Reg S-P’s Impact on Service Providers of In-Scope Covered Institutions

Author: Kenyon Shubert

In May of 2024, the Securities and Exchange Commission (“SEC”) announced its adoption of amendments to Regulation S-P (“S-P Amendments”) aimed at enhancing protections for customer information. With the compliance date of those changes now imminent, it is important for covered institutions and their service providers to understand their new obligations under the S-P Amendments.

In its press release 2024-58, the SEC explained that the S-P Amendments were aimed at addressing “the expanded use of technology and corresponding risks that have emerged since the Commission originally adopted Regulation S-P in 2000.” In pursuit of those goals, the S-P Amendments introduce new requirements for covered institutions, including Registered Investment Advisers (“RIAs”) and Exempt Reporting Advisers (“ERAs”), to develop an incident response program to detect, respond to and recover from data breaches, and to conduct due diligence and ongoing monitoring of service providers who have access to customer information. Should a service provider give an RIA or ERA notice of a breach, the RIA or ERA is required to initiate their incident response program, and, if applicable, provide notice to impacted individuals.

Oversight of Service Providers

Because of their broad language, the S-P Amendments bring many private fund service providers into scope for oversight: RIAs and ERAs must have procedures for overseeing firms that receive, maintain, process or access customer information. The goal of that oversight is to gain reasonable assurance that each such firm will take appropriate measures to protect against unauthorized access to or use of customer information and will provide notification within seventy-two (72) hours in the event of a breach of security. Due diligence and monitoring are two ways to effectuate this oversight – for example, by expanding due diligence on cybersecurity controls and data privacy procedures, asking for specific documentation in these areas, or conducting an interview or annual check-ins to discuss them in detail. Further, while only certain service providers might agree to them, many RIAs and ERAs may seek to shore up the representations made in due diligence with contractual commitments.

Compliance Dates

Larger covered entities—RIAs with $1.5 billion in assets under management, investment companies with $1 billion in net assets, and all broker-dealers that are not small institutions under the Securities Exchange Act of 1934—must comply with the S-P Amendments by December 3, 2025. All other covered institutions, including many smaller alternative investment advisers, must comply by June 3, 2026. Be sure to speak with your service providers ahead of the applicable deadline to put your firm in the best position to address these new obligations effectively.

 
