On September 25, 2025, the SEC held the first of three compliance outreach events regarding Amended Regulation S-P. The first webinar was aimed at larger firms that must comply with these new requirements by December 3, 2025.
During the webinar, SEC staff and examiners focused on the new rule’s requirements and discussed how they might approach new requirements in examinations.
Below are our key takeaways for advisers:
- It’s happening. Although the compliance deadlines for several new rules have been postponed under the Trump administration, Amended Regulation S-P does not appear to be one of them. Advisers, particularly larger advisers (those with $1.5 billion or more in AUM), need to prepare now.
- The scope of “customer information” is broad. Exam staff explained that the expanded definition of “customer information” covers not only nonpublic personal information about the covered institution’s own customers, but also nonpublic personal information about customers of other financial institutions that has been provided to the covered institution.
- Private fund advisers are subject to Amended Regulation S-P. The adopting release makes clear that while private funds themselves are not covered institutions, advisers to private funds are. Private fund advisers, like all advisers, must safeguard all customer information they receive, and the definition is not limited to information about their own clients. If your firm receives an investor’s nonpublic personal information, even if that investor is a customer of another covered institution, your firm is still subject to the rule with respect to that investor’s information.
- There is no flexibility around the 30-day deadline for notifying customers of a breach. The clock runs from the time the firm becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. While there is a provision allowing delayed notice if the United States Attorney General determines that notification poses a risk to national security, most incidents will result in notice being sent within the 30-day period. One SEC staff member recommended treating the 30-day notice requirement as a rebuttable presumption: if all customers could have been affected by the incident, presume notice must be sent to all of them. Only remove customers from the notification list if you can rebut that presumption with documented findings from your internal investigation showing that those specific customers’ information was not affected.
- Covered institutions should expect exams to focus on the requirements of Amended Regulation S-P shortly after the compliance date. Exam staff noted that examinations covering Amended Regulation S-P will build on the cybersecurity programs firms should already have in place under existing industry best practices, such as incident response programs aligned to the NIST Cybersecurity Framework. While they did not provide a specific timeline, exam staff made clear that this is a priority and gave examples of what they will likely request in exams.
- For exams, it all comes back to client data. SEC exam staff will want to confirm that advisers have a clear understanding of where all client data resides, how it is safeguarded, and what controls are in place to protect data and respond in the event of a cyber incident. Advisers would be wise to ensure that:
  - Your incident response program aligns with the NIST Cybersecurity Framework, which is organized around the Identify, Protect, Detect, Respond, and Recover functions.
  - You can produce data mapping showing where customer information resides, how it moves between systems and third parties, and how it is protected at each point.
  - You have reviewed your network in the context of a potential incident. For instance: if your network experiences an incident, do you have a backup network? Will there be a disruption to business operations? Have these backup capabilities been tested? Where is all of this documented?
  - You have recently conducted and documented a risk assessment. The risk assessment should show that the firm has a process in place to identify, assess, and mitigate cyber risks.
What does this mean for me?
Time is ticking, particularly for larger advisers who must comply by December 3, 2025. Advisers need to ensure they have updated policies and procedures in place for each of these new requirements. They must also be able to show that these policies and procedures have been tested and provide evidence that the updates have been fully integrated into current business practices.
Our Cyber team offers full support for every aspect of Amended Regulation S-P. There is just enough time left for firms to be prepared by the compliance deadlines.