Sven Stricker

On May 16, 2024, the Securities and Exchange Commission (“SEC”) unanimously voted to adopt amendments to Regulation S-P (“Amended Regulation S-P”), which were proposed last year. Adopted in 2000, Regulation S-P governs the way SEC-registered investment advisers (“RIAs”) (and certain other financial institutions) protect sensitive customer information such as social security numbers, names, phone numbers, and addresses. For an RIA that manages private funds, this would include the protected information of the fund’s investors. Amended Regulation S-P expands protection of customer information and establishes standards for data breach notification and recordkeeping. 17 CFR § 248.30. Below, we outline a few key takeaways from Amended Regulation S-P as they apply to RIAs. The SEC’s Adopting Release can be viewed here.

Incident Response Program

Amended Regulation S-P requires RIAs to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information. These written policies and procedures must include a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. At a minimum, an incident response program must include the following procedures:

Assessment

Assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization.

Containment and Control

Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.

Notice to Affected Individuals

Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The notice must be transmitted by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing.

Generally, an RIA must provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

The contents of the notice must include, among other things, the nature and date of the incident, the data involved, and means for the affected individuals to contact the RIA. Further, the notice must recommend that the affected individual periodically obtain credit reports from each nationwide credit reporting company and that the individual have information relating to fraudulent transactions deleted.

Oversight of Service Providers

An RIA’s incident response program must also include written policies and procedures designed to provide oversight, including through due diligence and monitoring, of its service providers (broadly defined to include any third party that receives, maintains, processes, or otherwise is permitted to access customer information through its provision of services directly to an RIA). Specifically, the policies and procedures must be reasonably designed to ensure that service providers (1) protect against unauthorized access to or use of customer information; and (2) notify the RIA as soon as possible, but no later than 72 hours after becoming aware of a security breach, so that the RIA can timely notify affected clients and investors.

Although an RIA may require service providers to notify affected individuals on the RIA’s behalf regarding data breaches, the obligation to ensure that affected individuals are notified rests with the RIA.

Recordkeeping

Amended Regulation S-P also includes new recordkeeping requirements, which include creating and maintaining:

  • written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
  • written documentation of any investigation and determination made regarding whether notification to customers is required;
  • written policies and procedures required as part of service provider oversight; and
  • written documentation of any contract entered into pursuant to the service provider oversight requirements.

Updates to Annual Privacy Notice

Current Regulation S-P requires that a “clear and conspicuous” notice of the RIA’s privacy practices be provided to customers annually. Amended Regulation S-P clarifies that this means at least once in every consecutive 12-month period. Nevertheless, the current exceptions to the annual notice requirement (including an exception if the RIA has not changed its policies and practices with respect to disclosing protected information since it last provided a privacy notice to its customers) remain in effect.

Compliance Period

Per the SEC’s Press Release, Amended Regulation S-P will become effective 60 days after publication in the Federal Register. Larger entities (RIAs with $1.5 billion or more in assets under management) will have 18 months after the date of publication in the Federal Register to comply with Amended Regulation S-P, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.

Going Forward

To the extent RIAs do not currently maintain an incident response program, they should work on creating policies and procedures consistent with Amended Regulation S-P. Many RIAs will already have policies and procedures addressing data breach events. For example, many RIAs in Texas must already report data breaches to the Office of the Texas Attorney General if a data breach affects 250 or more Texans. In these cases, RIAs should review and update those existing policies and procedures to meet the compliance deadlines.

Covered institutions should also review their contracts with service providers and update those contracts as necessary to ensure service providers provide notice to the RIA as soon as possible after a data breach event, but no later than 72 hours after a service provider becomes aware of a data breach event.

Finally, RIAs should revisit their recordkeeping protocols surrounding data breach events to ensure those protocols record, maintain, and regularly update compliance efforts regarding Amended Regulation S-P.
