Regulation S-P - The New Deal

Part 2

For registered investment advisers, staying compliant with SEC Regulation S-P is no longer just about providing privacy notices. The SEC's 2024 amendments significantly expanded the rule into a broader privacy and cybersecurity compliance framework. As of June 2026, all SEC-registered RIAs are expected to have these requirements operationalized.

This is Part 2 of our series on the new requirements. Part 1 can be found here:


4. Oversee Service Providers

RIAs must have policies and procedures to oversee vendors that access customer information. Service providers should:

  • Protect customer information appropriately.
  • Notify the RIA promptly of security incidents (many firms use contractual requirements such as 72-hour notification provisions).

Ongoing activities:

  • Vendor due diligence before onboarding
  • Periodic vendor reviews
  • Review SOC reports and cybersecurity questionnaires
  • Update contracts as needed

5. Continue Privacy Notice Compliance

RIAs must continue to comply with Regulation S-P's privacy notice requirements regarding:

  • Collection of customer information
  • Sharing practices
  • Customer rights and opt-outs where applicable

Certain firms may qualify for exceptions to annual privacy notices if information-sharing practices have not changed and other conditions are met.

6. Properly Dispose of Customer Information

RIAs must continue to ensure that customer records are disposed of securely to prevent unauthorized access.

Examples:

  • Secure shredding of paper records
  • Certified destruction of electronic media
  • Secure deletion procedures

Venturis Solutions, Chastity Figueroa June 22, 2026