Regulatory Considerations
Historical Enforcement Actions Related to Regulation S-P Violations
Well before the 2024 amendments, the SEC repeatedly used Regulation S-P to govern basic data protection through enforcement actions addressing deficient safeguards and oversight. Enforcement cases have focused on recurring compliance breakdowns, including the failure to implement written safeguards11, weak device‑disposal and vendor controls that left unencrypted personally identifiable information exposed12, inadequate email security and missing multifactor authentication that enabled account takeovers and delayed or misleading breach notifications13, and insufficient identity‑verification procedures that allowed impostors to access customer information.14 More recently, the SEC has emphasized firmwide control design and supervisory accountability across distributed branch networks.15
Taken together, these actions foreshadow the 2024 amendments by underscoring that advisers must maintain fit‑for‑purpose safeguard programs, demonstrate credible implementation and deliver accurate and timely incident communications.
As the Amendments take effect, every RIA legal and compliance professional's favorite phrase, "Say what you do, and do what you say," will carry renewed urgency. The SEC's Division of Examinations explicitly prioritized compliance with Regulation S-P and Regulation S-ID in its Fiscal Year 2026 Examination Priorities, and it will likely test whether written policies are implemented in practice, particularly those regarding incident response and third‑party oversight.
Further, the SEC held two outreach events related to Regulation S‑P compliance and tailored to registrant size (one for large firms on September 25, 2025, and one for small firms on January 22, 2026) as part of its Compliance Outreach Program. The sessions were designed to brief advisers on the 2024 amendments, explain exam team expectations and notice/production mechanics and answer implementation questions, so advisers could prepare for the phased compliance dates.
Examinations will likely focus on whether policies and procedures are not only facially compliant, but also reasonably designed and effectively implemented. Examiners will expect contemporaneous documentation to support key decisions.
The following sections cover specific areas of the rule that examiners may focus on, as well as practical considerations to help advisers prepare for an examination related to Regulation S-P requirements.
Staff Interviews
During its outreach events, SEC staff emphasized that examinations will include targeted interviews across business, technology and compliance functions to assess how Regulation S‑P compliance looks in practice. These discussions will not be limited to compliance leadership and will often extend to personnel with daily responsibility for data protection, vendor management and incident response execution.
Advisers should expect examiners to speak with chief information officers, chief information security officers, chief technology officers, privacy and information‑security personnel, incident‑response leads and, in some cases, key third‑party service providers supporting cybersecurity or data hosting functions.
The SEC staff made clear that these interviews are intended to test alignment between written policies and operational reality, not to elicit perfect answers.
How to Prepare: Before the examination, conduct internal practice interviews across your compliance, IT and security teams to reveal any disconnect between expectations and execution. If gaps exist, it’s better to address them and document remediation than to assume the examinations will remain confined to the written rule text.
Incident Response Governance
Examiners may seek to trace a real or mock incident end‑to‑end and ask who decides, and when, that sensitive customer information was, or was reasonably likely to have been, accessed or used without authorization. The emphasis will likely be on documentation of the adviser's decision‑making process at the time, rather than on hindsight conclusions. Examiners will also likely focus on how your organization met the notice deadline, which runs "as soon as practicable," but no later than 30 days, from the point at which the adviser becomes aware of the incident.
Advisers should expect scrutiny of how incident severity determinations are escalated, whether legal and compliance functions are appropriately involved and how advisers avoid undue delay while the facts are still being gathered. Examiners will also likely look for written documentation of the assessment, containment and notification decisions.
What to Have Ready: Incident response procedures, a timeline of decision points, copies of notices and tabletop results.
Service Provider Oversight
Policies must be reasonably designed to require providers to notify the adviser as soon as possible, but no later than 72 hours, after becoming aware of a breach in a customer information system they maintain. Examiners will likely ask for contracts or program standards reflecting that trigger, plus evidence of due diligence and ongoing monitoring (e.g., questionnaires, SOC reports, remediation tracking).
What to Have Ready: Your vendor inventory and risk rankings, the notice/escalation path per vendor and proof you monitor and follow up, not just check the box.
Data Mapping and Disposal
As a best practice for assessing readiness, advisers should conduct an internal risk assessment covering their technology and cybersecurity risks, the controls in place, and the threats and vulnerabilities those controls are meant to address.
Because the customer information category now expressly includes data handled on your behalf by service providers, examiners may expect a current data map and flow narrative showing where the data lives (e.g., email, CRMs, custodian portals, file shares), who can access it, how access is restricted and monitored, how it’s protected and how it’s disposed of under the expanded Disposal Rule. In particular, advisers with decades of legacy customer records should reassess long‑standing data retention practices and evaluate whether continued retention is necessary for business, legal or regulatory purposes, or if such retention instead introduces avoidable cybersecurity and privacy risk.
Clear, documented retention schedules and destruction protocols—covering both electronic and physical records and extending to service providers—are important, as retaining obsolete or duplicative customer data can complicate incident response, expand the scope of potential harm and increase the likelihood that a cybersecurity incident triggers notification obligations. Stale or incomplete data maps undermine an adviser’s ability to assess risk, respond to incidents and determine whether notification obligations are triggered.
How to Prepare: System‑by‑system inventories, flow diagrams and retention/disposal records that cover both customer and consumer information.