Regulation S-P Amendments Shift the Compliance and Cybersecurity Landscape: What the Amendments Mean and How Firms Can Navigate Them

The SEC’s amendments to Regulation S-P (Reg S-P) reflect heightened expectations for how financial firms protect customer information, respond to incidents, and oversee service providers. With tighter notification timelines and more explicit documentation requirements, the amendments serve to remind investment advisers that compliance and cybersecurity are operational priorities.

On May 16, 2024, the SEC announced amendments to Reg S-P to modernize the framework governing the protection of consumers’ nonpublic personal information. The amendments reflect a simple regulatory reality: as financial institutions such as registered investment advisers increasingly rely on digital systems, vendors and interconnected data environments, legacy privacy controls are no longer enough. The amendments are designed to bring incident response, customer notification and information governance in line with the operational risks firms face today.

Registered investment advisers must now be prepared not only to safeguard client and investor information, but also to detect unauthorized access or use, contain incidents, document decisions and, where required, notify affected individuals on a compressed timeline. For many firms, this is not just a privacy update. It is a meaningful shift in how regulators expect institutions to prepare for and respond to real-world data incidents.

Why the Amendments Matter

Reg S-P has long required broker-dealers, investment companies and registered investment advisers to adopt written safeguards for customer information. The 2024 amendments expand and sharpen those obligations in several important ways. Firms are now expected to move beyond general cybersecurity concepts and adopt a documented, testable framework for how they assess, escalate, investigate and respond to incidents involving customer information.

The amendments require covered institutions to develop and maintain a written incident response program, broaden the scope of information protected by the safeguards and disposal requirements, impose customer notification obligations, and add more explicit recordkeeping obligations.

What Changed

A Written Incident Response Program: At the center of the amendments is the new requirement that covered institutions develop, implement and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information. The program must include procedures to assess the nature and scope of an incident, identify the systems and information involved, and take appropriate steps to contain and control the event.

Scope Expansion: The SEC broadened the scope of information covered by the safeguards and disposal requirements so that they apply not only to information about a firm’s own customers, but also to nonpublic personal information received from another financial institution about that institution’s customers.

At the same time, the amendments impose more explicit recordkeeping obligations. Covered institutions such as registered investment advisers must maintain written records documenting compliance with the safeguards and disposal requirements, including incident documentation, investigation records, determinations regarding whether notice was required, policies governing service provider oversight and relevant agreements with service providers. In other words, the SEC is not only requiring investment advisers to do more, but also to prove it.

Notification Obligations: Perhaps the most consequential feature of the amendments is the customer notification requirement. Covered institutions generally must notify affected individuals whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization. In most cases, notice must be provided as soon as practicable, but no later than 30 days after the institution becomes aware that the incident occurred or is reasonably likely to have occurred.

A firm may decline to provide notice only if it determines, after a reasonable investigation of the facts and circumstances, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. The exception is narrow, so that determination should be approached cautiously and documented thoroughly, including the facts relied upon and who made the decision.

Service Provider Oversight: Covered institutions must establish, maintain and enforce written policies and procedures reasonably designed to require oversight of service providers, including due diligence and monitoring. Service providers must take appropriate measures to protect customer information and notify the firm of a breach in security as soon as possible, but no later than 72 hours after becoming aware of it. Importantly, the covered institution remains responsible for customer notification, and for the 30-day clock, even where the incident originates with a vendor.

Reg S-P Compliance Timeline

The SEC established a tiered compliance schedule based on firm size. Larger entities had to comply by December 3, 2025, while smaller entities must comply by June 3, 2026. Larger entities include investment companies with at least $1 billion in net assets (together with other investment companies in the same group of related investment companies), SEC-registered investment advisers with at least $1.5 billion in assets under management, and broker-dealers and transfer agents that are not considered small entities for purposes of the Regulatory Flexibility Act.

For investment advisers that have not yet completed implementation work, the remaining window should be treated as a finalization period, not a planning period. Policies, escalation matrices, vendor provisions, tabletop exercises and documentation protocols should already be moving toward a mature state.

What Advisers Should be Doing Now – Focus on Cybersecurity

The most effective response to the Reg S-P amendments is not to treat them as a standalone privacy rule update. They should instead be integrated into the firm’s broader compliance, cybersecurity and operational resilience framework. Given the expanded requirements and compressed timelines, Silver has been working with clients to review and update their cybersecurity policies, incident response programs, vendor oversight practices, and privacy controls to ensure they can detect incidents promptly, protect client and investor data, and demonstrate compliance with the amended rule.

These controls also help firms better protect the broader ecosystem of entities connected to their operations, including portfolio companies, other private funds, and related investment vehicles which often share data, vendors, or technology infrastructure.

Cybersecurity Program – updating a firm’s incident response plan is essential. The amendments reflect the growing importance of strong cybersecurity and privacy practices in protecting client and investor information. As investment advisers increasingly rely on digital systems, cloud services and third-party vendors, maintaining a mature cybersecurity program helps firms safeguard sensitive data, manage operational risk and respond effectively to security incidents.

Vendor Oversight – assessing how client and investor information moves through the organization and through third parties. Requirements that hinge on whether sensitive client or investor information was accessed or used without authorization require firms to know where that data resides, who can access it and which service providers touch it. Firms should also review their vendor due diligence and oversight process to ensure it rises to the level the amendments require, including monitoring of vendors’ cybersecurity programs and contractual provisions that obligate vendors to protect customer information and to report breaches within the 72-hour window.

Notification Procedures – testing the notification decision process is critical. A 30-day outside deadline can become very short very quickly when facts are uncertain, vendors are involved or internal responsibilities are unclear. Tabletop exercises and cross-functional rehearsals can help firms identify bottlenecks before they matter.

Recordkeeping – reviewing recordkeeping practices will help support compliance with the amendments. Under the amendments, documentation is not a “nice to have.” It is part of the compliance obligation itself. If an examiner asks how the firm handled an incident, why it decided notice was or was not required, or how it oversees vendors, the firm should be able to produce that record clearly and promptly.

The Bottom Line

The Reg S-P amendments reflect a broader shift in regulatory expectations: privacy and cybersecurity compliance are no longer judged only by whether an investment adviser has policies and procedures on paper. They are judged by whether the firm can operationalize those policies under pressure, make defensible decisions quickly and show its work after the fact.

For investment advisers, the takeaway is straightforward. Reg S-P now demands a more disciplined approach to incident response, client and investor notification, vendor oversight and documentation. Silver’s Compliance and Cyber Compliance teams are helping clients treat these requirements as part of a broader governance strategy to be in a stronger position not only for compliance, but also for resilience when an incident occurs.

If you are working through Regulation S-P implementation or reassessing your incident response and oversight framework, Silver’s Compliance Team can help. Please reach out to a member of our team or contact us at [email protected].
