Large registered investment advisers with $1.5 billion or more in assets under management are reminded that they must comply with the SEC’s recent amendments to Regulation S-P by December 3, 2025. These amendments, adopted in May 2024, impose new requirements for safeguarding customer information, responding to data breaches, and providing timely notice to affected individuals. The changes are part of the SEC’s broader push to modernize data protection standards across the financial industry, with compliance deadlines varying by firm size.

Introduction

The SEC’s amendments to Regulation S-P mark a major shift in how financial institutions are expected to safeguard customer information. Originally adopted in 2000, Regulation S-P was designed to protect the privacy of consumer financial data. In response to evolving cybersecurity threats and increased data breaches, the 2024 amendments modernize the rule by mandating proactive incident response planning, expanding the definition of protected information, and imposing stricter obligations to notify individuals affected by a data breach. These changes aim to enhance consumer protection and create a more uniform national standard for handling sensitive financial data.

Who is affected by the amendments?

The amendments apply to brokers and dealers, funding portals, investment companies, investment advisers registered with the Commission, and transfer agents registered with the Commission or another appropriate regulatory agency (collectively, “covered institutions”).

What is the scope of information protected by the amendments?

The amendments clarify and expand the types of information that must be protected under Regulation S-P.

What do the amendments require?

The amendments impose several new obligations on covered institutions, including:

  1. Incident Response Program: Firms must implement written policies and procedures to detect, respond to, and recover from unauthorized access to customer information. The incident response program must include procedures to assess the nature and scope of any such incident and to take appropriate steps to contain and control such incidents to prevent further unauthorized access or use.
  2. Customer Notification: If sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, the firm must notify affected individuals as soon as practicable, and no later than 30 days after becoming aware of the incident, subject to limited exceptions. The notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves.
  3. Service Provider Oversight: The amendments also require the incident response program to include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers.
  4. Expanded Scope and Recordkeeping: The safeguards and disposal rules now apply to information received from other financial institutions and explicitly extend to transfer agents. Most covered institutions must also maintain written records documenting their compliance with the rule.

When must a covered institution begin to comply with the amendments?

The amendments become effective 60 days after publication in the Federal Register on June 3, 2024. Larger entities, including registered investment advisers with at least $1.5 billion in regulatory assets under management, must comply by December 3, 2025 (18 months from the effective date). Smaller entities have until June 3, 2026 (24 months from the effective date) to comply.

Contact

Contact us today to discuss how the amended Regulation S-P can impact your firm and ensure your data protection and incident response programs remain fully compliant and effective. Our specialists are available to help you assess your current policies and procedures, update vendor oversight and breach notification protocols, and develop comprehensive compliance strategies tailored to your firm’s size and risk profile.

This article was written by Xiaoyang Li. For more information, contact xiaoyang@bull-legal.com or schedule a consultation.

This article is for informational purposes only and does not constitute legal advice. For specific advice regarding your situation, please consult qualified counsel.

Bull Blockchain Law LLP is a boutique law firm dedicated to advising clients at the intersection of digital assets, fintech, and financial regulation. If you have questions about how these developments may impact your business, please contact any member of our team directly or schedule a consultation.

© 2025 Bull Blockchain Law LLP. All Rights Reserved. Attorney Advertising.