For registered investment advisers, staying compliant with SEC Regulation S-P is no longer just about providing privacy notices. The SEC's 2024 amendments significantly expanded the rule into a broader privacy and cybersecurity compliance framework. As of June 3, 2026, all SEC-registered RIAs are expected to have these requirements operationalized.
Ongoing Compliance Requirements
1. Maintain a Written Information Security Program
RIAs must continue to maintain policies and procedures reasonably designed to protect customer information from unauthorized access, use, or disclosure. This includes administrative, technical, and physical safeguards.
Key activities to consider:
- Annual policy reviews
- Risk assessments
- Access control management
- Data classification and protection
- Employee security awareness training
2. Maintain and Test an Incident Response Program
The amended rule requires a formal written incident response program designed to:
- Detect security incidents
- Assess affected systems and data
- Contain and eradicate threats
- Recover operations
- Determine whether customer notification is required
Best practices:
- Conduct tabletop exercises at least annually.
- Update the plan after incidents or significant changes.
3. Meet Customer Notification Requirements
If sensitive customer information is accessed or used without authorization (or is reasonably likely to have been), and customer harm might ensue, the RIA must notify affected customers, generally no later than 30 days after becoming aware of the incident, unless a limited exception applies.
Key activities to consider:
- Have pre-approved notification templates.
- Establish an internal escalation process.
- Document notification decisions and investigations.