
What Financial Firms Still Get Wrong About Reg S-P Compliance


In 2021, SEC enforcement actions sent a clear message to financial firms: weak cybersecurity controls lead to both technology failures and compliance failures. That message has only grown louder since then.

The SEC’s 2026 exam priorities make clear that examinations will assess compliance with Regulation S-P, including policies and procedures, internal controls, incident response programs, and third-party oversight. 

The lingering mistake many firms still make is treating security compliance as a matter of tools, templates, and policy statements. Reg S-P readiness is more demanding than that. It tests whether leadership can show how customer information is safeguarded, how incidents are escalated, how vendors are governed, and how evidence is maintained under scrutiny or attack.

The 2021 Sanctions That Sounded the Alarm

In late August 2021, the SEC sanctioned eight financial services firms across three separate enforcement actions for cybersecurity compliance failures. The Commission said the firms failed to establish and implement adequate cybersecurity policies and procedures.

In those actions, the Cetera entities, Cambridge, and KMS were charged with violating the Safeguards Rule under Regulation S-P after failures that allowed email account takeovers exposing the personal information of thousands of customers and clients. The firms settled for a combined $750,000 in penalties.

With those actions, the SEC made an important point: when safeguards don’t hold up, compliance failures are part of the problem, too.


Why the Stakes Are Higher Now

Compliance failures call into question whether firms can assess, escalate, explain, and defend their response when customer information may be at risk.

Under the 2024 amendments to Regulation S-P, covered institutions must adopt written incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. When sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization, firms must notify affected individuals as soon as practicable and no later than 30 days after becoming aware of the incident, unless they determine the information is not reasonably likely to be used in a way that causes substantial harm or inconvenience. The amendments also expand safeguarding expectations, service-provider oversight, disposal requirements, and recordkeeping obligations tied to compliance.

Today, the stakes of noncompliance include:

  • Exposure of sensitive customer information.
  • Pressure on leadership during incident response.
  • Breakdowns in service-provider coordination.
  • Inability to produce timely, defensible evidence.
  • Exam scrutiny around how safeguards are governed.

This is why a firm can have reasonable security tools and still fail the readiness test. Reg S-P raises questions about whether firms can operate clearly and consistently during an incident.

Practical Implications for Firms

Written safeguards mean very little if they don’t hold up in practice. Firms have less room than ever to rely on assumptions.

1. Written safeguards aren’t enough

A firm can have policies on paper and still be exposed if those policies aren’t clearly implemented, reviewed, and supported by operating discipline. That was the signal in the 2021 SEC actions, and it’s even more relevant now that Reg S-P places greater weight on incident response, service-provider oversight, and records documenting compliance.

Documented intent is not the same as real readiness.

2. Ownership can’t be informal

Readiness collapses when firms treat governance, technology, and execution as separate workstreams. Trouble becomes inevitable when no one knows who owns the next decision or the next evidence request.

Firms need to be explicit about ownership of:

  • Who decides
  • Who escalates
  • Who gathers evidence
  • Who communicates next

Ambiguity in any of those areas can derail an incident response plan.

3. Service-provider issues become your problem fast

Firms often underestimate how quickly a vendor issue can become their own governance problem. Under the amended Reg S-P, oversight of service providers matters because it shapes how quickly leadership can understand exposure and decide what happens next: the rule expects firms to ensure that service providers notify them as soon as possible, and no later than 72 hours after becoming aware of a breach involving customer information, so that the firm's own 30-day clock can be managed.

That means firms should pay attention to due diligence, monitoring, contractual protections, and escalation paths. The SEC’s exam priorities also reinforce that service-provider oversight remains a cross-cutting focus in cybersecurity and customer-information protection.

4. Evidence matters in real conditions

Safeguards aren’t enough if the firm cannot clearly explain how they’re governed, reviewed, and maintained when scrutiny increases.

That’s exactly how a security issue turns into a documentation and defensibility problem. Examiners will want to see not just what the firm says it does, but what it can prove it did.


How This Maps to Reg S-P

Many security compliance failures today reflect gaps in Reg S-P readiness: weak service-provider oversight, unclear notification processes, and evidence that’s fragmented, stale, or hard to assemble quickly.

That’s why the amended rule matters so much. Firms care about security, but they still need readiness models that hold together under pressure. Reg S-P is a test of whether policies, procedures, and controls actually work when things go wrong.

What Firms Should Review Now

To avoid repeating old mistakes in a more demanding Reg S-P environment, firms should review a few things directly.

Start by asking:

  • Are ownership and decision rights explicit, or still assumed?
  • Do service provider contracts, inventories, and escalation paths support fast incident assessment?
  • Can leadership determine quickly whether customer information may be affected?
  • Can the firm produce current, defensible evidence without scrambling?
  • Do written policies match how the program operates today?
  • Have tabletop exercises tested the seams between compliance, operations, and technology?

Honest answers to these questions show how manageable a security event would be today and surface the shortfalls that need immediate attention.

Course-correcting for Reg S-P

The SEC’s enforcement signal is clear, and its expectations are already in play.

For financial firms, the next step is tightening how cybersecurity programs operate day to day. That means making sure ownership is explicit, vendor relationships are actively governed, and incident response plans reflect how decisions actually get made. It also means confirming that documentation keeps pace with the program itself so that when questions arise, the answers are already there.

Reg S-P raises the standard for how firms manage risks they already know about. Firms that align their policies, processes, and documentation now will be better positioned to handle the incidents and examinations ahead.
