Amendments to Regulation S-P

Main Contributor: Elizabeth Cope, CPA, CSCP, CIPM, CEO & Lead Consultant

Background

In 2024, the SEC adopted amendments to Regulation S-P. This is the rule that requires investment advisors to maintain written safeguards to protect client information and to provide those clients with a written privacy notice.

The amendments to Regulation S-P now specifically require investment advisors to adopt a written incident response plan that lays out the steps to be taken in the event of a security breach, along with a 30-day notification requirement for impacted clients. Additionally, you are required to adopt procedures for due diligence of your critical service providers and to obtain reasonable assurances that service providers with access to customer information are committed to reporting any breaches on their systems to your firm within 72 hours.

Effective Dates

For large advisors, with regulatory assets under management over $1.5 billion, the deadline to have the policies implemented is December 3, 2026. For all other advisors, the deadline is June 3, 2026.

What is Considered “Customer Information” Under the Amendment?

Under the 2024 amendments, customer information is defined as:

Any record containing nonpublic personal information about a customer of a financial institution, in any form (paper, electronic, etc.), that is:

  • in the possession of the covered institution, or

  • handled or maintained by the institution or on its behalf (e.g., by service providers).

This definition applies to all covered institutions, including SEC-registered investment advisers, broker-dealers, investment companies, and now transfer agents, which were previously subject only to the disposal rules.

Non-public information includes:

  • Social Security numbers

  • Driver’s license numbers

  • Account numbers

  • Login credentials

  • Biometric data

  • Any data that can identify or authenticate a customer.

This includes customer information in your possession or handled on your behalf, even if the individual is no longer a client—or was never formally onboarded as one.

Summary of Updates That Need to Be Made

Incident Response Program

Your firm will need to adopt a written incident response plan or, if one is already in place, review and update it to be in line with the Regulation S-P amendments. This plan will be required to include procedures covering:

  • Events that trigger the plan

  • Procedures your firm will take to assess the nature and scope of the incident/breach

  • Measures your firm will take to contain and control the incident to prevent further unauthorized access

Notification Requirement

Within your incident response plan, be sure to include the requirement to provide notifications to individuals whose sensitive customer information was compromised. This notice must be provided as soon as practicable, but no later than 30 days after you become aware that unauthorized access to sensitive customer information has occurred and results in substantial harm or inconvenience. Further, the rule outlines what information must be specifically addressed within the notice and the requirements around how it is delivered.

Sensitive customer information means any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information. The SEC doesn’t define substantial harm or inconvenience, but does provide factors to consider such as theft, fraud, harassment, physical harm, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the misuse of information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise misuse the individual's account.

Service Providers

You will be required to have written policies and procedures around your oversight and due diligence of service providers, including the obligation of any service provider that has access to customer information to report to you within 72 hours of a breach within its systems. You are not required to impose the 72-hour requirement contractually, which gives you flexibility in how you obtain this assurance from your service providers.

Books and Records

Ensure your firm’s compliance documentation includes records of breach assessments, service provider communications, and client notifications. These records may be requested during future SEC examinations and must be retained for a period of five years following the fiscal year-end of use.

Conclusion

The 2024 amendments to Regulation S-P mark a significant shift in how investment advisers must approach data protection and breach response. With expanded definitions, stricter notification timelines, and heightened oversight of service providers, firms must take proactive steps to align their policies and procedures with the new requirements.

Now is the time to:

  • Review and update your incident response plan

  • Formalize breach notification protocols

  • Strengthen vendor oversight and documentation practices

By preparing in a timely manner, your firm can reduce regulatory risk, protect client trust, and demonstrate a strong commitment to cybersecurity and compliance. As always, SCS is here to help. Be sure to ask about the new Reg S-P amendments either on your next call or in an email to your SCS team! If you don’t yet work with SCS, feel free to contact us to find out more.
