The compliance deadlines for the SEC’s amendments to Regulation S-P, adopted on May 15, 2024, are approaching. For investment advisers with $1.5 billion or more in assets under management, the compliance deadline is December 3, 2025. Advisers with fewer than $1.5 billion in AUM have six more months, with a compliance deadline of June 3, 2026.
Critically, Reg S-P now requires RIAs to notify clients in the event of certain data breaches. Under the amended rule, RIAs must notify clients of any event that could endanger their personal data, unless the RIA has determined, after reasonable investigation, that sensitive client information has not been, and is not reasonably likely to be, used for substantial harm or inconvenience. Such notice must be sent as soon as practicable, and no later than 30 days after learning of the breach, to any affected or potentially affected clients. If the RIA cannot identify which clients may be affected, the RIA must notify all of its clients. Substantively, any such notification must:
- Describe the breach and the type of client information that was or is reasonably believed to have been affected by the breach;
- Describe what has been done to protect client information from further breach;
- Include, if known, any of the following: the breach’s date, estimated date, or date range;
- Include contact information for affected clients to ask the RIA for information and help regarding the breach, including the following: a phone number, an email address, a mailing address, and the name of a specific office to contact;
- Recommend that the client review account statements and immediately report any suspicious activity to the RIA;
- Explain fraud alerts and how clients may place them in their credit reports to notify creditors of potential fraud;
- Recommend that clients regularly check credit reports from the major reporting agencies and delete information connected to fraudulent transactions;
- Explain how clients can get free credit reports; and
- Include information about the Federal Trade Commission (FTC) and online guidance from usa.gov about how clients can protect against identity theft, a statement encouraging clients to report any incidents of identity theft to the FTC, and the FTC’s website address where clients can get government information about identity theft and report suspected identity theft.
At a September 25th, 2025 compliance outreach session, the SEC highlighted the Commission’s remaining points of emphasis in an examination. First, the SEC will be concerned with network security. Next, the SEC will be interested in reviewing the channels the RIA uses to transfer data. Specifically, the Commission will be looking at security when the RIA transfers data into and out of its network.
Examiners recommend using a risk matrix and also recommend that advisers “go a little bit deeper” with their risk assessment than simple low, medium, or high designations. Lastly, SEC examiners stressed the need for heightened requirements for monitoring third-party service providers. Examiners also emphasized ensuring that third-party service providers can detect a breach and notify the RIA of it within 72 hours.
Finally, the SEC reiterated the importance of documenting each procedure, process, and precaution implemented by the adviser, as well as all decisions and actions taken in the notification process.
Any SEC-registered RIA should consult experienced legal counsel to ensure compliance with the amended Reg S-P before their compliance deadline.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including compliance with federal and state laws and rules. Please visit our website for more information.