Let’s be honest—compliance rules rarely make for light reading. But if you’re a registered investment advisor (RIA), the 2024 amendments to Regulation S-P aren’t something you can skim and forget. They’re changing the way we protect client data—and more importantly, the way the SEC expects us to prove it.
So let me break it down for you. Simple. Clear. And in plain language.
What’s New in Reg S-P?
The SEC’s amendments modernize Regulation S-P to better reflect today’s cybersecurity threats. Here are the three biggest changes:
- Incident Response Program: You now need written policies and procedures for an incident response program that covers how your firm detects, assesses, contains, and recovers from unauthorized access to or use of customer information. Think of this as your blueprint for handling a cyber incident, not just a statement that you take security seriously.
- Customer Notifications: If customer information is accessed or used without authorization (or that is reasonably likely to have happened), you must notify affected individuals as soon as practicable and no later than 30 days after you become aware of it. The only way out of notice is determining, after a reasonable investigation, that the sensitive customer information is not reasonably likely to be used in a way that causes substantial harm or inconvenience, and you need to be able to show that determination. The days of brushing incidents under the rug are over.
- Service Provider Oversight: You're now on the hook for what your vendors do (or don't do) with client information. You must have policies requiring due diligence on and monitoring of service providers that receive, hold, or process customer information, and they must be required to notify you of a breach no later than 72 hours after they become aware of it. That includes cloud storage, CRMs, custodians, and marketing firms.
Why Should You Care?
Because if something goes wrong, whether it's a breach or just a missing document, the SEC isn't going to take your word for it. The amendments add recordkeeping requirements, so examiners will want to see records: your written policies, the incident log, the investigation that backed a decision not to notify, the notices you sent, and your vendor oversight. If you don't have it, expect deficiency findings, fines, or worse, a hit to your reputation.
This isn’t just about compliance. It’s about client trust. Your clients are entrusting you with their most sensitive financial data. These regulations make sure you’re treating that trust like the priceless asset it is.
What Counts as "Customer Information"?
Any nonpublic personal information about a customer (name, SSN, birthdate, account numbers, and any record derived from it) that your firm holds or that a service provider holds on your behalf. The amended definition also covers information you receive about another financial institution's customers, for example when an account transfers to you. If it can identify a person and it's not public, it counts.
The SEC now expects you to track this information closely. That means knowing:
- Where the data is stored
- Who has access
- What your vendors are doing with it
What Should RIAs Do Now?
- Review Your Current Policies – Are they documented, tested, and accessible?
- Create a Customer Information Inventory – Know where every piece of sensitive data lives.
- Assess Vendor Security – Make sure your third-party providers are up to par.
- Develop an Incident Response Plan – More on this in our next blog.
- Schedule Regular Reviews – Compliance isn’t set-it-and-forget-it.
The Bottom Line
If you're not already treating IT security as a compliance function, now's the time to start. These rules aren't going away: compliance dates are December 3, 2025 for larger firms (RIAs with $1.5 billion or more in assets under management) and June 3, 2026 for smaller ones, and your next exam could depend on how well you've prepared.
Want help building an IT compliance plan that’s Reg S-P ready? That’s what we do.