeaways from the SEC’s session at the Incident Response Forum Masterclass 2025 Home Resources Insights Home Resources Insights Preparing for Regulation S-P and takeaways from the SEC’s session at the Incident Response Forum Masterclass 2025 Preparing for Regulation S-P and takeaways from the SEC’s session at the Incident Response Forum Masterclass 2025 May 12, 2025 United States United States United States On April 22, 2025, Laura D’Allaird, Chief of the SEC’s Cyber and Emerging Technologies Unit (CETU), participated in the Incident Response Forum Masterclass 2025 (Incident Response Masterclass). In the session, titled “SEC Spotlight: Cyber Regulation and Enforcement,” D’Allaird outlined the SEC’s key areas of focus in the evolving landscape of cyber regulation, including the following priorities: (1) fraud across the emerging technology space; (2) cybersecurity compliance with existing regulations; and (3) other cyber-related misconduct. The Incident Response Forum Masterclass provided timely information as firms consider how to allocate resources in light of the new administration. Eversheds Sutherland Impressions. 1. Fraud Across the Emerging Technology Space Firms that utilize or provide emerging technology should implement controls to ensure investor protection. The SEC will likely apply enhanced scrutiny to firms that use Artificial Intelligence (AI) or emerging technology in a manner that harms investors or diminishes investor confidence. D’Allaird highlighted the SEC’s heightened scrutiny of claims made by firms using AI. Firms should exercise caution when discussing AI and avoid overstating their usage or the features of any AI products offered to clients, as this can lead to "AI washing." Recently, the SEC charged the founder of a privately held technology startup with fraudulently soliciting investments and raising over $42 million through the sale of stock by making false and misleading statements about the company’s AI capabilities. Firms leveraging AI should also be mindful of legal obligations required to use the product. For instance, firms that use AI to process research should establish protocols to ensure compliance with any nondisclosure obligations required to access the AI tool. 2. Cybersecurity Compliance with Existing Regulations Firms subject to cybersecurity regulations, such as Regulation S-P and Regulation Systems Compliance and Integrity (Regulation SCI), should be prepared to demonstrate full compliance during SEC examinations. The SEC adopted amendments to Regulation S-P (Amendments) on May 16, 2024, aiming to modernize and enhance the protection of customer information held by financial institutions. The Amendments address the evolving technological landscape and risks that have emerged since the rule’s original adoption in 2000. Overview of the Amendments Incident Response Program: The Amendments require broker-dealers, investment advisers, investment companies, funding portals, and transfer agents (Covered Institutions) to develop, implement, and maintain comprehensive written policies and procedures for incident response programs. These programs must be designed to detect, respond to, and recover from unauthorized access to customer information. Service Provider Oversight: Covered Institutions must also adopt policies and procedures reasonably designed to oversee and monitor third-party service providers. This includes ensuring that service providers (1) are capable of protecting customer information from unauthorized access, and (2) notify Covered Institutions no later than 72 hours after becoming aware of unauthorized access to customer information. Customer Notification Requirement: In the event of unauthorized access to customer information, the Amendments require the Covered Institutions to notify the affected customers whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, as soon as practicable, but no later than 30 days after becoming aware of the incident. The notice to affected customers must include details about the incident, the nature of the data that was accessed, and guidance on how the affected customers can respond to protect themselves. The Amendments permit a delay if certain requirements are met where the notice poses a substantial risk to national security or public safety. Expanded Scope of the Rules: The Amendments also broadened the scope of information covered by Regulation S-P to include any nonpublic personal information collected from customers or received from other financial institutions. As a result, the amendments expand the group of customers protected by the disposal rule and safeguards rule. Additionally, the Amendments expand the safeguards rule to apply to transfer agents. Recordkeeping and Annual Notice Amendments: Covered institutions, other than funding portals, are required under the Amendments to make and maintain written records documenting compliance with the safeguards rule and the disposal rule. The Amendments also conform Regulation S-P annual privacy notice delivery provisions to codify a statutory exception. Compliance Date: Covered Institutions that are “larger entities” are required to comply with these amendments by December 3, 2025, and Covered Institutions that are not larger entities must comply by June 3, 2026. Notably, industry trade groups¹ recently submitted a request to Chairman Atkins for an extension of compliance dates and asked the Chairman to consider further amendments to Reg S-P to better align with existing federal and state requirements. Nevertheless, firms should continue to prepare to meet the compliance date. 3. Other Cyber-Related Misconduct Firms should continue to prioritize cyber and data security practices to safeguard sensitive customer and investor information and guard against cyber-related misconduct. The SEC will likely be focused on cyber events that threaten market integrity and investor protection. During the Incident Response Masterclass, D’Allaird emphasized various tactics bad actors may use to target firms and customers, including using social media or fake websites to perpetrate fraud, hacking into material nonpublic information (MNPI), and account takeover schemes. D’Allaird’s remarks underscore that cybersecurity is a critical regulatory priority for the SEC, and firms must continue to evolve their defenses to meet emerging threats. Firms that do not implement sufficient measures to protect against these threats may also face regulatory penalties. __________ If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work. ₁_{The request was submitted jointly by the Securities Industry and Financial Markets Association (SIFMA), SIFMA Asset Management Group (SIFMA AMG), American Bankers Association (ABA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), Investment Adviser Association (IAA), Investment Company Institute (ICI), Insured Retirement Institute (IRI), and the Committee of Annuity Insurers (CAI).} The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Services Financial Services Regulation Industries Financial Services Business Topics Artificial Intelligence Key contacts Amber M. Allen Counsel United States Jose L. Gerez Associate New York, United States Latest Insights legal updates Commercially Connected shorts - 3 June 2026 legal updates Global Life Sciences & Healthcare Bulletin legal updates Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts Tax NOLs in Cross-Border Structures Webinar Latest News client news A blueprint for growth: Eversheds Sutherland supports Leonard Design Group restructuring and MBO client news Next stop, public ownership: Eversheds Sutherland advises DfT on GTR transition firm news Eversheds Sutherland strengthens restructuring offering with senior partner appointment firm news Eversheds Sutherland strengthens Commercial Advisory practice with technology partner hire Latest Events virtual \| June 09, 2026 UK employment law training virtual \| June 16, 2026 Nordic (Denmark, Finland, Norway and Sweden) employment law training virtual \| June 23, 2026 virtual \| September 10, 2026 Tabs Label legal updates June 03, 2026 Commercially Connected shorts - 3 June 2026 legal updates June 03, 2026 Global Life Sciences & Healthcare Bulletin legal updates May 29, 2026 Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts May 29, 2026 Tax NOLs in Cross-Border Structures Webinar Legal notices Terms & conditions Privacy notice Cookies LinkedIn Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Offices © Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website.

On April 22, 2025, Laura D’Allaird, Chief of the SEC’s Cyber and Emerging Technologies Unit (CETU), participated in the Incident Response Forum Masterclass 2025 (Incident Response Masterclass). In the session, titled “SEC Spotlight: Cyber Regulation and Enforcement,” D’Allaird outlined the SEC’s key areas of focus in the evolving landscape of cyber regulation, including the following priorities: (1) fraud across the emerging technology space; (2) cybersecurity compliance with existing regulations; and (3) other cyber-related misconduct. The Incident Response Forum Masterclass provided timely information as firms consider how to allocate resources in light of the new administration.
Eversheds Sutherland Impressions.

1. Fraud Across the Emerging Technology Space

Firms that utilize or provide emerging technology should implement controls to ensure investor protection. The SEC will likely apply enhanced scrutiny to firms that use Artificial Intelligence (AI) or emerging technology in a manner that harms investors or diminishes investor confidence. D’Allaird highlighted the SEC’s heightened scrutiny of claims made by firms using AI. Firms should exercise caution when discussing AI and avoid overstating their usage or the features of any AI products offered to clients, as this can lead to "AI washing." Recently, the SEC charged the founder of a privately held technology startup with fraudulently soliciting investments and raising over $42 million through the sale of stock by making false and misleading statements about the company’s AI capabilities.

Firms leveraging AI should also be mindful of legal obligations required to use the product. For instance, firms that use AI to process research should establish protocols to ensure compliance with any nondisclosure obligations required to access the AI tool.

2. Cybersecurity Compliance with Existing Regulations

Firms subject to cybersecurity regulations, such as Regulation S-P and Regulation Systems Compliance and Integrity (Regulation SCI), should be prepared to demonstrate full compliance during SEC examinations.

The SEC adopted amendments to Regulation S-P (Amendments) on May 16, 2024, aiming to modernize and enhance the protection of customer information held by financial institutions. The Amendments address the evolving technological landscape and risks that have emerged since the rule’s original adoption in 2000.

Overview of the Amendments

Incident Response Program: The Amendments require broker-dealers, investment advisers, investment companies, funding portals, and transfer agents (Covered Institutions) to develop, implement, and maintain comprehensive written policies and procedures for incident response programs. These programs must be designed to detect, respond to, and recover from unauthorized access to customer information.

Service Provider Oversight: Covered Institutions must also adopt policies and procedures reasonably designed to oversee and monitor third-party service providers. This includes ensuring that service providers (1) are capable of protecting customer information from unauthorized access, and (2) notify Covered Institutions no later than 72 hours after becoming aware of unauthorized access to customer information.

Customer Notification Requirement: In the event of unauthorized access to customer information, the Amendments require the Covered Institutions to notify the affected customers whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, as soon as practicable, but no later than 30 days after becoming aware of the incident. The notice to affected customers must include details about the incident, the nature of the data that was accessed, and guidance on how the affected customers can respond to protect themselves. The Amendments permit a delay if certain requirements are met where the notice poses a substantial risk to national security or public safety.

Expanded Scope of the Rules: The Amendments also broadened the scope of information covered by Regulation S-P to include any nonpublic personal information collected from customers or received from other financial institutions. As a result, the amendments expand the group of customers protected by the disposal rule and safeguards rule. Additionally, the Amendments expand the safeguards rule to apply to transfer agents.

Recordkeeping and Annual Notice Amendments: Covered institutions, other than funding portals, are required under the Amendments to make and maintain written records documenting compliance with the safeguards rule and the disposal rule. The Amendments also conform Regulation S-P annual privacy notice delivery provisions to codify a statutory exception.

Compliance Date: Covered Institutions that are “larger entities” are required to comply with these amendments by December 3, 2025, and Covered Institutions that are not larger entities must comply by June 3, 2026. Notably, industry trade groups¹ recently submitted a request to Chairman Atkins for an extension of compliance dates and asked the Chairman to consider further amendments to Reg S-P to better align with existing federal and state requirements. Nevertheless, firms should continue to prepare to meet the compliance date.

3. Other Cyber-Related Misconduct

Firms should continue to prioritize cyber and data security practices to safeguard sensitive customer and investor information and guard against cyber-related misconduct. The SEC will likely be focused on cyber events that threaten market integrity and investor protection. During the Incident Response Masterclass, D’Allaird emphasized various tactics bad actors may use to target firms and customers, including using social media or fake websites to perpetrate fraud, hacking into material nonpublic information (MNPI), and account takeover schemes.

D’Allaird’s remarks underscore that cybersecurity is a critical regulatory priority for the SEC, and firms must continue to evolve their defenses to meet emerging threats. Firms that do not implement sufficient measures to protect against these threats may also face regulatory penalties.

__________

If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work.

₁_{The request was submitted jointly by the Securities Industry and Financial Markets Association (SIFMA), SIFMA Asset Management Group (SIFMA AMG), American Bankers Association (ABA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), Investment Adviser Association (IAA), Investment Company Institute (ICI), Insured Retirement Institute (IRI), and the Committee of Annuity Insurers (CAI).}

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.