SEC Regulation S-P Amendments: New Incident Response Program Requirements

In May 2024, the U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P, requiring registered investment advisers (RIAs) to adopt written incident response program policies and procedures. Each RIA’s incident response program will be required to have written policies and procedures to:

1. assess the nature and scope of an incident,
2. contain and control the incident, and
3. notify each affected individual.

RIAs with $1.5 billion or more in assets under management must adopt an incident response program by December 3, 2025, while those with less than $1.5 billion in assets under management will have until June 3, 2026.

Assessment

The incident response program must include procedures for:

1. assessing the nature and scope of any incident involving unauthorized access to or use of customer information, and
2. identifying the customer information systems and types of customer information that may have been accessed or used without authorization.

The assessment requirement is intended to identify affected customer information systems and data, determine any unauthorized access or use, and establish the specific customers impacted.

Containment and Control

An incident response program must include procedures to contain and control security incidents and prevent further unauthorized access or use of customer information. Incident response strategies vary by incident type and may involve isolating compromised systems, identifying additional breaches, resetting credentials and keys, or disabling default accounts.

Notification

RIAs must notify each individual whose sensitive information was, or was reasonably likely, accessed or used without authorization, unless a reasonable investigation finds sensitive information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

Service Providers

Each incident response program must include policies and procedures designed to oversee service providers. The policies and procedures must be reasonably designed to ensure service providers take appropriate measures to:

1. protect against unauthorized access to or use of customer information, and
2. provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.

As part of their incident response programs, RIAs may enter into written agreements allowing service providers to notify affected individuals on behalf of the RIA. However, RIAs remain responsible to ensure that affected individuals are properly notified.