
The Rundown
If you’re a registered investment adviser (RIA), you are (or will soon be) subject to new regulations from the SEC focused on keeping customer information secure. Regulation S-P requires firms to have an incident response plan (IRP) and a notification process for breaches involving customer data.
Originally adopted by the SEC in 2000, Regulation S-P, or simply Reg S-P, added requirements for registered investment advisers (RIAs) regarding the privacy and safeguarding of customer information. The 2024 amendment to Reg S-P provides additional requirements to ensure that RIAs take proper measures to protect sensitive data and to notify customers promptly in the event of a breach.
Following Reg S-P’s June 2024 update, RIAs with over $1.5 billion AUM were given 18 months to comply (due December 3, 2025). RIAs with under $1.5 billion AUM have 24 months to comply (due June 3, 2026).
You can view complete information, including a fact sheet and the full text of Reg S-P, on the SEC’s website. The SEC also hosted an educational webinar for small firms in early 2026.
Historically, the SEC has used vague language for most requirements, giving SEC examiners more flexibility during enforcement. Reg S-P breaks from this tradition. Though there is still some ambiguity, it mentions specific elements that make it easier to understand the SEC’s expectations.
SEC examiners are looking for written policies and procedures that assess the nature and scope of an incident; take steps to contain and control an incident; and provide notice to affected individuals.
From a practical standpoint, we’ve identified four key actions that RIA firms should complete to comply with Reg S-P:
Reg S-P codifies the need for a formal incident response plan to detect, respond to, and recover from cybersecurity incidents. In other words, an IRP records the precautions you’re taking to stay safe and lays out your game plan for what to do when something goes wrong.
Your IRP should cover:
As part of a comprehensive IRP, you’ll need to document risks to your firm’s operations. This can be formatted as a table, a written report, or a risk register.
Though the SEC does not require firms to follow a specific framework, the general wisdom (and the implication of the SEC's own resources) is that following any common framework is a good idea. Widely adopted cybersecurity frameworks include NIST CSF, ISO 27001, and CIS Controls.
Regardless of the format or framework you use, at a minimum, you should document all risks (large and small) and evaluate these factors for each:
For Reg S-P compliance, simply having an IRP isn’t enough; the SEC expects you to do more than kick the tires. SEC examiners will want to see evidence that your organization is actually capable of carrying out the actions outlined in your response plan.
The most common way to test your policy for gaps is through a tabletop exercise, allowing the team outlined in your IRP to do a dry run of responding to an incident. During a tabletop exercise, a facilitator presents a disruptive scenario, such as a ransomware attack. Team members role-play how they would inform stakeholders, contain the incident, and recover from the scenario, using IRP documentation as a guide.
Tabletop exercises can highlight process gaps, knowledge gaps, and unintended consequences of response actions. After the exercise, facilitators grade the results and provide feedback for improvement. To learn more about tabletop exercises, read our explainer Understanding Tabletop Exercises.
Under Reg S-P, advisers must notify individuals as soon as is practicable, and no later than 30 days, if sensitive customer information has been accessed or used without authorization. RIAs must have a documented process for drafting communications, gathering contact information, and alerting impacted individuals. These notices should include details about the incident, the data accessed, and how individuals can protect themselves.
As defined by the Code of Federal Regulations, sensitive customer information means any customer information that could “create a reasonably likely risk of substantial harm or inconvenience” for the associated individual. Examples include Social Security numbers, driver’s license numbers, passport numbers, and account numbers or usernames. Refer to 17 CFR 248.30(d)(9) for a complete definition.
If any of your service providers or vendors have access to sensitive information, they are also required to notify you of a security breach within 72 hours. (Once informed, you must still notify customers as soon as is practicable, but no later than 30 days.)
Importantly, Reg S-P provides some leeway in accomplishing this. You don’t necessarily need to sign a separate agreement, though some may prefer to do so. Either way, examiners want to see that your policies and procedures are “reasonably designed” to ensure compliance from vendors. Based on your vendor due diligence, you should feel confident that your service providers are protecting information against unauthorized access and have the means to notify you promptly if something goes wrong.
If they are not already, these considerations should be part of your ongoing vendor due diligence process.
The SEC recommends that RIAs review their policies and procedures continuously. In practice, this means reviewing and updating your IRP and breach notification policy at least once a year. You should also review policies following a breach (to close any gaps discovered during the incident) or a major change to your organization’s structure or staffing (to make sure roles and responsibilities are still correctly assigned).
For many firms, the biggest consequence of non-compliance comes from limited partners (LPs), not the SEC. LPs tend to follow SEC guidance during their due diligence investigations. Failing to live up to what LPs expect to see, regardless of whether the SEC ever examines you, can make it much more difficult to fundraise.
If you are audited by the SEC, receiving an "adverse finding" (being found non-compliant) involves significant fines. Beyond the monetary implications, adverse findings are a huge headache: the admin alone can eat up weeks of time and energy. In the long term, failing an examination makes you more likely to be examined again. Because results are public record, non-compliance can also damage your reputation, both individually and as a firm.
First, see what you have in place already. Maybe you started an IRP, but never finished it. Maybe you have a customer notification process, but it hasn’t been reviewed in two years. Or, the best-case scenario: you already have the policies you need, your heart rate can go back to normal, and you can stop reading this article. (Thanks for reading this far!)
If there are gaps, work to close them:
How Outpost Can Help
If you want a little backup getting Reg S-P-ready, we’re ready to tag in. The Outpost team can create and review policies, carry out risk assessments, and guide remediation planning. We also facilitate tabletop exercises for incident response, business continuity, and disaster recovery planning.