As a reminder, the SEC has adopted amendments to Regulation S-P, with key compliance deadlines fast approaching.
Who Is Affected?
- Larger Entities – SEC registered investment advisers with more than $1.5 billion AUM must comply by December 3, 2025
- Smaller Entities – SEC registered advisers with less than $1.5 billion AUM must comply by June 3, 2026
Key Requirements Under the Amendments
Covered firms must:
- Establish a Written Incident Response Program: Establish and maintain a written incident response program reasonably designed to detect, respond, and recover from unauthorized access to customer information.
- Provide Breach Notification within 30 Days: Notify affected individuals as soon as practicable, and no later than 30 days after discovery, if their sensitive information is accessed or reasonably believed to have been accessed without authorization.
- Oversee Service Providers: Conduct due diligence and ongoing monitoring of service providers to ensure they meet required information security standards and promptly notify of any breach.
- Maintain Relevant Records: Maintain books and records necessary to evidence compliance of the new rule.
Click here for the original press release.
