COMPLIANCE ALERT – Reminder: Regulation S-P Amendments
As the final compliance deadline for the amended Regulation S-P quickly approaches, we’re here to help your firm develop and implement thoughtful and practical policies and procedures.
Regulation S-P Amendments
What is it? As an update to our October 2025 Compliance Alert, we wanted to remind firms that the SEC adopted amendments to Regulation S-P, which governs privacy for investment advisers. The amendments aim to fortify existing client data protection obligations, impose formal requirements for service provider oversight, and ensure timely and consistent incident response and notification about data breaches.
What are the compliance deadlines? Larger entities, including registered investment advisers with $1.5 billion or more under management, were required to comply by December 3, 2025. Other investment advisers registered with the U.S. Securities and Exchange Commission are required to comply by June 3, 2026. State-registered investment advisers are not subject to these amendments; however, they remain subject to state privacy and data breach laws.
How do you comply with the amended rule? To ensure a smooth transition, we’re recommending that advisers update their privacy policies and procedures in advance of their respective compliance deadlines. Those policies and procedures should be guided by the adopting release to the amended rule, tailored to your firm’s actual privacy practices, and address the following updated requirements:
- Written Incident Response Plan – Advisers must maintain and implement a documented plan for detecting, responding to, and recovering from data breaches or unauthorized access.
- Client Notification – If “sensitive customer information” is compromised, advisers must generally notify affected clients within 30 days of determining that unauthorized access has occurred.
- Service Provider Oversight – Advisers must take reasonable steps to ensure third-party service providers who manage certain data maintain comparable safeguards and promptly notify the adviser about certain types of security breaches.
- Expanded Safeguard Expectations – The amendments codify specific administrative, technical, and physical safeguards to protect both current and former clients’ information.
What are your next steps? If you are a fixed fee client who engaged us to maintain your firm’s policies and procedures manual, rest assured we are already making the necessary adjustments and will be reaching out to you shortly. This is part of our ongoing commitment to keep you ahead of the regulatory curve.
Other firms can reach out to their primary contact at RIA Lawyers or email us at [email protected] if they need any help navigating these requirements.
