SEC Regulation S-P and investment adviser cybersecurity obligations

The 2024 SEC Regulation S-P amendments changed what registered investment advisers are required to maintain.

SEC Regulation S-P investment adviser cybersecurity obligations changed significantly with the amendments that took effect in 2024. For registered investment advisers, SEC Regulation S-P compliance requirements 2024 now include a written incident response program, a defined capability to notify affected individuals within 30 days of a breach, and oversight obligations that extend to service providers with access to customer information.

The gap that many registered firms now face is not a lack of awareness. Most investment advisers know the amendments exist. The gap is operational: having a written incident response policy is not the same as having the detection capability, the data inventory, the notification procedures, and the tested recovery process that making a 30-day notification under pressure actually requires.

What the 2024 SEC Regulation S-P Amendments Added

The SEC’s amended Regulation S-P significantly expanded what registered investment advisers are required to maintain. The original rule required financial institutions to provide privacy notices to customers and maintain reasonable safeguards for customer records.

The 2024 amendments added three material requirements.

1. A written incident response program
Covered firms must maintain written policies and procedures for a program that addresses the detection, response to, and recovery from unauthorized access to customer information. This is not a general security policy – it is a specific incident response program that must be documented, reviewed, and maintained as a functional capability rather than a compliance artifact.

2. A 30-day notification obligation
When a registered firm becomes aware of a breach involving unauthorized access to customer financial information, it must notify affected individuals within 30 days – unless a law enforcement exception applies. The clock starts when the firm becomes aware of the incident, not when it completes its investigation.

3. Service provider oversight
Firms must enter into written contracts with service providers that access customer information, requiring those providers to implement appropriate safeguards and to notify the firm of any breach involving the firm’s customer information. This extends the compliance obligation explicitly into third-party relationships.

Investment Adviser SEC Cybersecurity Requirements – The Gap Between Policy and Capability

Investment adviser SEC cybersecurity requirements were significantly strengthened by the 2024 Regulation S-P amendments – and the requirement that matters most operationally is not the written incident response program, but the 30-day notification obligation that accompanies it. A written plan satisfies the documentation requirement. The 30-day notification obligation requires something more: the firm must be able to detect a breach, scope the affected data accurately enough to identify which customers are affected, and execute notification within a fixed window – under conditions that are by definition disruptive.

Each step in that sequence depends on capabilities that must exist before the incident occurs. Detection requires monitoring that is in place and generating actionable alerts. Scoping requires a current data inventory that accurately reflects where customer information is stored, processed, and transmitted. Notification requires current contact information and a defined notification procedure. None of these can be assembled under the pressure of an active incident.

For private markets investment advisers managing fund-of-funds, co-investment structures, and advisory accounts, the scoping challenge is particularly significant. Customer information may reside across fund administration platforms, investor portals, CRM systems, document management environments, custodian data feeds, and the systems of outside service providers. Accurately mapping that landscape – and keeping it current as the firm’s systems and service relationships change – is a prerequisite for executing the notification obligation that the amended rule now requires.

GLBA Financial Services Cybersecurity Obligations and How They Relate

GLBA financial services cybersecurity obligations apply to registered investment advisers independently of SEC Regulation S-P, and the two frameworks overlap meaningfully. GLBA, through the FTC’s Safeguards Rule, requires a written information security program addressing nine specific elements, including risk assessment, access controls, encryption, MFA, vendor oversight, penetration testing, and incident response planning. That incident response planning requirement has always existed under GLBA. SEC Regulation S-P’s 2024 amendments add a notification obligation and a more specific program requirement on top of it.

A firm that has built a functioning GLBA managed IT security program – one that addresses incident response, vendor oversight, and access controls as operational practices rather than documented commitments – is well positioned to meet SEC Regulation S-P compliance requirements, because the underlying capabilities overlap substantially. The 30-day notification obligation is the most operationally distinct addition. Meeting it requires that the GLBA incident response program includes the data inventory, the scoping methodology, and the notification procedure that the SEC rule now specifically requires.

For registered investment advisers that have not formally assessed their GLBA compliance posture, the FTC Safeguards Rule Compliance page documents the full nine-element framework and what operational compliance requires. The IT Security Services for Financial Services Firms page provides a detailed account of how those obligations translate into the specific security conditions of financial services environments.

What Registered Investment Adviser IT Security Requires in Practice

Registered investment adviser IT security that satisfies both GLBA and SEC Regulation S-P obligations requires more than documentation. It requires IT security practices that function consistently, a data environment that is well enough understood to be accurately scoped in an incident, vendor relationships that are contractually governed for security, and an incident response capability that has been tested rather than assumed.

The firms that will struggle with SEC Regulation S-P’s 30-day notification requirement are not those that lacked awareness of it. They are those whose IT security environment was not structured around the capability that meeting it demands. Building that capability before an incident is considerably more manageable than attempting to demonstrate it after one.

For registered investment advisers that have not recently examined whether their current security posture meets the operational demands of their regulatory obligations, an introductory conversation is a practical starting point. The goal is not to create compliance overhead — it is to ensure the firm’s security environment actually supports the obligations it carries.