SEC Regulation S-P Amendments: Four Critical Changes Investment Advisers Must Implement
On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) adopted major amendments to Regulation S-P which governs the treatment of customers’ non-public personal information by certain financial institutions, including SEC-registered investment advisers (Advisers). The amendments introduce new requirements for creating an incident response program to address unauthorized access to or use of customer information, overseeing service providers with access to customer information, notifying clients of data breaches, and maintaining recordkeeping.
The effective date was August 2, 2024, with staggered compliance deadlines for “larger” vs. “smaller” covered institutions.
- “Large” covered institutions, including SEC-registered investment advisers with $1.5 billion or more in assets under management, have until December 3, 2025, to comply.
- “Small” covered institutions, including SEC-registered investment advisers with less than $1.5 billion in assets under management, have until June 3, 2026, to comply.
Key Changes
The SEC’s amendments to Regulation S-P mark a significant shift in how Advisers must approach data privacy and cybersecurity risk. These updates are designed to strengthen investor protection and ensure firms are better equipped to manage the growing threat of data breaches.
Below is a summary of the key changes Advisers should be aware of:
- Incident Response Program (IRP): Advisers are now required to adopt and maintain written policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The IRP must include procedures to:
  - Assess the nature and scope of the incident, including which systems and data may have been involved
  - Contain the incident to prevent further unauthorized access
  - Reassess notification decisions if new facts emerge
  - Coordinate with service provider oversight (explained below)
- Service Provider Oversight: The IRP must contain provisions that address the use of service providers that receive client information, including third parties such as fund administrators, auditors, and compliance consultants. Advisers’ written policies and procedures should include factors such as performing ongoing due diligence on, and monitoring of, the service providers. The policies should be reasonably designed to ensure that service providers take appropriate measures to protect against unauthorized access and notify the Adviser of an incident no later than 72 hours after becoming aware of a breach of their systems. It is strongly recommended that Advisers identify service providers with access to their client information and amend their contracts to require notification within 72 hours of any data breach.
- Breach Notification: Advisers must provide notice to each affected individual whose sensitive customer information was (or is reasonably likely to have been) accessed or used without authorization within 30 days of becoming aware of the incident. The notification must include a description of the incident, the type of information breached, the date of the breach, contact information where customers can inquire about the breach, recommended actions customers can take, and information about the availability of online guidance.
- Recordkeeping: Advisers must make and maintain written documentation to demonstrate compliance with the amended Reg S-P requirements. Required records include:
  - Copies of the policies and procedures adopted under the amendments
  - Documentation of detected unauthorized access or use
  - Documentation of investigations into whether notice is required, including any decisions to forego notice
  - Copies of any notices provided to customers
  - Documentation of any service provider contracts or agreements undertaken under these rules
How Petra Can Help
The new Regulation S-P requirements demand a coordinated approach across compliance, technology, operations, and vendor management. Petra Funds Group’s Regulatory Compliance team has decades of experience guiding private fund Advisers through complex SEC regulations.
Our team can assist with:
- Assessing existing cybersecurity and data privacy frameworks for alignment with the new standards
- Updating and documenting incident response programs
- Reviewing and amending service provider contracts to meet the 72-hour notification requirement
- Implementing practical recordkeeping solutions to demonstrate compliance
With deep industry knowledge and a hands-on approach, Petra helps Advisers not only meet regulatory requirements but also build stronger, more resilient compliance infrastructures.