New Regulation S-P Amendments: Are You Prepared?

Regulation S-P, adopted by the SEC under the Gramm-Leach-Bliley Act (GLBA), requires broker-dealers, investment companies, and investment advisers to protect customer financial information and to inform customers about their privacy practices. The amendments the SEC adopted in 2024 modernize a rule that had not materially changed since 2000, adding incident response, customer notification, and service provider oversight requirements to address current cybersecurity threats and the way firms now outsource data handling.

Contract and vendor reviews may take months—if you want to meet compliance deadlines, start preparing now.


Three Key Changes You Need to Address Immediately:

1. Vendor Notification Within 72 Hours

Service providers that maintain or access your customer information must notify you as soon as possible, and no later than 72 hours, after they become aware of a breach in security resulting in unauthorized access to a system holding your client data. Note that the clock runs from when the vendor becomes aware, not from when the access occurred, so your agreements should define what "aware" means, name the contact the notice goes to, and require the same commitment of the vendor's own subcontractors. While major custodians likely already comply, smaller vendors might require significant lead time to renegotiate contracts or implement the detection and escalation procedures needed to meet the deadline. Delaying could force difficult decisions about replacing critical vendors.

Begin vendor assessments and contract reviews now, particularly for:

  • Managed service providers (MSPs) that administer your systems or hold backups
  • CPAs and other outside firms that receive client financial data
  • CRM and other SaaS platforms not specialized in financial services

2. Incident Response Triggers

Your Incident Response Plan (IRP) must now be invoked on any unauthorized access to or use of customer information, including incidents that look minor or accidental. Invoking the plan does not by itself mean a customer notification: the plan must assess the nature and scope of the incident, contain it, and then determine whether sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Updating and testing the IRP to cover this sequence takes considerable effort and cross-functional coordination, so don't wait until the compliance deadline approaches.

Common new triggers include:

  • Employees accessing sensitive client data they are not authorized to see, even unintentionally
  • Vendor notifications of unauthorized access to a system holding your data, even before a breach is confirmed

3. Comprehensive Logging Requirements

Under the amended Regulation S-P, you must notify each individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. If you cannot identify which specific individuals were affected, you must notify every individual whose information resides in the affected system. In practice, only record-level access logs (who accessed which client record, when, and from where) let you narrow the affected population; without them you will have to assume all data in the system was compromised, vastly increasing notification obligations.

Implementing robust logging takes significant time and resources, so begin this work immediately to:

  • Accurately determine affected individuals
  • Minimize unnecessary notifications
  • Efficiently demonstrate compliance to regulators
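As an added illustration of what "detailed logs" buy you during an incident, here is a small Python scoping script. It is example code written for this page, not part of the original article or of CyberSecureRIA's materials. It assumes a record-level access log in JSON-lines form (the field names and the sample log lines are constructed for the example), a compromised principal, an incident window from the first unauthorized event to containment, and the period the log is known to be complete for. It returns the set of clients to notify, and falls back to everyone whose data resides in the system whenever the log cannot prove who was not accessed: when coverage does not span the window, or when an in-window event (such as a bulk export logged as one line) carries no record-level detail.

```python
import json
from datetime import datetime, timezone

# Constructed sample access log (not real data): one JSON line per read of a
# client record. Field names are assumptions for this example; what matters is
# that every line ties a principal to a specific client record at a specific time.
SAMPLE_LOG = """\
{"ts": "2025-03-02T09:14:05Z", "principal": "svc-crm-sync", "action": "read", "client_id": "C-1001"}
{"ts": "2025-03-02T09:14:07Z", "principal": "svc-crm-sync", "action": "read", "client_id": "C-1002"}
{"ts": "2025-03-02T09:30:00Z", "principal": "jdoe", "action": "read", "client_id": "C-1003"}
{"ts": "2025-03-02T10:02:11Z", "principal": "svc-crm-sync", "action": "read", "client_id": "C-1004"}
{"ts": "2025-03-02T10:40:00Z", "principal": "svc-crm-sync", "action": "read", "client_id": "C-1001"}
{"ts": "2025-03-03T08:00:00Z", "principal": "svc-crm-sync", "action": "read", "client_id": "C-1005"}
"""

# Same log plus one coarse event: a bulk export with no record-level detail.
COARSE_LOG = SAMPLE_LOG + (
    '{"ts": "2025-03-02T10:50:00Z", "principal": "svc-crm-sync", '
    '"action": "export", "client_id": null}\n'
)

# Every client whose data resides in the affected system (hypothetical set).
ALL_CLIENT_IDS = frozenset(f"C-{n}" for n in range(1001, 1011))


def parse_ts(s):
    """Parse an RFC 3339 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text):
    """Parse JSON-lines access records; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = parse_ts(e["ts"])
        events.append(e)
    return events


def scope_incident(events, principal, window, coverage, all_client_ids):
    """Decide who must be notified for unauthorized activity by `principal`.

    window   -- (start, end) of the unauthorized activity, first bad event to containment
    coverage -- (start, end) of the period the log is known to be complete for
                (retention start, last successful ingest)

    Returns (set_of_client_ids, reason). Falls back to everyone whose data
    resides in the system whenever the log cannot prove who was NOT accessed.
    """
    window_start, window_end = window
    coverage_start, coverage_end = coverage

    # Gap 1: the log does not cover the whole window, so the absence of an
    # event proves nothing. Notify everyone in the system.
    if coverage_start > window_start or coverage_end < window_end:
        return set(all_client_ids), "log coverage does not span the incident window"

    in_window = [
        e for e in events
        if e["principal"] == principal and window_start <= e["ts"] <= window_end
    ]

    # Gap 2: an in-window event has no record-level detail (a bulk export
    # logged as a single line), so its reach cannot be bounded.
    if any(e.get("client_id") is None for e in in_window):
        return set(all_client_ids), "an in-window event lacks record-level detail"

    return {e["client_id"] for e in in_window}, "scoped from record-level access log"


def demo():
    """Run the three cases a practitioner should check; returns the results."""
    window = (parse_ts("2025-03-02T09:00:00Z"), parse_ts("2025-03-02T11:00:00Z"))
    full = (parse_ts("2025-02-01T00:00:00Z"), parse_ts("2025-03-04T00:00:00Z"))
    short = (parse_ts("2025-03-02T10:00:00Z"), parse_ts("2025-03-04T00:00:00Z"))
    return {
        "detailed": scope_incident(parse_log(SAMPLE_LOG), "svc-crm-sync", window, full, ALL_CLIENT_IDS),
        "coarse": scope_incident(parse_log(COARSE_LOG), "svc-crm-sync", window, full, ALL_CLIENT_IDS),
        "gap": scope_incident(parse_log(SAMPLE_LOG), "svc-crm-sync", window, short, ALL_CLIENT_IDS),
    }


if __name__ == "__main__":
    for name, (ids, reason) in demo().items():
        print(f"{name}: notify {len(ids)} client(s) ({reason})")
```

With the detailed log the compromised service account touched three of the ten clients inside the window, so three notices go out; the advisor "jdoe" and the read that happened after containment are correctly excluded. The same incident with a coarse export line, or with log retention that starts inside the window, forces notice to all ten. That is the practical meaning of the requirement: the log must be per record, per principal, time-stamped, and retained well past any plausible incident window.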

Action Steps to Start Today:

  • Vendor Inventory: Identify every vendor that stores, processes, or can access client data, and record which systems and data each one touches.
  • Review Contracts: Ensure vendor agreements require notice as soon as possible, and no later than 72 hours after the vendor becomes aware, of any breach in security resulting in unauthorized access to your client data, with a named recipient for that notice.
  • Implement Logging: Deploy record-level access logging (who accessed which client record, when, and from where) and retain it long enough to cover the full window of any incident you might have to investigate.
  • Update and Test IRP: Define what counts as an incident, assign team roles, document assessment, containment, and notification procedures, and test the plan regularly with tabletop exercises.

Compliance Deadlines

RIA Category    AUM Threshold (assets under management)    Compliance Deadline
Larger RIAs     ≥ $1.5 billion                             December 3, 2025
Smaller RIAs    < $1.5 billion                             June 3, 2026

These amendments significantly impact your firm's data protection, vendor management, and incident response processes. Acting now ensures smoother compliance and fewer disruptions later.

CyberSecureRIA can help your firm navigate these changes proactively, including:

  • Risk Assessments
  • Policies and Procedures Development
  • Vendor Due Diligence
  • Vulnerability Assessments
  • Cybersecurity Training

Start preparing today to avoid compliance challenges tomorrow.

Download the Guide