Registered investment advisers should pay particular attention to the upcoming Regulation S-P changes.
Many RIAs operate with lean compliance teams, significant reliance on third-party technology platforms, and decentralized data environments. The amended rule directly targets those operational realities. Firms that assume vendor protections are sufficient, or that rely on informal internal processes, may find themselves exposed during examination.
Financial firms are now entering the final phase of compliance with the SEC’s amended Regulation S-P privacy rule. The amendments significantly expand expectations around incident response, customer notification, and service provider oversight, reflecting today’s cybersecurity realities and the operational risks that come with outsourced technology.
What was once a largely principles-based privacy rule is now a structured framework requiring documented, tested, and repeatable processes. Firms relying on informal practices or unwritten assumptions, particularly around vendor responsibility, face increased examination exposure.
Overview
In May 2024, the SEC adopted amendments to Regulation S-P to modernize safeguarding requirements for investment advisers, broker-dealers, and other covered institutions. The changes were driven by the growth of cloud platforms, remote access environments, and increasingly complex cybersecurity events.
The amended rule introduces three major requirements:
- a written incident response program;
- a federal customer notification requirement within 30 days; and
- enhanced service provider oversight.
Large firms were required to comply by December 3, 2025. All other covered firms must comply by June 3, 2026.
Regulatory direction
Regulation S-P has been in effect since 2001. However, the SEC determined that the original rule did not sufficiently address modern data-sharing environments or vendor-driven risks.
The amended rule reflects what examiners have already been signaling for several years:
- informal processes are no longer sufficient;
- documentation must support decisions; and
- firms remain responsible for customer data even when third parties are involved.
The SEC is not measuring firms by size. It is measuring whether policies are operational, consistently followed, and defensible in hindsight.
Determining your deadline
Covered firms must determine which compliance date applies based on objective criteria. The earlier deadline applies to larger entities, including:
- investment advisers with $1.5 billion or more in AUM;
- broker-dealers with $500,000 or more in net capital; and
- investment companies with $1 billion or more in net assets.
Examiners may ask how the firm determined its deadline. That analysis should be documented and tied to the firm’s most recent Form ADV, FOCUS report, or other applicable filings.
State privacy alignment
The amended Regulation S-P framework aligns closely with established privacy regimes in Massachusetts and California. The underlying principles are consistent: protect personal information, implement reasonable safeguards, prevent unauthorized access, and respond appropriately to breaches.
Firms that already maintain a Massachusetts-compliant Written Information Security Program are often part of the way there. However, the federal 30-day notification requirement and certain state-specific obligations may require adjustments.
Written incident response programs
The most operationally significant change is the requirement to adopt and implement a written incident response program designed to detect, respond to, and recover from unauthorized access to or use of customer information.
The program must address detection, escalation, investigation, containment, notification decision-making, documentation, service provider coordination, and periodic testing.
In practice, this means firms must move beyond informal remediation. In a phishing or credential compromise event, the firm must document how access was evaluated, who participated in the assessment, whether notification was required, and what remediation steps were taken.
The SEC’s focus is not perfection. It is whether the firm has a repeatable process that functions in real time.
Federal customer notification requirement
If a firm determines that sensitive customer information was accessed or used in a manner triggering notification, affected individuals must be notified as soon as practicable, but no later than 30 days after that determination.
This requirement applies even when the incident originates with a vendor. If a service provider reports unauthorized access, the firm must assess impact and determine whether notification is required.
We are seeing firms lose valuable time during incidents simply because roles are not clearly defined. The 30-day clock leaves little room for internal confusion.
Service provider oversight
Outsourcing does not transfer regulatory responsibility.
Firms must take reasonable steps to ensure service providers safeguard customer information and report incidents promptly. That includes identifying vendors with access to sensitive data, risk-tiering them, documenting due diligence, and monitoring for red flags.
CRM breaches, cloud storage misconfigurations, and ransomware incidents involving document management systems are now common examination scenarios. In each case, the firm must demonstrate how it evaluated risk and made its notification decision.
Risk assessments: the starting point
Effective Regulation S-P programs begin with a structured risk assessment. Firms should understand what customer data they hold, where it resides, who has access, and what triggers escalation.
Assessments typically evaluate technology risk, human risk, vendor exposure, and regulatory impact. Many firms leverage established frameworks, such as NIST guidance, combined with tailored compliance documentation.
Monitoring and AI tools
Many firms are strengthening safeguards with monitoring technologies that flag unusual access patterns, prevent transmission of sensitive information outside of approved channels, and monitor vendor activity.
These tools enhance detection. They do not replace human oversight. Alerts must be reviewed, determinations documented, and supervisory accountability maintained.
When implemented correctly, monitoring systems improve both response time and examination defensibility.
Key takeaways
- Regulation S-P now requires documented and tested programs.
- Notification determinations must be timely and well supported.
- Vendor oversight must be structured and documented.
- Accountability applies regardless of firm size.
- Preparation now reduces exam risk later.
Janaya Moscony and Leigh Wittick spoke to GRIP about how financial institutions can demonstrate compliance with the many components of Reg S-P.
Janaya Moscony, president, SEC3. As a former SEC regulator, Janaya has significant experience in the examination, implementation, and enforcement of securities regulations. Contact: janaya@sec3compliance.com