By Mia Gutierrez and Jessica Morgan
In May 2024, the Securities and Exchange Commission (SEC) adopted significant amendments to Regulation S-P (the “Amendments”). These Amendments expand requirements related to safeguarding customer information, incident response, breach notification, service-provider oversight, data-disposal protocols, and recordkeeping. Importantly for our clients, SEC registered investment advisers with at least $1.5 billion in assets under management and all broker-dealers are required to comply as of December 3, 2025.
“Smaller” advisers (those with assets under management below US$1.5 billion) have a compliance deadline of June 3, 2026.
Key Requirements Under the Amendments
Under the revised Regulation S-P, covered advisers must implement the following compliance procedures:
| Area | What’s Required |
| --- | --- |
| Safeguards for Customer Information | Covered advisers must adopt reasonable administrative, technical, and physical safeguards to protect “Customer Information.” Customer Information now includes any record containing nonpublic personal information about a customer of a financial institution, whether collected directly or received from another institution, and regardless of whether the information is in paper or electronic form. |
| Incident Response Program | Covered advisers must maintain a written program reasonably designed to detect, respond to, and recover from unauthorized access to or use of Customer Information, including procedures to assess and contain incidents. |
| Service-Provider Oversight | Advisers must identify all third-party service providers that receive, maintain, or process Customer Information and must establish oversight procedures. Many firms are requesting written acknowledgements from their vendors to confirm compliance with these requirements. |
| Breach Notification/Customer Notification | If an incident occurs, or is reasonably likely to have occurred, involving unauthorized access to or use of “sensitive customer information,” covered advisers must send notice to each affected individual as soon as practicable but no later than 30 days after becoming aware of the incident. The notice must include a description of the incident, the types of information involved, contact information, and recommended steps for the individual. |
| Service-Provider Notification Requirement | Service providers must notify the adviser of unauthorized access or data breaches within 72 hours of becoming aware of such a breach. While the Amendments do not require formal contract amendments, many advisers are reaching out to their service providers to confirm they will comply. |
| Data Disposal/Disposal Rule | Covered advisers must properly dispose of “Consumer Information” (a subset of Customer Information) when it is no longer needed, using reasonable methods such as secure destruction or permanent deletion. |
| Recordkeeping | Covered advisers must maintain written records of policies and procedures, incident reports, notifications to affected individuals, service-provider oversight documentation, and disposal practices. Records must be kept for a period consistent with regulatory expectations. |
| Annual Privacy Notice | Covered advisers must provide annual privacy notices to Customers unless certain exemptions apply. |
Recommended Actions
We recommend that large investment advisers and broker-dealers take the following steps as soon as reasonably possible to ensure compliance with the Amendments:
- Review existing privacy, data security, and vendor oversight policies, and the annual privacy notice.
- Identify all service providers with access to Customer Information.
- Update or draft written policies covering safeguards, incident response, service provider oversight, disposal, and recordkeeping.
- Develop incident response plans and individual notification templates.
- Request written confirmation from service providers regarding their ability to provide 72-hour breach notification.
- Train relevant staff on updated requirements and procedures.
- Maintain detailed documentation of all compliance efforts.
Risks of Non-Compliance
Non-compliance may result in regulatory examinations, enforcement actions, liability risk, and reputational harm. Because the Amendments significantly expand oversight expectations, the SEC is expected to focus on these requirements in future examinations.
Conclusion and Next Steps
The December 3, 2025 compliance deadline is firm for large advisers. Given the breadth and depth of the new requirements, which include policies and procedures, vendor oversight, incident response, notification obligations, and recordkeeping, it is critical that ALL covered advisers begin their compliance efforts immediately and allocate sufficient time and resources to put the changes into practice well in advance of the deadline. Please reach out if you need assistance with implementing any of the recommended actions for compliance.
This client alert is prepared for the general information of our clients and friends. It should not be regarded as legal advice. For additional information, guidance, or clarity regarding these amendments or our recommended next steps, please contact the authors of this alert, any member of our Financial Services & Investment Management Practice Group, or the attorney with whom you normally consult.
Filed under Financial Services, Information Privacy & Security, Legislation & New Laws, Securities