Regulation S-P Amendments Compliance Date Approaching: Prompt Action Required

Client Alerts | November 26, 2025 | Hedge Funds | Investment Management | Private Capital

On May 16, 2024, the SEC adopted amendments to Regulation S-P (the “Amendments”) and significantly overhauled customer data protection by enhancing protections for sensitive data of customers of certain financial institutions, including registered investment advisers. Registered investment advisers with $1.5 billion or more in assets under management (“Larger RIAs”) are required to comply with the Amendments by December 3, 2025, and all other registered investment advisers (“Smaller RIAs,” collectively with Larger RIAs, “RIAs”) must comply with the Amendments by June 3, 2026.

BACKGROUND

Regulation S-P was first adopted in 2000 to carry out the privacy requirements of the Gramm-Leach-Bliley Act (“GLBA”). At the time, the rule required financial institutions to adopt written policies and procedures dealing with the safeguard and disposal of “customer information,” and to deliver annual privacy notices. The original rule stopped short of prescribing a detailed incident-response program and, notably, applied inconsistent definitions of covered information across the “safeguards” and “disposal” rules.

The Amendments close those gaps and bring the rule in line with today’s operational environment for RIAs, which is marked by heightened cybersecurity risks, widespread outsourcing and broader sharing of investor and portfolio-company data. RIAs are now expected to maintain clear documentation of vendor oversight and recordkeeping so that examiners can assess how a firm detects incidents, escalates internally, decides on customer notices and adjusts its controls.

WHAT CHANGED

  • Broader Definition of Protected Data. “Customer information” now covers customer information in an RIA’s possession or that is handled or maintained on the RIA’s behalf, regardless of whether such information pertains to (a) individuals with whom the RIA has a customer relationship or (b) the customers of other financial institutions where such information has been provided to the RIA.
    • This means RIAs must now inventory not just their direct investor/customer data, but also any data they receive from other firms, such as investor information from placement agents or third-party feeder funds.
  • Mandatory Incident-Response Program. RIAs must now maintain policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information.
    • For most Smaller RIAs, this may mean formalizing what may currently exist as ad-hoc procedures into a documented, partner- or senior management-approved plan that can be produced immediately during an SEC examination.
  • 30-Day Customer Notification Clock. RIAs must provide clear and conspicuous written notice to each “affected individual” (with nuances set forth in the Amendments) as soon as practicable, but not later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
    • Notice is required if the incident involved sensitive customer information, unless, after a reasonable investigation, the RIA determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
    • The 30‑day period runs from the RIA’s awareness of unauthorized access to or use of customer information, not from completion of the investigation. RIAs therefore need clear internal escalation procedures to engage decision‑makers immediately.
  • Service-Provider Oversight. RIAs are now required to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including due diligence and monitoring, of service providers (including affiliates) to ensure appropriate measures to protect against unauthorized access to or use of customer information. Such policies and procedures must also be reasonably designed to ensure service providers take appropriate measures to provide notification to the RIA as soon as possible, but no later than 72 hours after the service provider becomes aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.
    • A service provider may send individual notices on the RIA’s behalf under the incident‑response program, but the RIA remains ultimately responsible for ensuring compliant notice.
    • This burdensome requirement will arguably be the heaviest lift for RIAs, especially Smaller RIAs, which often rely heavily on outsourced providers (e.g., fund administrators, outsourced compliance and IT consultants, outsourced operations functions). RIAs can expect such service providers to resist agreeing to a 72-hour contractual time commitment to provide notice of a breach.
  • Recordkeeping. RIAs must keep, for five years (and in an easily accessible place, for the first two years), copies of policies and procedures; documentation of each detected unauthorized access to or use of customer information and related response and recovery; the basis for any “no‑notice” determination; copies of any notices provided; any written documentation from the U.S. Attorney General related to delayed notice; and service‑provider oversight materials. Note that registered funds and certain other affiliates are subject to different retention periods under their respective rules.
    • The requirement to document the basis for a “no-notice” determination is a critical compliance point. Examiners will likely scrutinize these records closely. Building a standard incident‑file index that captures escalation timelines, forensic findings, counsel analyses and determinations will facilitate examinations.
  • Annual Privacy Notice Relief. RIAs that share nonpublic personal information only under existing GLBA exceptions and have not changed their practices since the last notice may rely on a new codified exception from annual privacy-notice delivery. This is a welcome change that can reduce administrative burden, but firms must first confirm and document their eligibility for the exception.

RECOMMENDED NEXT STEPS AND ACTION ITEMS

To prepare, RIAs should immediately conduct a comprehensive gap analysis, benchmarking current cybersecurity policies, incident-response playbooks, and privacy notices against the new requirements, and mapping data flows to identify all “customer information,” including data received from other financial institutions.

  • Revisit your written policies and procedures to ensure compliance and integrate a documented incident-response procedure with clear escalation protocols, management reporting lines, and individual‑notice templates.
    • Notice templates should meet the rule’s requirements for clear and conspicuous written notice provided by a means reasonably designed to ensure actual receipt, and should include the rule’s mandatory elements, including a description of the incident and the date or date range, the categories of data involved, steps individuals can take to protect themselves and contact information for the RIA or designated support, among other required elements.
  • Inventory all service providers who touch “customer information” and review their existing contracts for obligations that operationalize policy requirements, including escalation “as soon as possible, but no later than 72 hours after” the service provider becomes aware of a qualifying breach resulting in unauthorized access to a customer information system.
    • Although not strictly required by the Amendments, RIAs may seek to negotiate addenda that require safeguards consistent with the RIA’s program, prompt breach notification (within 72 hours), cooperation in investigations, and clear allocation of customer-notice responsibilities and costs.
    • Where a service provider does not respond to outreach and/or declines to negotiate its contracts, the RIA should document the non-response, maintain a contemporaneous record of negotiations and implement layered mitigations while continuing to pursue enforceable commitments. For example, an RIA could implement a follow-up schedule, such as sending an annual negative-consent acknowledgement requesting confirmation of continued compliance and disclosure of any material changes. Retain records of such ongoing outreach and any responses in the event of an examination.
    • If a timing shortfall occurs, a robust record that an RIA attempted to avoid such a shortfall by actively negotiating with a vendor while also periodically reminding such vendor of the RIA’s obligations under the Amendments may improve its exam posture.
    • In all cases an RIA must have a record that it followed procedures reasonably designed for the oversight, due diligence and monitoring of service providers in line with the requirements of the Amendments, including the 72-hour notification requirement.
  • Going forward, testing, validation and training are critical for any incident-response program.
    • RIAs would be well-advised to conduct at least one live simulation or tabletop exercise before or promptly after the compliance deadline to validate readiness, escalation paths and the 30‑day timetable.
    • Anyone who might receive a phishing email or a call from a service provider about an issue should receive training to ensure they know how and when to escalate internally.

Please contact a Kleinberg Kaplan attorney if you have any questions regarding these compliance requirements or the Amendments more generally.