Key Takeaways
- Regulation S-P requires privacy notices and opt-out rights for sharing with non-affiliates.
- 2024 Reg S-P amendments require breach notification within 30 days of discovery.
- Compliance deadline: December 3, 2025 for large advisers ($1.5B+ AUM).
- Initial privacy notice at account opening; annual notice no longer required in all cases.
- Safeguard Rule requires written policies for administrative, technical, and physical safeguards.
- Business continuity plans must address technology disruptions and disaster recovery.
- Identity theft prevention (Red Flags Rule) requires a written program.
- Records of compliance must be maintained for 5 years.
Cybersecurity and Privacy
Investment advisers must protect client information and maintain robust cybersecurity programs under Regulation S-P and related rules.
Regulation S-P Overview
Regulation S-P implements the privacy provisions of the Gramm-Leach-Bliley Act for financial institutions regulated by the SEC.
Who is Covered?
| Covered Entities |
|---|
| SEC-registered investment advisers |
| SEC-registered broker-dealers |
| Registered investment companies |
| Transfer agents |
| Funding portals |
Privacy Notice Requirements
Initial Privacy Notice
| Requirement | Details |
|---|---|
| When | At account opening (before initial transaction) |
| Content | Information sharing practices |
| Format | Clear and conspicuous |
| Delivery | Written or electronic |
Annual Privacy Notice
Under the 2024 amendments:
- Annual notice is no longer required IF:
  - Adviser has not changed privacy policies, AND
  - Only shares information under exceptions to opt-out
Notice Content Requirements
Privacy notice must describe:
- Categories of nonpublic personal information (NPI) collected
- Categories of NPI disclosed
- Categories of affiliates and non-affiliates receiving NPI
- Consumer's right to opt out
- Policies for protecting NPI
Opt-Out Rights
Information Sharing Categories
| Category | Opt-Out Required? |
|---|---|
| With affiliates | Generally no (but marketing exception) |
| With non-affiliates | YES - must offer opt-out |
| For joint marketing | Exception applies |
| As required by law | No opt-out needed |
| Service providers | No opt-out needed |
Opt-Out Process
Clients must be given a reasonable opportunity to opt out:
- Clear explanation of right
- Reasonable method to exercise (mail, phone, online)
- 30 days to respond before sharing
2024 Regulation S-P Amendments
Major Changes
| Change | Description |
|---|---|
| Incident response program | Written policies required |
| Breach notification | 30 days from discovery |
| Safeguard rule expansion | More specific requirements |
| Recordkeeping | Document compliance for 5 years |
Compliance Deadlines
| Entity Size | Deadline |
|---|---|
| Large advisers ($1.5B+ AUM) | December 3, 2025 |
| Small advisers (<$1.5B AUM) | June 3, 2026 |
Breach Notification Requirements
When unauthorized access to sensitive customer information occurs:
| Requirement | Details |
|---|---|
| Timing | Within 30 days of discovery |
| Recipients | Affected individuals |
| Content | Nature of breach, information involved, steps to protect |
| Method | Written notification |
Safeguard Rule
Written Policies Required
Advisers must adopt written policies addressing:
| Safeguard Type | Examples |
|---|---|
| Administrative | Employee training, access controls, risk assessment |
| Technical | Encryption, firewalls, authentication, intrusion detection |
| Physical | Facility security, device controls, document disposal |
Key Program Elements
| Element | Description |
|---|---|
| Risk assessment | Identify and assess risks to customer information |
| Safeguard design | Implement controls to address risks |
| Testing | Regular testing and monitoring |
| Service provider oversight | Ensure vendors protect information |
| Adjustments | Update program as risks change |
Disposal Rule
When disposing of customer information:
- Shred or burn physical documents
- Securely delete electronic records
- Ensure vendors follow disposal procedures
- Document disposal actions
Identity Theft Prevention (Red Flags Rule)
Program Requirements
Advisers who are "creditors" must have a written identity theft prevention program:
| Component | Description |
|---|---|
| Identify red flags | Warning signs of identity theft |
| Detect red flags | Procedures to detect warning signs |
| Respond | Appropriate responses to detected red flags |
| Update | Periodic updates to program |
Common Red Flags
| Category | Examples |
|---|---|
| Alerts | Address discrepancy, fraud alert on credit report |
| Documents | Altered ID, photo doesn't match |
| Personal information | SSN doesn't match, address changes suddenly |
| Account activity | Unusual patterns, unauthorized transactions |
Business Continuity Planning
Required Elements
| Component | Purpose |
|---|---|
| Data backup | Protect client records |
| Alternate location | Continue operations after disaster |
| Communication plan | Notify clients and regulators |
| Key personnel | Succession and backup procedures |
| Testing | Regular plan testing |
| Vendor continuity | Ensure critical vendors have BCPs |
Testing Requirements
- Annual testing recommended
- Tabletop exercises
- Full simulation when possible
- Document results and improvements
Recordkeeping Requirements
| Requirement | Details |
|---|---|
| Duration | 5 years |
| First 2 years | Easily accessible place |
| Format | Electronic acceptable |
| Content | Policies, procedures, notifications, compliance documentation |
Cybersecurity Best Practices
| Practice | Description |
|---|---|
| Multi-factor authentication | For all system access |
| Encryption | Data at rest and in transit |
| Patch management | Timely software updates |
| Employee training | Regular security awareness |
| Vendor assessment | Due diligence on third parties |
| Incident response | Written procedures for breaches |
| Penetration testing | Regular security testing |
Exam Tip: Reg S-P requires privacy notice at account opening. 2024 amendments add BREACH NOTIFICATION within 30 days. Large advisers ($1.5B+ AUM) must comply by December 3, 2025. Opt-out applies to sharing with NON-AFFILIATES.