Regulation S-P: The SEC’s Latest Cybersecurity Mandate – What RIAs Need to Know

The SEC’s Regulation S-P amendments require firms to:

• Implement a documented incident response program
• Notify affected clients within 30 days of discovering a breach or likely compromise
• Conduct ongoing oversight of third-party vendors that access client data
• Expand and document data protection and disposal procedures
• Maintain detailed records of incidents, notifications, and vendor reviews

Regulation S‑P, first adopted in 2000, enforces SEC privacy protections for customer data under the Gramm-Leach-Bliley Act. It requires RIAs and broker-dealers to establish written policies to protect nonpublic personal information (NPI), ensure its secure disposal, and manage breach notifications.

As of May 2024, the SEC updated Regulation S‑P to include modern cybersecurity expectations:

• Mandatory written cybersecurity and incident response policies
• Client breach notifications within 30 days of discovering unauthorized access
• Expanded scope to include transfer agents and third-party data
• Vendor breach notifications within 72 hours
• Enhanced recordkeeping for policies, incidents, notifications, and vendor agreements

Read the official SEC final rule here.

• Larger RIAs (AUM ≥ $1.5 billion): compliance required by December 3, 2025
• Smaller RIAs (AUM < $1.5 billion): deadline is June 3, 2026

All SEC-registered RIAs must align with these requirements by the respective deadlines.

Your policies should be designed to detect and respond to unauthorized access and should cover:

• Risk assessment and continuous monitoring
• Incident detection, containment, and recovery processes
• Secure data disposal procedures
• Vendor oversight and due diligence
• Protocols for notifying clients and service providers about breaches

You must notify affected individuals within 30 calendar days after you learn of (or suspect) unauthorized access to sensitive customer information. Sensitive data includes:

• Social Security numbers, passports, driver’s license numbers
• Login credentials tied to financial data
• Biometric identifiers and other data that could lead to harm if compromised

Notification may only be delayed if the U.S. Attorney General provides a written exception for reasons of national security or public safety. In all other instances, the 30-day notification requirement must be met.

RIAs must:

• Conduct due diligence when selecting vendors
• Include security and breach-reporting clauses in contracts
• Require vendors to notify your firm within 72 hours of a breach
• Retain vendor records and related documentation for at least 3–6 years

Maintain documentation for at least 3 to 6 years, including:

• Written cybersecurity policies and procedures
• Incident logs, investigation summaries, and recovery actions
• Copies of client notifications and rationale for those actions
• Vendor oversight documentation, such as agreements and reports
• Data disposal records for customer and third-party information

• Regulation S‑P centers on data protection and customer notification
• The Cybersecurity Rule addresses resiliency, incident governance, and ongoing monitoring

Together, these regulations form a comprehensive cybersecurity framework for RIAs.

Follow these steps:

1. Conduct a cybersecurity gap analysis
2. Draft or update written policies and incident response protocols
3. Create client notification templates
4. Implement vendor oversight and breach-reporting processes
5. Perform tabletop incident-response exercises with staff
6. Strengthen data disposal procedures to meet the expanded scope