New SEC Cyber Mandates: Brokers’ To-Do List

Introduction

Cyberattacks aren’t just an IT problem anymore—they’re a boardroom problem. And now, with the U.S. Securities and Exchange Commission (SEC) rolling out new cybersecurity rules, they’re squarely a regulatory problem too.
In 2025, the SEC finalized significant updates to Regulation S-P, a privacy rule aimed at tightening data privacy and incident response obligations for broker-dealers, investment advisors, and fund managers. These changes raise the bar on how financial institutions must prepare for, respond to, and disclose cyber incidents.
Even if you operate outside the U.S., these moves signal a global trend: tighter scrutiny on how financial data is protected and how breaches are reported. Similar frameworks are emerging everywhere, from Europe’s Digital Operational Resilience Act (DORA) to Kenya’s Data Protection Act (DPA).

What’s Changed Under the New SEC Rules?

At the core of the updates are three big shifts:
1. Mandatory Incident Response Programs
  - Firms must now have documented plans detailing how they’ll detect, respond to, and recover from cybersecurity incidents; vague policies no longer suffice.
2. 30-Day Breach Notification Requirement
  - If sensitive customer information is compromised, affected clients must be notified within 30 days, a clear, enforceable timeline.
3. Heightened Third-Party Oversight
  - You’re responsible not only for your systems, but also for how your vendors protect client data. This includes ensuring third parties meet your compliance and security standards.

The bottom line is that regulators want financial institutions to be able to prove, at any time, that they have actively prepared for cyber threats and can minimize damage if, or more likely when, an incident occurs.

Why Should Kenya’s and Africa’s Financial Firms Care?

Because regulation doesn’t stop at borders. Global banking partners and investors are increasingly demanding proof of incident readiness and robust data protection. Kenya’s Office of the Data Protection Commissioner (ODPC) is also enforcing tighter breach notifications and audits.
Failing to meet international standards could jeopardize cross-border deals, raise compliance costs, or even block market access.

5 Practical Moves to Get Ahead

Below I break down the five approaches I consider most forward-looking for responsible entities in light of these global shifts:
1. Develop or Update Your Incident Response Plan (IRP)
  - Your IRP should clearly lay out detection, containment, eradication, recovery, and communication steps. It should be tested regularly, not left to sit on a shelf.
2. Map and Secure Customer Data
  - Know exactly where customer data lives, who accesses it, and how it’s protected. This speeds up both incident containment and regulatory reporting.
3. Enforce Strong Vendor Contracts and Audits
  - Third-party breaches are still your responsibility. Include cybersecurity clauses in contracts and perform regular vendor assessments.
4. Implement Automated Breach Detection and Reporting Tools
  - Tools that flag anomalies, log suspicious activity, and even prepare draft notifications help meet tight deadlines like the SEC’s 30-day rule.
5. Run Tabletop Exercises
  - Walk your team through a simulated breach scenario to expose gaps in your plan and communication flows.

Conclusion

Regulatory compliance and cybersecurity are no longer separate tracks. The SEC’s new rules are a wake-up call to secure customer data, plan for breaches, and prepare to prove it.
Even for Kenyan financial institutions that don’t directly fall under U.S. jurisdiction, the global tide is moving this way. Staying ahead of compliance isn’t just about avoiding fines, it’s about building trust with clients and partners who need assurance that their data is safe.
