The U.S. Securities and Exchange Commission's (SEC's) May 2024 amendments to Regulation S-P established concrete, near-term compliance deadlines for registered investment advisers (RIAs) to adopt, implement, and maintain written policies and procedures establishing an incident response program in relation to unauthorized access to or use of customer information. These changes modernize safeguarding obligations and create a federal baseline for incident response and breach notification. With the first deadline on December 3, 2025, large RIAs should now be in the final stages of ensuring compliance.
The Immediate Priority: Incident Response Program
Per the amendments, RIAs must adopt, implement, and maintain written policies and procedures that establish an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. At a minimum, the program must:
(1) assess the nature and scope of any incident and affected systems/data;
(2) take steps to contain and control the incident; and
(3) provide customer notification where "sensitive customer information" was, or is reasonably likely to have been, accessed or used without authorization.
Notice must be provided as soon as practicable and no later than 30 days after awareness, subject to limited delay for public safety or national security.
Oversight and Expanded Scope
The amendments require policies and procedures reasonably designed to oversee service providers, including due diligence and monitoring to ensure they protect customer information and notify the adviser as soon as possible, but no later than 72 hours, after becoming aware of a security breach involving a customer information system they maintain. The rule also harmonizes and broadens the scope of the Safeguards and Disposal Rules by applying protections to "customer information" relating both to an adviser's own customers and to customers of other financial institutions whose information the adviser receives or maintains.
Recordkeeping and Annual Privacy Notice Alignment
RIAs must maintain written records evidencing compliance with the amended Safeguards and Disposal Rules, generally for five years (the first two in an easily accessible place). The amendments also codify the statutory exception to the annual privacy notice requirement if specific conditions are met.
Compliance Deadlines for RIAs
The nearest deadline is fast approaching. RIAs with $1.5 billion or more in assets under management must comply by December 3, 2025. RIAs with less than $1.5 billion in assets under management must comply by June 3, 2026.
What To Do Now—Ahead of December 3
Advisers should finalize governance, technical, and contractual controls with the incident response program at the center. Priority actions include integrating assessment, containment, and notification workflows into written policies; mapping the systems that hold "customer information" (including data received from third parties); updating vendor due diligence, breach reporting, and 72-hour notification expectations; and testing incident playbooks against the SEC's 30-day notice standard alongside applicable state laws.
Bottom line: the amendments turn prior best practices into enforceable obligations. With the December 3, 2025 compliance date imminent for large RIAs, timely execution is essential.
If you have questions or would like more information, please contact Justin Senior or another member of Shumaker's Financial Services team.