Who may be interested: Investment Companies; Investment Advisers; Broker-Dealers; Transfer Agents
Quick Take: The compliance deadlines for the SEC’s amendments to Regulation S-P are approaching. The compliance deadline for larger entities is set for December 3, 2025, and the deadline for smaller entities is June 3, 2026.
In 2024, the SEC adopted amendments to Regulation S-P imposing new data privacy and security requirements on broker-dealers, registered investment advisers, investment companies, and transfer agents (collectively, Covered Entities).
The SEC’s Regulation S-P amendments, among other things, require Covered Entities to adopt an incident response program to detect, respond to, and recover from a breach of customer information; notify affected individuals when a data breach has, or is reasonably likely to have, occurred; enhance their oversight of service providers; and maintain records documenting compliance with the amendments.
A Covered Entity’s incident response program must include procedures to: (i) assess the nature and scope of any incidents involving the unauthorized access to or use of customer information and identify the systems and types of customer information possibly accessed or used; (ii) contain and control such an incident to prevent further unauthorized access or use; and (iii) notify customers whose sensitive customer information is, or is reasonably likely to have been, accessed or used without authorization. A Covered Entity must provide notice to affected individuals as soon as practicable but no later than 30 days after discovering a breach has occurred or is reasonably likely to have occurred.
In addition, the amendments require incident response programs to include policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, and to provide any required notices to affected individuals.
Large entities, which include fund complexes with net assets of $1 billion or more in assets under management (AUM) and registered investment advisers with $1.5 billion or more in AUM, must comply by December 3, 2025, while smaller entities must comply by June 3, 2026.
S&K’s blog post, issued on June 7, 2024, on SEC’s amendments to Regulation S-P can be found here.
For a more detailed discussion of the amendments to Regulation S-P, see S&K’s client alert, published on May 23, 2024, here.
The SEC’s adopting release can be found here.