In May 2024, the SEC adopted amendments (Amendments) to modernize Regulation S‑P, the agency’s framework for protecting consumer personal information at designated financial institutions (Covered Institutions). The Amendments substantially expand requirements for safeguarding customer information, including mandates to establish written incident response programs, notify customers of data breaches, implement additional service provider oversight and meet new recordkeeping requirements. The Amendments also broaden the scope of Covered Institutions to include all transfer agents, whether registered with the SEC or another appropriate regulatory agency. Large Covered Institutions – including SEC-registered investment advisers with $1.5 billion in assets under management, investment companies with $1 billion in net assets and all broker-dealers that are not small institutions under the Securities Exchange Act of 1934 – were required to be in compliance by December 3, 2025. All other covered institutions must comply by June 3, 2026. The Amendments’ changes pertaining to notice and incident response program requirements will prove particularly challenging for Covered Institutions, including investment advisers. In this guest article, Goodwin partner Kaitlin Betancourt examines those challenges and offers practical compliance guidance. Although large Covered Institutions already may have updated policies and procedures, this article highlights areas in which more preparation might be needed. See “What Regulated Companies Need to Know About the SEC’s Final Amendments to Regulation S‑P” (Aug. 22, 2024).