90-Day Warning: Regulation S-P Amendments Compliance Deadline Approaching for Smaller Entities

March 10, 2026

On May 15, 2024, the SEC adopted amendments to Regulation S‑P, adding new obligations for registered investment advisers, investment companies, broker‑dealers (including funding portals), and transfer agents. ERAs and private funds remain subject to the FTC’s Regulation P and Safeguards Rule and therefore are not covered by the amendments.

The compliance deadline for “Smaller Entities” is June 3, 2026. Smaller Entities are defined as those with less than $1.5 billion in assets under management (AUM). The deadline for “Larger Entities” has already passed, as these firms were required to comply by December 3, 2025.

Entities that have not yet taken action should now revisit their information security policies and procedures to align them with the new obligations.

S&K Resources

Seward & Kissel offers a number of resources for entities seeking to comply with the amendments:

  • Model Compliance Manuals and Procedures for both smaller and larger advisers;
  • Service Provider Worksheet to help advisers determine their service provider oversight obligations; and
  • Publications and Webinars: Our prior coverage of the Regulation S‑P amendments is available here, and our most recent webinar can be accessed here. For a broad discussion of adviser data requirements, please see our compliance obligations overview.

Overview of the New Requirements

The amendments introduce the following key requirements for covered entities:

  1. Incident Response Program

Advisers must implement and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. “Customer information” is any record containing nonpublic personal information about a customer of a financial institution, regardless of whether such information pertains to clients of the adviser or to customers of other financial institutions.

  2. Customer Notification

An adviser must provide clear and conspicuous notice to affected individuals within 30 days of any data security incident involving “sensitive customer information” that could cause significant harm or inconvenience to those individuals. “Sensitive customer information” is any component of customer information, alone or in conjunction with any other information, that, if compromised, could create a reasonably likely risk of substantial harm or inconvenience to an individual. Examples include a Social Security number, a biometric record, an account number, account credentials, and a password.

  3. Service Provider Oversight

Incident response programs must include written policies and procedures to oversee service providers in possession of customer information through due diligence and ongoing monitoring. These policies and procedures must be reasonably designed to confirm that service providers implement adequate safeguards to protect customer information and notify the adviser as soon as possible, and no later than 72 hours after becoming aware of a breach.

  4. Recordkeeping

Advisers must keep written records showing they have safeguards for customer information, document any breaches and related investigations or notifications, and maintain policies for service provider oversight and proper disposal of consumer report information.

  5. Annual Privacy Notices

The amendments codify existing SEC guidance that allows advisers to forgo annual privacy notices if they do not share nonpublic personal information with non‑affiliates (other than under limited exceptions without opt‑out rights) and have not changed their privacy policies since the last notice.

Seward & Kissel will also be hosting a webinar on March 27, 2026, to discuss these amendments in greater detail. Register here.

Please contact an attorney in the Investment Management Group at Seward & Kissel LLP if you have any questions regarding Regulation S-P.
