
Regulatory Preparedness 2025: Amended Reg S-P

Despite industry efforts to delay Amended Regulation S-P, industry experts believe the SEC is unlikely to postpone it. Given the impending deadlines (Dec. 3, 2025, for larger entities and June 3, 2026, for smaller entities), advisers should work diligently to meet the quickly approaching compliance dates.

Review the details on compliance deadlines and key requirements below to ensure you are prepared to comply.

Reg S-P

The amendments to Reg S-P treat Registered Investment Advisers (“RIAs”) as “covered institutions” under the rule. As covered institutions, RIAs need to develop the following to comply by December 3rd, 2025 (for larger entities with $1.5 billion or more in assets under management), or June 3rd, 2026 (for smaller entities managing less than $1.5 billion):

  • Vendor Management Program:
    • Expansive policies and procedures to complete vendor due diligence and ongoing monitoring beyond current due diligence expectations.
    • A new 72-hour notice requirement – Service providers must notify RIAs within 72 hours of becoming aware of a breach resulting in unauthorized access to a customer information system maintained by the vendor.
    • RIAs may need new agreements or assurances from service providers that notification will be given within the required 72-hour time frame.
    • RIAs must implement an incident response plan upon receipt of a notification of such a breach.

Existing vendor due diligence policies and procedures will lack the new 72-hour notification requirement and updated definition of a service provider. Older service provider agreements will lack the notification requirement too, which may mean addendums or revisions to existing agreements ahead of the compliance deadline.

  • Incident Response Program:
    • RIAs must maintain an incident response program.
    • The program must be designed to detect, respond to, and recover from unauthorized access to or use of client information, and to prevent further unauthorized use.

Even if you have an incident response plan in place, you will still need to update your program to comply with the amendments to Reg S-P, especially as they relate to the 72-hour service provider notification time frame and the 30-day customer notification requirement.

  • Customer Notification Requirement:
    • RIAs are required to notify those whose sensitive information was, or is reasonably likely to have been, accessed or used.
    • RIAs must provide this required notice to customers within 30 days.

Policies and procedures are needed for this new requirement. Even if an RIA determines that a given breach did not reveal sensitive information, the procedure for making that determination must be in place, and a record of the determination that notification was not needed must be maintained.

  • Expansion of Safeguards and Disposal Rules (including written records):
    • The amendments expand the safeguards and disposal rules to cover nonpublic personal information that an RIA obtains about its own clients and nonpublic personal information received from other financial institutions about clients of that institution.
    • Written documentation is needed for any detected unauthorized access, as well as for any response to, and recovery from, such access.
    • Any investigation and determination made regarding whether notification is required, including the basis for such determination, as well as any notice transmitted, must also be documented.

These records are needed in addition to any written contracts or agreements entered into pursuant to the rule. For RIAs, these records must be maintained for five years, the first two years in an easily accessible place.

Start Now

Time is ticking, particularly for larger advisers who must comply by Dec. 3, 2025. Our Cyber team offers full support for every aspect of Amended Regulation S-P. There is just enough time left for firms to be prepared by the compliance deadlines.