Regulation S-P Compliance Deadlines Are Approaching: What RIAs Must Have in Place


In 2024, the U.S. Securities and Exchange Commission (SEC) adopted the most significant amendments in years to Regulation S-P (Privacy of Consumer Financial Information). These changes materially expand what Registered Investment Advisers (RIAs) and financial advisors must do to protect client data.

The message is clear: incident response and data protection are no longer general best practices. They are explicit regulatory requirements.

The 3 Core Requirements RIAs Must Meet

Under the amended Regulation S-P, RIAs must:

  1. Maintain a written incident response program.
  2. Be able to demonstrate and produce that program during an SEC examination.
  3. Implement policies to ensure service providers promptly notify the firm if customer information is compromised.

This represents a shift from policy-based privacy language to operational cybersecurity accountability.


What Changed in the 2024 Amendments

1. Broader Definition of “Customer Information”

The rule now applies to nonpublic personal information about any customer — including information received from other financial institutions — not just your direct advisory clients.

2. Required Written Incident Response Program

RIAs must adopt and implement written policies and procedures reasonably designed to:

  • Detect unauthorized access to customer information
  • Respond to security incidents
  • Recover from data events
  • Prevent further unauthorized access

This must be formal, documented, and operational.

3. Mandatory 30-Day Client Notification

If sensitive customer information is accessed or reasonably likely to have been accessed without authorization, RIAs must notify affected individuals as soon as practicable, but no later than 30 days after becoming aware of the incident, subject to limited exceptions.

4. Service Provider Oversight

RIAs must adopt written policies and procedures reasonably designed to ensure that service providers with access to customer information:

  • Maintain appropriate safeguards
  • Notify the RIA as soon as possible after becoming aware of a breach

Many firms operationalize this requirement contractually using defined reporting timelines (often 72 hours), although the rule itself requires prompt notification rather than a specific hourly threshold.

5. Expanded Recordkeeping

Firms must maintain documentation demonstrating compliance with safeguards, incident response procedures, breach notifications, service provider oversight, and disposal policies.

Compliance Deadlines

Although the amendments are effective, compliance is phased based on firm size:

  • Larger RIAs (≥ $1.5 billion AUM): December 3, 2025
  • Smaller RIAs (< $1.5 billion AUM): June 3, 2026

If your firm is under $1.5 billion in AUM, full compliance must be achieved by June 3, 2026.

What SEC Examiners Will Expect to See

During an examination, your RIA should be prepared to produce:

  • A written incident response program
  • Documentation of vendor oversight procedures
  • Evidence of breach notification decision processes
  • Testing and revision history records
  • Proof that safeguards are reasonably designed and operational

This is no longer about having a generic cybersecurity policy. It is about demonstrating structured, documented IT compliance.

Bottom Line for RIAs

The 2024 amendments to Regulation S-P represent the most significant changes in decades.

They require:

  • A written incident response program
  • Demonstrable compliance documentation
  • Prompt vendor breach notification procedures
  • 30-day client notification timelines

Deadlines:

  • December 3, 2025 – Larger RIAs
  • June 3, 2026 – Smaller RIAs

If your incident response documentation has not been formally updated, now is the time to act.

How RIA WorkSpace Supports Regulation S-P Compliance

RIA WorkSpace specializes in managed IT services and security support for RIAs.

We help firms implement:

  • SEC-aligned incident response programs
  • Vendor oversight documentation frameworks
  • Microsoft-based security controls aligned to written policies
  • Ongoing testing and review processes

If you would like to review your firm’s readiness ahead of the 2026 compliance deadline, schedule a discussion with our team.
