The Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P in May 2024, significantly expanding privacy, data security and breach notification obligations for “covered institutions,” which includes SEC-registered investment advisers (RIAs). These changes are particularly time-sensitive for “large” RIAs, defined as those with $1.5 billion or more in assets under management, which must comply by December 3, 2025. “Small” RIAs, with less than $1.5 billion in assets under management, have until June 3, 2026.
Expanded scope of protected information
The definition of “customer information” under Regulation S-P is broadened to include any record containing nonpublic personal information about a customer of a covered institution, whether in paper, electronic or other form, and whether held by the covered institution itself or handled on its behalf. Nonpublic personal information, in turn, includes “personally identifiable financial information” and, more broadly, “any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using” such information.
Regulation S-P applies to customer information regardless of whether that information relates to individuals with whom the covered institution itself has a relationship. As a result, a covered institution that processes customer information on behalf of another financial institution arguably must notify those individuals itself if their sensitive information is compromised.
Incident response program
Covered institutions must implement a written incident response program in order to detect, respond to and recover from security incidents impacting customer information. At a minimum, the program must include written policies or procedures that help the covered institution to:
- Assess the nature and scope of an incident to determine whether there was any unauthorized access to or use of customer information.
- Contain and control the incident.
- Notify impacted individuals of the incident.
The incident response program should be commensurate with the covered institution’s size, operations and data processing activities.
Federal breach notification standard
The amendments establish a federal breach notification standard. Under Regulation S-P, covered institutions must provide clear and conspicuous written notice to each affected individual whose sensitive customer information was – or is reasonably likely to have been – accessed or used without authorization. Regulation S-P defines sensitive customer information broadly as any component of customer information “the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” This risk-based definition differs from many state data breach laws, which trigger notification only for enumerated data elements.
This notice must be provided as soon as practicable, but no later than 30 days after the covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The only exception is a delay requested under limited circumstances where the US attorney general determines that the notice poses a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
The notification to individuals must include:
- A description of the incident and the types of data involved.
- Recommended steps individuals can take to protect themselves (e.g., placing fraud alerts, obtaining credit reports).
- Resources from the Federal Trade Commission on protecting oneself from identity theft.
- More than one method for the customer to contact the covered institution.
One of the most notable provisions of Regulation S-P is the requirement to notify every individual whose sensitive customer information resides in the customer information system that was – or is reasonably likely to have been – accessed without authorization, if the covered institution cannot determine which specific individuals’ sensitive customer information was affected.
Notification is not required if the sensitive customer information was not subject to unauthorized access or use, or if the RIA determines, after conducting a reasonable investigation of the facts and circumstances, that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience to the affected individuals.
Service provider oversight
Incident response programs must contain written policies and procedures that address due diligence and ongoing monitoring of service providers who have access to customer information.
These policies and procedures must require the service provider to:
- Take reasonable measures to protect against unauthorized access or use of customer information.
- Notify the RIA as soon as possible, and no later than 72 hours, after becoming aware of a breach involving customer information processed by the service provider.
RIAs may contract with service providers to send customer notices on their behalf, but the RIA remains ultimately responsible for ensuring timely and compliant notification.
Data disposal requirements
Under the amendments, covered institutions must have written policies and procedures addressing data disposal and take reasonable measures to securely dispose of customer information.
Recordkeeping requirements
Covered institutions must maintain written records documenting compliance with Regulation S-P. This includes:
- Policies and procedures implementing Regulation S-P’s requirements.
- Documentation of incidents and the covered institution’s incident response.
- Records of incident forensic investigations and the covered institution’s determinations regarding notification of individuals.
- Copies of any notices sent to individuals.
- Documentation related to service provider diligence and oversight.
For RIAs, these records must be retained for five years, with the first two years in an easily accessible place.
Annual privacy notice exception
The amendments codify the Gramm-Leach-Bliley Act (GLBA) exception to annual privacy notices. RIAs are exempt from delivering annual privacy notices if:
- They have not changed their data privacy and disclosure practices.
- They only share nonpublic personal information with nonaffiliates under an applicable exception.
What registered fund managers should do by December 3, 2025
For “large” registered fund managers, the practical implications are clear – and urgent. By the compliance deadline, managers should be prepared to:
- Demonstrate a fit-for-purpose incident response program.
- Implement breach notification workflows that meet the 30-day timeline and content requirements.
- Map and vet service providers and require service providers to notify covered institutions of data breaches within 72 hours.
- Apply expanded data disposal safeguards.
- Update recordkeeping practices.
Need help?
If you would like assistance operationalizing these requirements across policies, vendor oversight, templates and training, please reach out to your Cooley contact to be connected with our cyber/data/privacy practitioners.