September 25, 2025
What Happened?
On September 25, 2025, the SEC held the first of three compliance outreach events regarding Amended Regulation S-P. This first webinar was aimed at larger firms. December 3, 2025, is the compliance deadline for these new requirements for larger entities with $1.5 billion or more in assets under management.
The webinar was divided into two sections: a panel on the history of the regulation and the new rule’s requirements, followed by a second panel on the Division of Examinations’ approach for entities subject to Amended Regulation S-P.
Although examiners who participated in the webinar did not provide specific guidance on when exams would begin to cover Amended Regulation S-P, it’s clear that its requirements are a priority. Advisers should expect exams to cover Amended Regulation S-P shortly after the compliance date.
At the end of the webinar, panelists answered a handful of questions on the new requirements. Here are a few examples:
Are Private Fund Advisers subject to Reg S-P?
Yes. The adopting release makes it clear that while private funds themselves are not covered institutions, advisers to private funds are. Private fund advisers, like all advisers, will have to safeguard customer information they receive. Customer information is nonpublic personal information of a consumer who has a customer relationship with a covered institution. This includes information from customers that are not yours. If your firm receives an investor’s nonpublic information, even if that investor is a customer of another covered institution, then your firm is still subject to the rule for that information.
Is there flexibility around the 30-day deadline for notifying customers of a breach?
No. While there is a provision on delayed notice if the United States Attorney General determines that the notice poses a national security risk, most incidents will result in notice being sent within the 30-day period. One SEC staff member recommended thinking of the 30-day notice requirement as a rebuttable presumption. If all customers could be impacted by the incident, presume notice needs to be sent to all of them and only remove customers from the list if you can rebut that presumption with findings from your internal investigation.
How will the Division of Examinations conduct initial examinations on Reg S-P?
The panelists pointed to two things: (1) policies and procedures, and (2) validation that those policies and procedures are being followed.
What does this mean for me?
This is happening. The new administration has delayed many compliance deadlines this year, but the Reg S-P deadline is staying put.
Time is ticking, particularly for larger advisers who must comply by Dec. 3, 2025. The new requirements will take time to implement, so if you have not already started preparing, do so now. Our Cyber team offers full support for every aspect of Amended Regulation S-P. If you have questions or need help complying, let us know.