Last month, the Securities and Exchange Commission (the SEC or the Commission) unanimously voted to adopt amendments to Regulation S-P (Reg S-P), which is the SEC’s regulation governing the treatment and safeguarding of customers’ nonpublic personal information. The amendments apply to broker-dealers, investment companies, registered investment advisers and transfer agents registered with the SEC or with another appropriate regulatory agency (collectively, covered institutions) and cover three main areas, discussed in more detail below: (1) a new requirement to design an “incident response program” to detect, contain and control unauthorized access to or use of customer information; (2) an expanded scope of information and entities covered by Reg S-P’s safeguarding and disposal requirements; and (3) new recordkeeping requirements for covered institutions. Covered institutions will be subject to the new rules either 18 months after publication in the Federal Register, if the covered institution is a “larger entity,” or 24 months after publication, if the covered institution is a “smaller entity.” The amendments were published in the Federal Register on June 3, 2024.