Regulation S-P New Rules Are Coming
Regulation S-P, or Reg S-P, was originally enacted in 2000 by the SEC, with the “S” standing for safeguarding and the “P” for privacy. Over time, as we all know, cybersecurity crimes have surged, and for this reason the SEC has updated Reg S-P to address digital threats.
The adopted amendments apply to covered institutions[1]. They become effective on December 3, 2025 for larger entities (e.g., Registered Investment Advisers with $1.5 billion or more in AUM, Investment Companies with over $1 billion in AUM, and Broker-Dealers and Transfer Agents that are not smaller entities); other covered institutions, which are smaller entities, are subject to the new rules on June 3, 2026.
So, what does this mean and when do we need to do things under the new rules? Here is a summary of some of the upcoming new rules:
Drafting Policies and Procedures
Policies and Procedures must be drafted for an Incident Response Program that detects and responds to unauthorized access to customer data, is designed to oversee and monitor service providers, and notifies customers when their information has been accessed or used without authorization. Drafting these Policies and Procedures will likely take the most time, to make sure the content covers the amendment’s 348 pages.
Notification Requirements
If sensitive customer information is accessed or used without authorization, Firms must notify affected individuals as soon as practicable, but no later than 30 days after discovery. Notification may be delayed upon written request from law enforcement, and such requests must be documented.
Recordkeeping and Annual Notices
Firms shall maintain written records for at least five years, including current and historical records, versions of policies and procedures, incident investigations, customer notifications, service provider oversight documentation, and disposal logs. Version control and annual reviews are required to ensure ongoing compliance.
Strengthened Service Provider Oversight
Firms must enter into agreements requiring service providers to:
- Maintain appropriate safeguards;
- Notify the Firm of incidents promptly;
- Provide information needed for the Firm to meet its regulatory obligations; and
- Cooperate with investigation and remediation efforts.
Conduct Training
- Conduct periodic testing of security controls, including, as appropriate on a risk basis, penetration tests and vulnerability scans, at a frequency commensurate with the level of perceived risk;
- Perform tabletop exercises simulating data breach scenarios to validate response protocols; and
- Provide mandatory training for all employees on privacy, cybersecurity, and incident reporting obligations.
In short, there will be several changes in the procedures and processes for most RIAs in 2026. As we go through the Holiday season, our focus will first be on the Annual ADV Amendments, which will generally conclude in March. Afterwards, we will work on the new procedures. However, it may make sense not to wait, as these rules will have a lot of impact. And, as experience has shown us, our regulators expect conformity rather soon. Please feel free to contact us when you are ready to tackle these rules.
[1] “Covered Institutions” refers to broker-dealers, investment companies, SEC-registered investment advisers, funding portals, and transfer agents.