The SEC adopted amendments to Regulation S-P (Privacy of Consumer Financial Information) on May 16, 2024, representing the first major update to the rule since its adoption in 2000. These amendments modernize privacy protections to address current cybersecurity threats facing the financial services industry.
## Key New Requirements
The amendments establish several critical new obligations for covered institutions:
- Incident Response Program: Develop, implement, and maintain written policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to customer information
- Data Breach Notification: Notify affected individuals within 30 days of discovering unauthorized access to sensitive customer information
- Service Provider Oversight: Require written agreements with service providers that handle customer information, including 72-hour breach notification provisions
- Enhanced Safeguards: Adopt written information security policies covering administrative, technical, and physical safeguards
- Recordkeeping: Maintain documentation of compliance including policies, incident reports, and notifications
## Compliance Deadlines
The amendments include tiered compliance periods: 18 months for larger entities (December 3, 2025) and 24 months for smaller entities (June 3, 2026).
## Vendor Management Impact
The service provider oversight requirements are particularly significant. Firms must review and update all vendor agreements to include data protection provisions and the 72-hour breach notification requirement. This affects relationships with custodians, technology providers, cloud services, portfolio management systems, and any third party that accesses or maintains customer information.
## What Firms Should Do Now
Investment advisers should conduct a comprehensive data inventory, assess current information security practices, update or create incident response plans, review all service provider agreements, and implement the necessary recordkeeping procedures. Firms that have not begun this process should engage compliance counsel or consultants immediately.