December 3, 2025 Deadline Approaching for Large Registered Investment Advisers to Comply with Amendments to Regulation S-P | Foley Hoag LLP

Key Takeaways:

  • “Large” covered institutions (including SEC registered investment advisers with $1.5 billion or more in assets under management) have until December 3, 2025 to comply.
  • “Small” covered institutions (including SEC registered investment advisers with less than $1.5 billion in assets under management) have until June 3, 2026 to comply.

Overview

On May 15, 2024, the Securities and Exchange Commission (SEC) adopted major amendments (Reg S-P Amendments) to Regulation S-P, which governs the treatment of customers’[1] nonpublic personal information by certain financial institutions, including SEC-registered investment advisers (Adviser). The Reg S-P Amendments implement new requirements relating to the creation of an incident response program to address any unauthorized access to or use of customer information, oversight of service providers that receive or have access to customer information, notification to clients of data breaches, recordkeeping and other matters.

  • “Large” covered institutions (including SEC registered investment advisers with $1.5 billion or more in assets under management) have until December 3, 2025 to comply.
  • “Small” covered institutions (including SEC registered investment advisers with less than $1.5 billion in assets under management) have until June 3, 2026 to comply.

While other new and proposed regulations affecting the Adviser industry have recently been postponed and/or withdrawn, we do not expect that to be the case for the Reg S-P Amendments. The SEC is currently conducting webinars and outreach on the Reg S-P Amendments, and we presume it would not do so if a postponement were contemplated.

Key Changes and Requirements

Mandatory Incident Response Program

The Reg S-P Amendments now require an Adviser to adopt an incident response program that includes written policies and procedures reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information. The program must include procedures for the Adviser to:

  • Assess the nature and scope of any incident and identify the client information systems and types of client information that may have been accessed or used
  • Take appropriate steps to contain and control the incident to prevent further unauthorized access or use[2]

Service Provider Oversight 

The Reg S-P Amendments also introduce new provisions that address the use by Advisers of service providers that receive client information, including third parties and affiliates. Examples of such service providers would include fund administrators and auditors, and in some cases law firms and compliance consultants (depending on the information shared with such service providers). Advisers must engage in due diligence and ongoing monitoring of such service providers and have written policies and procedures relating to the same. The Adviser’s policies and procedures should be reasonably designed to ensure that such service providers take appropriate measures to:

  • Protect against unauthorized access to or use of client information
  • Provide notification to the Adviser of any data breach as soon as possible (but no later than 72 hours after becoming aware that a breach has occurred)

Advisers should undertake a mapping exercise to identify those service providers who receive or have access to their client information. Once those service providers are identified, then the Adviser should seek to amend those service provider contracts to require notification within 72 hours of any data breach (technically a formal contract amendment is not required under the Reg S-P Amendments, but would be best practice), and should conduct (and document) due diligence to ensure that the service providers have appropriate data protection policies and procedures in place. Given the looming deadline, many service providers may already have draft templates for amendments to contracts available for review, and evidence of their approach to data protection.

New Requirement for Notification of Data Breaches

Advisers will now be required to notify affected individuals whose sensitive customer information (a defined subset of customer nonpublic personal information) was, or is reasonably likely to have been, accessed or used without authorization. Notice must be given as soon as practicable, but in any event within 30 days of becoming aware of the incident. The notification must include a description of the incident, the type of information breached, the date of the breach, contact information where customers can inquire about the breach, recommended actions affected customers can take (the Reg S-P Amendments mandate that certain recommended actions be included in the notice), and information about the availability of online guidance from the Federal Trade Commission. Notification to the SEC is not required, however. We recommend that Advisers develop a notification template now so they can quickly notify customers if a breach occurs.

Notice is not required if, after a reasonable investigation of the facts and circumstances of the incident, an Adviser determines that sensitive customer information has not been, or is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience to customers (“substantial harm or inconvenience” was not defined by the SEC, and would depend on the particular facts and circumstances surrounding an incident).

Other Amendments

  • The Reg S-P Amendments broaden the definition of “customer information” under Regulation S-P’s “safeguards rule” and “disposal rule” to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form.”
  • Advisers will be required to maintain written records documenting compliance with the “safeguards” and “disposal” rules as amended by the Reg S-P Amendments (i.e., maintaining written records of policies and procedures, as well as notifications sent to affected individuals). All records must be kept for five (5) years, the first two (2) in an easily accessible place.
  • Advisers are now exempt from providing annual privacy notices if they have not changed their privacy policies and only share non-public personal information with non-affiliated third parties when an exception to the third-party opt-out applies. In this respect, the Reg S-P Amendments are intended to align with existing privacy notice delivery requirements of other governmental agencies.

Advisers should be sure to evaluate their recordkeeping practices, and consider the applicability of the new annual privacy notice exception (which we expect will apply to many Advisers).

For more information, please visit Foley Hoag’s 2024 client alert on the amendments to Regulation S-P. The full text of the amended Regulation S-P can be found here.


[1] A customer relationship means a continuing relationship between a consumer and an Adviser under which the Adviser provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. A consumer means an individual (i.e., natural person) who obtains or has obtained a financial product or service from the Adviser that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.

[2] Strategies for containing and controlling an incident will vary depending upon the type of incident and may include, for example, isolating compromised systems or enhancing the monitoring of intruder activities, searching for additional compromised systems, changing system administrator passwords, rotating private keys, and changing or disabling default user accounts and passwords, among other interventions.
