Compliance and Regulatory Alerts | 06-18-25
SEC Adopts Final Reg S-P Amendments for Enhanced Customer Data Protection

The SEC has adopted major amendments to Regulation S-P, marking the first substantial update to its privacy rule since 2000. The final rule, published in the Federal Register on June 3, 2024, requires covered institutions to implement a written incident response program and notify affected individuals of data breaches within 30 days of determining that unauthorized access is reasonably likely to have occurred. These changes reflect the SEC’s growing focus on cybersecurity accountability and consumer protection.
Effective Dates and Compliance Timelines
Registered Investment Advisers (RIAs), along with broker-dealers, investment companies, and transfer agents, are considered “covered institutions” under the amended rule. For RIAs specifically, the SEC has introduced a new compliance mandate: firms with $1.5 billion or more in assets under management as of the most recent fiscal year-end will be categorized as large entities and must comply with the new requirements by December 3, 2025 (18 months from the publication date). RIAs below this threshold will be considered small entities and will have until June 3, 2026 to comply (24 months).
What Should Firms Do Now?
Firms are encouraged to begin reviewing and updating their cybersecurity and privacy programs immediately, especially if they have not yet implemented a comprehensive vendor management framework. Recommended first steps include:
- Review incident response protocols to ensure they align with new regulatory expectations.
- Assess current vendor oversight for potential risks related to third-party data access.
- Develop notification templates and breach playbooks to streamline communication in the event of an incident.
- Train personnel on new breach reporting obligations and data handling procedures.
How Bates Group Helps
Bates Group’s Compliance team offers deep expertise in designing tailored compliance frameworks for RIAs. Whether your firm is navigating the 18- or 24-month compliance timeline, we can help you evaluate current protocols and align your practices with regulatory expectations.
To discuss your firm’s strategy or to schedule a readiness consultation, please contact us today.
