Regulation S-P: The SEC’s Latest Cybersecurity Mandate – What RIAs Need to Know

Regulation S‑P is an SEC rule designed to protect customer privacy and safeguard nonpublic personal information (NPI). It mandates that RIAs adopt written policies and procedures to protect sensitive client data from unauthorized access or use. These rules stem from the Gramm-Leach-Bliley Act (GLBA) and were recently updated in May 2024 to reflect modern cybersecurity threats.

The 2024 amendments to Regulation S‑P require:

• Written cybersecurity and incident response programs
• Client breach notifications within 30 days of detecting unauthorized access
• Oversight of service providers with breach notifications due within 72 hours
• Expanded scope to include transfer agents and third-party data
• Updated recordkeeping and data disposal obligations

These changes modernize outdated rules and enhance protection for client data in today’s digital environment.

• Large RIAs (≥ $1.5 billion AUM): Must comply by December 3, 2025
• Smaller RIAs (< $1.5 billion AUM): Deadline is June 3, 2026

These timelines give firms 18 to 24 months from the rule’s effective date to become compliant.

Your Written Incident Response Program must include:

• Detection and assessment of unauthorized access
• Scope evaluation and containment steps
• Recovery plans and system restoration
• Client notification protocols (within 30 days)
• Vendor breach monitoring and reporting (within 72 hours)
• Full documentation and post-incident reviews

This includes any information that could cause harm or identity theft if disclosed. Examples include:

• Social Security numbers
• Account usernames and passwords
• Biometric identifiers
• Driver’s license or passport numbers
• Financial account credentials
• Any combination of data that identifies a customer

RIAs must notify clients within 30 days of becoming aware of unauthorized access to sensitive customer data. Notification can only be delayed if the U.S. Attorney General requests it for national security or law enforcement purposes. Firms must retain documentation justifying delays or decisions not to notify.

Yes. Regulation S‑P now mandates written vendor oversight policies, including:

• Risk-based due diligence during vendor selection
• Breach notification requirements within 72 hours of discovery
• Ongoing monitoring and audit rights
• Formal contracts documenting compliance expectations

RIAs remain responsible for notifying clients—even if a vendor is at fault.

RIAs must retain the following records for 3 to 6 years, based on firm size:

• Written cybersecurity and incident response policies
• Breach logs and investigation summaries
• Copies of client notifications and related decisions
• Vendor contracts and oversight documentation
• Data disposal records and policy revisions

• Regulation S‑P: Focuses on protecting sensitive client data and notification obligations
• Cybersecurity Rule: Focuses on operational resilience and business continuity during cyber events

Together, they create a comprehensive compliance framework for RIAs managing digital risk.

Cyberattacks have increased dramatically since the rule’s original version in 2000. The 2024 update reflects:

• Rise in ransomware and credential theft
• Complexity of remote/hybrid work environments
• Need for faster breach response and client transparency
• Importance of third-party oversight and secure data disposal

The SEC aims to shift firms toward a “detect, respond, and recover” mindset.