Reminder: Plan for Amended Regulation S-P in 2025 Budget Planning

As we near budget planning season for many firms, large entities in particular (including RIAs with $1.5 billion or more in AUM) should be sure to account for costs that may be associated with complying with Amended Regulation S-P. Compliance with the amendments is required by December 3, 2025, for larger entities and by June 3, 2026, for smaller entities. Although smaller entities have a bit more time to comply, they still may want to consider preparing in 2025, as some of these amendments will take time to implement.

As a reminder, amended Regulation S-P requires covered institutions to have each of the following in place:

  1. Vendor Management Program: The amendments formally establish requirements for covered institutions to adopt policies and procedures regarding due diligence and monitoring of service providers. Note: Service providers have a 72-hour notice requirement to covered institutions.
  2. Incident Response Program: Under the adopted amendments, covered institutions will be required to maintain an incident response program. The program must be designed to detect, respond to, and recover from unauthorized access to or use of client information and prevent unauthorized use. Note: Even if you have an incident response plan in place, you will still need to update your program to comply with the adopted amendments.
  3. Customer Notification Requirement: Covered institutions will be required to notify those whose sensitive information was, or is reasonably likely to have been, accessed or used. Note: Covered institutions have a 30-day notice requirement to customers.
  4. Expansion of Safeguards and Disposal Rules (including written records): The amendments expand the safeguards and disposal rules to cover nonpublic personal information that a covered institution obtains about its own clients and nonpublic personal information received from another financial institution about clients of that institution. Covered institutions (except funding portals) must also maintain written records evidencing compliance with the safeguards and disposal rules.

The finalized amendments (Amended Regulation S-P) specify which entities are considered “larger entities,” as shown in the table below. Smaller entities are the covered institutions that do not meet these standards.

| Entity | Qualification to be Considered a “Large Entity” |
| --- | --- |
| Investment companies together with other investment companies in the same group of related investment companies¹ | Net assets of $1 billion or more as of the end of the most recent fiscal year |
| Registered investment advisers² | $1.5 billion or more in assets under management |
| Broker-dealers³ | All broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act |
| Transfer agents⁴ | All transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act |

For more details on Amended Regulation S-P, you may want to read our previous flash reports, SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information and Amendments to Regulation S-P Published to Federal Register.

If you have any questions, or need guidance on where to start, we can help. Contact us to speak with a regulatory expert.