On May 16, 2024, the SEC adopted amendments to Regulation S-P that significantly expand the cybersecurity and privacy obligations of registered investment advisers, broker-dealers, investment companies and transfer agents (the rule's "covered institutions"). The amended rules require firms to take specific steps to detect, respond to and recover from unauthorized access to or use of customer information, and the compliance deadlines are approaching quickly.
- Larger entities, such as RIAs with $1.5 billion or more in assets under management and registered funds with $1 billion or more in net assets, must comply by Dec. 3, 2025.
- Smaller entities have until June 3, 2026.
If your firm hasn’t started preparing, now is the time to take action. Advisers should begin reviewing their programs and ensure they have a clear plan to meet each of the amended rule’s key requirements.
A Checklist for Reg S-P Success
At Adviser Compliance Consulting (ACC), we’re working closely with clients to implement the necessary safeguards, redesign incident response procedures and ensure vendors are up to standard. These changes are significant—and waiting until Q4 2025 won’t cut it. To help your firm prepare, we’ve created the following checklist.
1. Create or Enhance Your Vendor Management Program
The amendments require covered institutions to adopt written policies and procedures governing due diligence and monitoring of service providers.
These policies must be reasonably designed to ensure that each service provider takes appropriate measures to:
- Protect against unauthorized access to or use of customer information.
- Notify the adviser as soon as possible, and no later than 72 hours after becoming aware of a breach in security that resulted in unauthorized access to a customer information system the provider maintains.
Once notified, your firm must initiate its own incident response program. The 72-hour clock starts when the provider becomes aware of the breach, not when it finishes its internal investigation, so confirm with each provider that its escalation process can actually meet that window. The most reliable way to do this is to write the protection and notification requirements directly into your service provider agreements, along with the contact path the provider must use.
Also worth noting, the definition of a "service provider" is broad. It covers any person or entity that receives, maintains, processes or is otherwise permitted access to customer information through the services it provides to the firm, including affiliates. Most vendor management programs will need to expand significantly to meet the new standard.
2. Build or Update Your Incident Response Program
Under the amended rule, firms must maintain a written incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information. At a minimum, the program must include procedures to:
- Assess the nature and scope of an incident and identify the customer information systems and types of customer information that may have been accessed or used without authorization
- Contain and control the incident to prevent further unauthorized access or use
- Notify affected individuals where the rule requires it
- Recover from the event
Even if your firm already has a plan in place, it likely needs revision. The SEC is looking for specificity, operational readiness and documented procedures—not generic language.
3. Prepare for the Customer Notification Requirement
If unauthorized access to or use of customer information has occurred, or is reasonably likely to have occurred, the firm must notify each affected individual as soon as practicable, and no later than 30 days after becoming aware of it. The rule provides a narrow exception: notice is not required if, after a reasonable investigation, the firm determines that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. That determination must be documented.
This step will challenge many firms. Now is the time to formalize:
- What triggers a notification
- How you assess harm
- Who approves the communication
- What the notification says (the rule prescribes minimum contents, including a description of the incident, the type of sensitive customer information involved, the date or estimated date range, and how to contact the firm) and how it is delivered, which must be a method reasonably designed to ensure the individual actually receives it
These processes should be fully documented in your written policies and procedures.
4. Strengthen Recordkeeping and Safeguards Compliance
The amended rule enhances the Safeguards Rule and adds new recordkeeping obligations.
For RIAs, records must be retained for five years, the first two years in an easily accessible place. Covered records include:
- Written policies and procedures
- Documentation of detected unauthorized access and the firm’s response
- Evidence supporting the firm’s determination to notify (or not notify) clients
- Written agreements with service providers
Broker-dealers, investment companies and transfer agents have parallel obligations under their own recordkeeping rules and should review their broader data retention policies in light of these updates.
How ACC Can Help
The four components above are now legally required under amended Reg S-P, but they also represent core best practices for a modern cybersecurity compliance program. Getting them right is not just about passing an SEC exam—it’s about protecting your firm and your clients from real operational and reputational risk.
ACC offers full support for Reg S-P compliance, including:
- Policy and procedure development
- Vendor contract review and remediation
- Incident response plan development
- Breach notification readiness
- Regulatory filing support and documentation
Our team of compliance and cybersecurity specialists can help you meet the rule’s requirements confidently and on time.
Don’t wait until the deadline is weeks away. Contact us now to build a program that protects your firm and your clients.