Background

On May 16, 2024, the U.S. Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P that significantly expand the safeguards and privacy requirements applicable to registered investment advisers and other financial institutions. The amendments modernize the rule’s requirements by expanding the types of information covered, requiring incident response programs, establishing customer notification obligations following certain data breaches, and enhancing oversight of service providers.

The compliance dates depend on the size of the adviser:

• Large entities (advisers with $1.5 billion or more in regulatory assets under management (“RAUM”)) must comply by December 3, 2025.
• Small entities (advisers with less than $1.5 billion in RAUM) must comply by June 3, 2026. 

RAUM is measured based on the firm’s most recent fiscal year-end.

Expanded Definition of Customer Information

The amendments broaden the scope of information protected under Regulation S-P. 

Customer information now includes any record containing nonpublic personal information (“NPI”) about a customer, whether in paper, electronic, or other form, that is in the adviser’s possession or handled on its behalf. Importantly, the safeguards and disposal requirements now apply to both: 

• NPI collected directly by the adviser, and
• NPI received from another financial institution.

The rule also provides that information about natural-person investors in private funds is considered customer information.

Sensitive Customer Information

The amendments introduce a new category of protected data known as “sensitive customer information.”

Sensitive customer information refers to customer information that either alone or in conjunction with any other information, could create a reasonable likely risk of substantial harm or inconvenience to an individual identified with the information if it were compromised.

Examples include information that could be used to authenticate an individual’s identity, such as:

• Social Security numbers
• Government-issued identification numbers (driver’s license or passport numbers)
• Taxpayer identification numbers
• Biometric records
• Unique electronic identifiers or routing codes
• Telecommunications identifying information or access device information

Sensitive customer information may also include account identifiers combined with authentication data, such as:

• Account number or username combined with a security code or password
• Account identifiers combined with partial Social Security numbers or other authentication information
• Security questions and answers
• Date of birth, place of birth, or mother’s maiden name

Incident Response Program Requirement

The amendments require advisers to adopt and implement written policies and procedures establishing an incident response program.

The program must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of “customer information.”

As part of the response process, advisers must:

• Assess the nature and scope of the incident
• Identify affected information
• Take steps to contain and control the breach
• Implement measures to prevent future unauthorized access

The rule also emphasizes the importance of proper disposal of customer information, as failure to dispose of data appropriately could trigger breach notification requirements.

Service Provider Oversight

The amendments strengthen oversight requirements of third-party vendors.

A service provider includes any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information in connection with services provided to the adviser.

Advisers must exercise due diligence and ongoing monitoring of service providers.

Service provider agreements or other arrangements should provide reasonable assurance that the vendor:

• Maintains safeguards to protect customer information, and
• Notifies the adviser of a breach as soon as possible, but no later than 72 hours after becoming aware of it. 

Advisers should also maintain documentation of vendor due diligence and monitoring.

Customer Breach Notification Requirement

The amended rule establishes a new requirement for advisers to notify affected individuals following breaches involving sensitive customer information.

Notification must be provided as soon as practicable, but no later than 30 days after the adviser becomes aware of the breach, unless:

• The Attorney General determines notification poses a substantial risk to national security or public safety, or
• A reasonable investigation determines that the information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience (for example, if the data was encrypted).

If the adviser cannot determine which individuals were affected, notice must be provided to all customers whose information may have been compromised.

Service providers may deliver the notification on behalf of the adviser, but the adviser remains responsible for ensuring that the notification requirement is satisfied.

Required Contents of Customer Notifications

Breach notifications must be clear and conspicuous and provided by a means designed to ensure affected individuals can reasonably be expected to receive actual notice in writing.

The notice must include:

• A description of the incident
• The type of sensitive customer information involved
• The date or estimated date or date range of the breach
• Contact information for the adviser

Notices should also:

• Recommend that the individual change account passwords
• Recommend that the individual review account statements and immediately report suspicious activity
• Explain how to place fraud alerts
• Encourage individuals to periodically obtain free credit reports from each nationwide credit reporting company
• Provide information on obtaining a free credit report
• Include guidance from the Federal Trade Commission and USA.gov regarding identity theft and fraud reporting

Recordkeeping Requirements

The amendments impose new recordkeeping obligations related to the safeguards and incident response requirements. Advisers must maintain records documenting:

• Incident response, safeguards, and disposal policies and procedures
• Service provider oversight policies and related documentation
• Any detected incidents involving unauthorized access or use of customer information
• Investigations conducted to determine whether notification is required; the basis for notification determination; and copies of any notices sent
• Contracts or agreements with service providers

These records should document the adviser’s response to, and recovery from, any security incident.

Incident Response and Investigation

Following a suspected breach, advisers should conduct a reasonable investigation. What constitutes a reasonable investigation will depend on the specific facts and circumstances of the incident.

Relevant considerations may include:

• Whether the incident resulted from internal unauthorized access, external intrusion, or a third-party breach
• The method or vector of the attack
• The timeline and duration of the incident
• The specific customer information data involved and at what privilege level
• Whether data was copied, transferred, or retrieved without authorization 

Advisers should document the investigation and maintain evidence supporting any determination regarding whether customer notification is required.

Next Steps for Advisers

In preparation for the upcoming compliance deadlines, advisers should consider taking the following steps:

• Review and update incident response plans to align with the amended Regulation S-P requirements
• Develop or update breach notification templates
• Identify covered service providers and review service provider agreements to incorporate the 72-hour breach notification requirement. Either amend the agreements or obtain reasonable assurance of compliance by the vendor
• Update vendor due diligence and monitoring procedures
• Enhance recordkeeping procedures and retention schedules
• Confirm compliance with privacy notice delivery requirements

This information and definitions are only a summary of the amendments and new requirements of the amended Regulation S-P. Investment Advisers should not rely on this summary for compliance with the rule.

For more information regarding Reg S-P amendments, please contact: info@advisorsolutionsgroup.com