In May 2024, the Securities and Exchange Commission (the “SEC”) adopted amendments to Regulation S-P (the “Amendments”). Compliance with the Amendments is set to become mandatory on December 3, 2025 for most entities covered by the rule. Notably for our clients, investment advisers to private funds with $1.5 billion or more in assets under management are covered by the rule and will be required to comply beginning December 3.[1]
Regulation S-P, originally adopted in 2000, governs how covered financial institutions must safeguard the nonpublic personal information of natural persons. The Amendments aim to enhance these protections to better address the risks posed by modern technology by imposing new written program, notification, and recordkeeping requirements.
Key Amendments for Investment Advisers to Private Funds
The Amendments require investment advisers (“Advisers”), including investment advisers to private funds, to develop, implement, and maintain written policies and procedures that address the following:
- Safeguards for Customer Information
Advisers must implement safeguards reasonably designed to protect Customer Information[2] by ensuring its security and confidentiality, preventing anticipated threats or hazards to its integrity, and guarding against unauthorized access or use.
- Incident Response Programs
Advisers must have in place programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of Customer Information. Notably, the Amendments require Advisers to develop, implement, and maintain written policies and procedures reasonably designed to ensure that the Adviser can satisfy the notification requirement described below. This includes requiring that service providers to the Adviser provide written notification to the Adviser, within 72 hours of becoming aware of it, of any unauthorized access to the Adviser’s Customer Information maintained by the service provider. While this obligation need not be part of a written contract with the service provider, many Advisers are reaching out to each of their service providers to inform them of the new requirement and request confirmation that the service provider will comply with this timeline.
- Notification to Individuals Affected by an Incident
If an incident of unauthorized access to or use of Customer Information has occurred or is reasonably likely to have occurred, Advisers must provide timely notice (i.e., as soon as practicable but not later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred) to each individual whose sensitive Customer Information was, or is reasonably likely to have been, accessed or used without authorization.
- Proper Disposal of Information
Advisers must properly dispose of Consumer Information,[3] a term that is slightly narrower than Customer Information, by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. While the SEC did not prescribe specific disposal methods, the Amendments signal that these could include shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means.
- Recordkeeping
Advisers must maintain written records documenting compliance with the Amendments, including copies of relevant policies and procedures, incident reports, and notifications provided to affected individuals.
Next Steps for Advisers to Private Funds
Advisers should review their existing cybersecurity and data protection policies and procedures to ensure they align with the amended Regulation S-P. In particular, Advisers with AUM over $1.5 billion should ensure that their written policies and procedures governing incident response, notification, service provider oversight, and recordkeeping meet the new requirements before the December 2025 compliance date, as SEC examinations conducted over the following months will likely assess Advisers’ preparedness for compliance with the amended Regulation S-P framework. Although the primary requirements of the Amendments apply only to information relating to natural persons, Advisers whose clients are all private funds with institutional investors must still adopt changes to their policies and procedures (even though such policies may never actually be triggered, given the absence of natural person investors).
Earlier this year, the SEC hosted informational sessions about the amendments and what to expect during examinations that cover Regulation S-P. Recordings of such sessions are available on the .
Key Takeaways
- Compliance deadline: Investment advisers with AUM over $1.5 billion must comply with the Amendments by December 3, 2025; smaller institutions have until June 3, 2026.
- Expanded requirements: Advisers must maintain written policies and procedures addressing Customer Information safeguards, incident response, notification, service provider oversight, disposal, and recordkeeping.
- New notification obligations: Advisers must notify affected individuals within 30 days of determining that unauthorized access to or use of Customer Information occurred or is likely to have occurred.
- Regulatory focus: SEC examinations will likely prioritize assessing Advisers’ compliance readiness with the amended Regulation S-P framework.
The past several years have marked a momentous period for privacy law. In addition to the Amendments, new state legislation and high-stakes litigation are shaping (or reshaping) the landscape, and many of these actions could apply to Advisers’ privacy and data security practices. Advisers with further questions are encouraged to contact their normal Proskauer team and to monitor the blog.
___________
[1] Compliance for certain other entities will also be required as of December 3, including investment companies with net assets of at least $1 billion as of the most recent fiscal year end, broker-dealers with total capital equal to or greater than $500,000 and transfer agents that transferred or processed 500 or more items in the previous year or maintained shareholder files for at least 1,000 shareholder accounts. Smaller firms that do not meet the above thresholds must begin complying on June 3, 2026.
[2] For investment advisers, “Customer Information” means any record containing nonpublic personal information as defined in 17 C.F.R. § about a customer of a financial institution, whether in paper, electronic or other form, that is in the possession of a Covered Institution or that is handled or maintained by the Covered Institution or on its behalf regardless of whether such information pertains to: (A) individuals with whom the Covered Institution has a customer relationship; or (B) the customers of other financial institutions where such information has been provided to the Covered Institution. (This definition is excerpted from 17 C.F.R. § ; the full definition also covers transfer agents.)
[3] “Consumer Information” means any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report, or a compilation of such records, that a Covered Institution maintains or otherwise possesses for a business purpose regardless of whether such information pertains to: (A) individuals with whom the Covered Institution has a customer relationship; or (B) the customers of other financial institutions where such information has been provided to the Covered Institution. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.