On May 16, 2024, the SEC adopted significant amendments to Regulation S-P[1] that changed sensitive customer data protection requirements for certain financial institutions, including all registered investment advisers (RIAs)[2]. These new requirements strengthen how RIAs manage, respond to, and report incidents involving sensitive customer information.
Who Is Affected?
- Larger RIAs ($1.5 billion+ AUM): Must comply by Dec. 3, 2025
- Smaller RIAs (below $1.5 billion AUM): Must comply by June 3, 2026
Key Changes/Considerations
Broader Definition of Protected Data
“Customer information” now includes all client data in the RIA’s possession or handled by third parties on the RIA’s behalf—even if the data originated with another firm. RIAs must therefore track not only data received directly from investors but also information received from third-party sources, such as placement agents, feeder funds, or fund administrators.
Mandatory Incident-Response Program
RIAs must implement written policies reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information. The incident response program must include procedures to assess the nature and scope of any such incident and to take appropriate steps to contain and control such incidents to prevent further unauthorized access or use.
30-Day Customer Notification Rule
RIAs are required to notify affected individuals in writing as soon as practicable, but no later than 30 days after discovering unauthorized access or use of sensitive customer information, unless they reasonably determine that no substantial harm or inconvenience will result. The notification clock starts upon discovery, not at the end of the investigation.
Service Provider Oversight
In the spirit that “one can delegate authority but not responsibility”, RIAs must establish policies for the oversight of vendors (including affiliates), including due diligence and monitoring. Service providers must agree to notify the RIA in writing as soon as practicable, but no later than 72 hours after discovering a breach involving customer information. Although the last item may involve difficult negotiations with service providers, RIAs remain responsible for ensuring these notifications are made and for informing clients as required.
Enhanced Recordkeeping
RIAs must maintain detailed records of policies, incident responses, notification decisions, service provider oversight, and related correspondence for five years, and keep them in an easily accessible place for the first two years.
Annual Privacy Notice Relief
RIAs that share nonpublic personal information only under existing exceptions and have not changed practices may rely on a new exception from annual privacy notices, after confirming eligibility.
Action Steps
For smaller RIAs with a June 3, 2026, compliance date, the following action steps can help you implement (or finalize) your updated Regulation S-P program.
- Update and formalize written procedures, escalation paths, and client notification templates. As part of this work, conduct a gap analysis of current cybersecurity and incident response policies to identify any required changes, updates, or new policies.
- Identify and review contracts with all service providers that receive customer information to ensure compliance with the new rules, and add protective and notification clauses to service provider contracts. Document the results of such discussions and/or negotiations with each vendor.
- Enhance documentation of all outreach and responses, and keep records for compliance examinations.
- Train staff on incident response protocols and escalation procedures.
- Consider potential responses in advance, i.e., plan and conduct a live simulation or tabletop exercise before your compliance deadline to ensure readiness.
For further guidance on these changes or support with compliance, please contact your CBIZ advisor.
[1] Regulation S-P was first adopted in 2000 to carry out the privacy requirements of the Gramm-Leach-Bliley Act.
[2] The rule amendments also apply to broker-dealers, investment companies, funding portals, and transfer agents registered with the SEC or another appropriate regulatory agency.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.