When scanning CIFS shares, does the scan need "write" permissions to reset the last access date, or are "read" credentials sufficient?
The last access date cannot be preserved on files that are write-protected, either by the read-only attribute or by a restrictive NTFS security permission: "Write Attributes".
Therefore, the scan user must have the "Write Attributes" permission and the file must not have the read-only attribute set.
Whether DLP can reset the last access date depends on both the share permissions and the NTFS (folder) permissions. The more stringent of the two is applied. So if the share permission is read-only, users cannot modify files in the folder even if the folder (NTFS) permissions allow it. Similarly, if the folder (NTFS) permission is read-only, the user cannot modify the file even if the share permissions grant Change or Full Control.
Resetting the last access date incurs additional overhead that may impact backup and archive performance. The last access date should be reset only if you are using another application, such as a backup and archival application, that relies on accurate last access dates.
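
To find the files on a share where the conditions above are not met, an administrator can run a check like the following on the file server. This is an added example, not part of the DLP product; the share name and identities are placeholders, and the script matches only ACEs that name the listed identities directly, so the scan account's groups must be supplied by hand.

```powershell
# Added example (not product code). Run elevated on the server that hosts the share.
param(
    [string]   $ShareName  = 'ExampleShare',                 # placeholder share name
    # Placeholder identities: the scan account plus the groups it is a member of.
    [string[]] $Identities = @('EXAMPLE\svc-dlp-scan', 'EXAMPLE\DLP-Scanners')
)

$share = Get-SmbShare -Name $ShareName

# Share level: a Read-only grant cannot modify files; Change or Full is required.
$shareAces  = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -in $Identities }
$shareDeny  = [bool]($shareAces | Where-Object { "$($_.AccessControlType)" -eq 'Deny' })
$shareAllow = [bool]($shareAces | Where-Object {
    "$($_.AccessControlType)" -eq 'Allow' -and "$($_.AccessRight)" -in 'Change', 'Full' })
$shareOk    = $shareAllow -and -not $shareDeny

$need = [System.Security.AccessControl.FileSystemRights]::WriteAttributes

Get-ChildItem -LiteralPath $share.Path -File -Recurse | ForEach-Object {
    # NTFS level: look for "Write Attributes" in ACEs that name the identities.
    $rules = (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -in $Identities }
    $deny  = [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Deny'  -and ($_.FileSystemRights -band $need) -eq $need })
    $allow = [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $need) -eq $need })
    $ntfsOk = $allow -and -not $deny

    # Report only files where the last access date could not be reset.
    if (-not $shareOk -or -not $ntfsOk -or $_.IsReadOnly) {
        [pscustomobject]@{
            File            = $_.FullName
            ShareAllowsEdit = $shareOk
            WriteAttributes = $ntfsOk
            ReadOnlyFlag    = $_.IsReadOnly
        }
    }
}
```

An empty result means no blocking condition was found for the identities supplied; any row names the file and which of the three conditions fails.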