Navigating the Evolving Cyber Landscape and Regulation S-P

Cybersecurity threats are intensifying—and the regulatory response is evolving just as quickly. In the May edition of the NSCP Currents Live webinar, speakers Amber M. Allen of Eversheds Sutherland, Bryan Smith of FINRA, and Pam Gelormini of MFS Investment Management delivered a high-impact discussion on how compliance professionals can keep pace with today’s cyber threat landscape and prepare for the upcoming Regulation S-P amendments.

Key Highlights:

The Threats Are Evolving—and So Must We
From phishing to deepfakes, panelists outlined how cyber criminals are becoming more specialized, leveraging everything from AI-generated scams to third-party software vulnerabilities. Bryan Smith emphasized the sophistication of today’s attackers—many operating like Fortune 500 companies in structure and scale.

Rising Losses and Cybercrime-as-a-Service
Cybercrime caused an estimated $16.3 billion in losses in 2024, according to FBI reports. Criminal syndicates are increasingly organized, global, and adaptive. They specialize in everything from network infiltration to monetizing stolen data, requiring firms to take a similarly specialized and layered approach to defense.

Regulation S-P: What’s New and What You Must Do
The SEC’s updates to Reg S-P aim to modernize cybersecurity protocols for financial institutions. Highlights include:

  • Mandatory incident response programs
  • Customer breach notifications within 30 days
  • Third-party oversight and 72-hour service provider notification expectations
  • Expanded safeguard and disposal rules
  • Recordkeeping, and conforming Regulation S-P’s privacy notice delivery to the terms of an exception provided by the FAST Act

Tabletop Exercises Are a Must
Pam Gelormini urged firms to regularly run tabletop exercises and customize incident response plans to reflect real-world responsibilities. She and Amber Allen also emphasized the importance of knowing your data landscape—so you can respond decisively in the event of a breach.

Compliance and Legal Intersection
The speakers reminded attendees that data breach reporting obligations vary by state, and AI-specific laws are emerging across jurisdictions. Firms should work closely with legal counsel to document how breach response decisions are made — especially under the new 30-day rule.

Final Word: Adaptability is Essential
From ransomware to quantum computing risks, the panel underscored the need for agility in compliance programs. As Bryan Smith put it: “If we don’t compete with cybercriminals on specialization, we don’t have a shot.”

To receive information like this, stay informed on essential regulatory obligations, and access expert guidance, join NSCP today for access to NSCP Currents and stay up to date on the issues that matter most for the financial services industry. Members can access the webinar here.

You can also be featured on an NSCP Currents Live webinar or in NSCP Currents, the lead compliance publication of the financial services industry. Find out how you can share your experiences, advice, and tried and tested strategies.