Protecting Investor Data Under the Updated Regulation S-P

What changed, what it means, and what we’re doing together

Why this matters now

The SEC’s amendments to Regulation S-P expand what firms must do to detect, respond to, and recover from any unauthorized access to customer information—and to notify affected individuals promptly.

What’s new at a glance

  • Incident Response Program (IRP). Covered institutions must maintain written policies and procedures to detect, respond to, and recover from incidents involving customer information, whether that information is held directly by the firm or by its service providers.
  • Customer Notification. If sensitive customer information was—or is reasonably likely to have been—accessed or used without authorization, firms must notify each affected individual. “Sensitive” includes items like SSNs, driver’s licenses, biometrics, and certain account identifiers when combined with security data.
  • Timing. Notices must be sent as soon as practicable and no later than 30 days after the firm becomes aware of an incident, with limited exceptions.
  • Rebuttable presumption. Notice is presumed required unless a reasonable investigation shows the data has not been and is not reasonably likely to be used in a way that would cause substantial harm or inconvenience—determined within the 30-day window.
  • If scope is unclear. When a firm can’t determine exactly which individuals were affected, it must notify all individuals whose sensitive data resides in the impacted system (unless it reasonably determines a given individual’s data wasn’t accessed).
  • Attorney General delay. The U.S. Attorney General (DOJ) can request a delay on national security or public safety grounds, during which customer notices may be postponed.
  • Service providers. Providers must notify the covered institution as soon as possible, but no later than 72 hours after becoming aware of a breach of a customer information system they maintain; firms may contract for providers to send customer notices, but ultimate responsibility stays with the firm.

How we’re helping investment advisers comply

1) Build and tune a fit-for-purpose Incident Response Program

We align your IRP to the lifecycle regulators expect: identify (assets/data), protect (controls), detect (monitoring/logging), respond, and recover—drawing on industry frameworks (e.g., NIST) as guides, not prescriptions.

What this looks like in practice

  • Clear playbooks for triage, containment, forensics, notification decisioning, and recovery.
  • Data mapping across CRM, email, endpoints, cloud, and vendor environments, so the firm can quickly determine who is affected and meet the 30-day clock.
  • Monitoring/log aggregation (e.g., SIEM) to support timely detection and investigation.

2) Operationalize the 30-day notification standard

We implement workflows to:

  • Start the 30-day clock when the firm becomes aware an incident has occurred or is reasonably likely to have occurred.
  • Apply the rebuttable presumption standard and document the reasonable investigation that could rebut it; when inconclusive, notify the broader potentially affected population per the rule.
  • Prepare customer notice content (incident details, data involved, protective steps) in advance.

3) Strengthen third-party oversight and breach intake

Advisers can’t outsource responsibility. We help build written policies and procedures requiring oversight of service providers—including due diligence, ongoing monitoring, breach detection expectations, 72-hour provider-to-firm notifications, and (where agreed) provider-issued customer notices.

Key controls we implement

  • Contract clauses for security, breach notification timing, cooperation, and record retention.
  • Evidence-based assurance (independent attestations/certifications) instead of relying solely on vendor representations.

4) Recordkeeping and evidence

We operationalize retention of: IR policies/procedures (including disposal), detection and response artifacts, customer notices (or determinations that notice wasn’t required), any Attorney General delay letters, and records of provider-issued notices on the firm’s behalf.

5) Training and table-top testing

We run targeted trainings so officers and staff understand roles and the new timing standards, and we conduct exercises to validate that procedures work end-to-end.

What investors can expect if something happens

  • Timely notice (≤30 days) with clear details on what occurred, what information was involved, and steps you can take.
  • In rare cases, law-enforcement-requested delay to protect national security or public safety.

Special notes for private fund advisers

Registered investment advisers—including RIAs to private funds—are covered institutions under Reg S-P. Safeguarding obligations can extend to customer information received from other financial institutions even without a direct firm-to-individual customer relationship.

What exam teams are focusing on (and how we prepare you)

SEC examiners tailor scope to your services and data flows across on-prem, cloud, vendors, and partners, looking for evidence that policies match practice. We prepare you for the initial information request, walkthroughs/testing, and documentation of your risk program, controls, and IRP.

Action checklist (we’ll drive this with you)

  1. Finalize IRP and run a table-top that exercises the 30-day clock and notification decision tree.
  2. Complete data mapping across CRM, email, endpoints, cloud, and providers.
  3. Update vendor governance: contracts, 72-hour intake, evidence/attestations.
  4. Pre-draft customer notice templates and internal decision records.
  5. Train staff on roles/responsibilities and escalation paths.