On May 16, 2024, the SEC expanded the requirements of Regulation S-P to require covered financial institutions to take additional steps to detect, respond to, and recover from unauthorized access to, or use of, client information. Larger entities, such as Registered Investment Advisers (RIAs) with $1.5 billion or more in assets under management, will have until December 3, 2025, to comply. The compliance deadline for smaller entities is June 3, 2026.
To meet the compliance deadline, advisers should review this list and make sure they have a plan to tackle each of these requirements.
Checklist for Regulation S-P Success: 4 Key Components
- Create or Enhance Your Vendor Management Program: We recommend starting here. The amendments formally establish requirements for covered institutions to adopt policies and procedures regarding due diligence and monitoring of service providers. Under Amended Regulation S-P, policies must be reasonably designed to ensure service providers take appropriate measures to:
  - Protect against unauthorized access to or use of customer information; and
  - Notify the covered institutions they serve within 72 hours of becoming aware of a breach resulting in unauthorized access to a customer information system maintained by the service provider. Upon receipt of such a notification, a covered institution must initiate its incident response program.
Already have a program in place? Chances are you’ll need to expand it, given Amended Regulation S-P’s definition of a service provider, which is very broad and refers to “any entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” It can also include affiliates of a covered institution, so for many advisers, this program will need to be significantly more robust than it has been previously.
Additionally, the 72-hour notice requirement may be challenging, especially for smaller entities. You should begin your review process sooner rather than later and work with service providers to confirm they will provide notice within 72 hours. One way to document this confirmation is through the service provider’s agreement.
- Incident Response Program: Next, make sure you update your policies and procedures to include specifics on your Incident Response Program. Under the adopted amendments, covered institutions will be required to maintain an incident response program. The program must be designed to detect, prevent, respond to, and recover from unauthorized access. Note: Even if you already have an incident response plan in place, you will still need to update your program to comply with the adopted amendments.
- Customer Notification Requirement: Next, covered institutions will be required to notify those whose sensitive information was, or was reasonably likely to have been, accessed or used, within 30 days of an incident. For many firms, particularly smaller firms, this will be a challenge. Take time to formalize the specific steps you would need to take in the event of a breach, and document those in your policies and procedures.
- Recordkeeping and Expansion of Safeguards and Disposal: Make sure you are taking the appropriate steps to maintain written records evidencing compliance with the amended rules. The rules were expanded to include any information maintained by transfer agents. The Books and Records Rule was amended in conjunction with Regulation S-P to add paragraph (25), which includes:
  - Records of written policies and procedures;
  - Written documentation of any detected unauthorized access, any response to, and recovery from such access;
  - Written documentation of any investigation and determination made regarding whether notification is required, including the basis for such determination, as well as any notice transmitted; and
  - Any written contracts or agreements entered into pursuant to the rule.
For RIAs, these records must be maintained for five years, the first two in an easily accessible place.
In addition to being requirements under Amended Regulation S-P, all four of these items are also best practices for an RIA cybersecurity program. If you need assistance meeting these requirements, let us know. We offer full support for the new requirements under Amended Regulation S-P. Our team of regulatory and cybersecurity experts is available to help.