Rimon

SEC’s Regulation S-P Amendments: Key Compliance Requirements and Practical Implications for RIAs

Elimu Kajunju · Nicole Kuchera · April 2, 2026

The SEC’s amendments to Regulation S-P, adopted May 16, 2024, substantially expanded privacy obligations for certain covered institutions, which include SEC-registered investment advisers (RIAs).

Large RIAs (≥$1.5 billion in regulatory assets under management) have had to comply since December of 2025, and smaller RIAs must comply effective June 3, 2026.

There are five key tenets of the amendment:

  • Expanded definition of information covered by the regulation to include all nonpublic personal information in an RIA’s possession
  • Requiring implementation of an incident response program
  • Creation of procedures to notify customers within 30 days of a breach
  • Establishment of vendor management programs to ensure vendors protect data in their possession and notify the RIA within 72 hours
  • Documented evidence of compliance with the above

The above tenets have important implications that are not directly stated in the regulation:

  • To have an effective incident response program, you need a robust information security program that includes the right processes, technology, and people to be able to deter, detect, respond to, and recover from incidents.
  • Managing an effective vendor risk management program requires a level of organization that even many large RIAs fail to have, such as identifying and implementing proper tools and hiring individuals to make important risk decisions.
  • Artificial intelligence has made it easier for bad actors to compromise your systems. Fortunately, AI has also been used by security vendors to improve their offerings. Smart use of AI is required to address this quickly morphing risk.
  • To make all of the above work, you need a competent and empowered staff to build and maintain an effective program that is robust and resilient, as well as sufficient oversight and policies.

This summary is provided for informational purposes only and is not intended to constitute legal advice nor does it create an attorney-client relationship with Rimon, P.C. or its affiliates.
