Upcoming Amendments to Regulation S-P: What Investment Advisers Need to Know
On May 16, 2024, the U.S. Securities and Exchange Commission (the “SEC”) issued a final rule amending Regulation S-P to make it more protective of an affected individual’s nonpublic information (the “Amendment”). The Amendment has two effective dates, between 2025 and 2026, contingent on the size of the company. The Amendment is designed to modernize and enhance the protection of consumer financial information by: (1) requiring covered institutions to develop, implement and maintain written policies and procedures protective of a consumer’s sensitive, nonpublic information; (2) requiring covered institutions to maintain an incident response program that timely notifies affected individuals of unauthorized use of customer information; and (3) broadening the scope of information covered under Regulation S-P.
Background on Regulation S-P
Originally adopted in 2000, Regulation S-P required broker-dealers, investment companies, registered investment advisers, and transfer agents to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
Recent changes to Regulation S-P are aimed at further protecting consumer information by preventing unauthorized access. For investment advisers, compliance with Regulation S-P and its amendments is crucial to ensure a consumer’s sensitive information remains protected.
What about Regulation S-P has changed and how can SEC-registered investment advisers comply with these changes?
Regulation S-P and its most recent Amendment impact covered persons including SEC-registered investment advisers. They do not, however, affect exempt reporting advisers or state-registered advisers.
- Incident Response Program
Advisers will be required to establish an incident response program. The incident response program should be reasonably designed to identify, detect, and respond to any unauthorized access to a consumer’s nonpublic information. Further, the incident response program must establish, maintain and enforce written policies and procedures reasonably designed to provide oversight through diligence and monitoring of service providers.
- Customer Notification Requirement
When an affected individual’s nonpublic, sensitive information has been, or is reasonably likely to have been, accessed without authorization, advisers will be required to notify affected individuals. The following requirements apply:
- Notice shall be provided as soon as practicable, but not later than 30 days after investment advisers become aware the unauthorized access occurred or is reasonably likely to have occurred.
- Notices must include details regarding the incident, the breached data, and guidance on how affected individuals can protect themselves.
- If the adviser determines that the breached sensitive information has not been, or is not reasonably likely to be, used in a manner that would inflict substantial harm or inconvenience upon the affected individual, then notice to the affected individual is not required.
- Notice to the affected individual may be delayed if the SEC receives a written request from the Attorney General that such notice poses a substantial risk to national security or public safety.
- Additional Changes and Considerations under Regulation S-P Relevant to Investment Advisers:
- The “customers” or affected individuals subject to the protections of Regulation S-P are defined in the Regulation S-P adopting release as “a consumer who has a relationship with you” and, under the Amendment, that definition has been expanded to include confidential client information of customers from another financial institution. For investment advisers, the rule does not limit the scope of a customer or affected person to solely natural persons; thus, an entity may be an affected person.
- Investment advisers should create and maintain written policies documenting compliance with data protection and proper disposal.
- Regulation S-P’s annual privacy notice delivery provisions have been conformed to the terms of an exception added by the Fixing America’s Surface Transportation Act (the “FAST Act”). Under the FAST Act, a financial institution that meets the requirements for the annual privacy notice exception will not be required to provide annual privacy notices “until such time” as that financial institution fails to comply with the conditions of the exception, but it does not specify a date by which the annual privacy notice delivery must resume.
Compliance Dates
Compliance with the Amendment to Regulation S-P is required by December 3, 2025, for large SEC-registered investment advisers with $1.5 billion or more in total assets under management, and by June 3, 2026, for all other SEC-registered investment advisers.
If you have questions about Regulation S-P and how it may impact your investment advisory practice, please contact a Rich May attorney.
Disclaimer: This summary is provided for educational and informational purposes only and is not legal advice. Any specific questions about these topics should be directed to attorney(s) Yelitza Montesino and/or Diana Alsabe.
© 2025 by Rich May, P.C. and Yelitza Montesino and Diana Alsabe. All rights reserved.

