The Securities and Exchange Commission's Regulation S-P has governed the privacy and security of customer financial information since its adoption in 2000 under the Gramm-Leach-Bliley Act. For more than two decades, the rule established baseline requirements for safeguarding nonpublic personal information held by registered investment advisers, broker-dealers, and investment companies. In 2023, the SEC proposed — and subsequently finalized — sweeping amendments that substantially expand those requirements, bringing them closer in scope to what the NY DFS Cybersecurity Regulation (23 NYCRR 500) already demands from covered financial institutions in New York.
If your firm is a registered investment adviser, broker-dealer, transfer agent, or investment company, understanding what Reg S-P now requires is not optional. The SEC has made enforcement a priority, and the combination of an aging IT environment with a newly expanded safeguards rule creates real exposure.
What Reg S-P Covers
Regulation S-P, codified at 17 CFR Part 248, applies to broker-dealers, investment companies, registered investment advisers (RIAs), and transfer agents registered with the SEC. The core obligation is the Safeguards Rule: covered entities must adopt written policies and procedures reasonably designed to protect customer records and information from unauthorized access or use that could result in substantial harm or inconvenience.
The 2023 amendments extend this framework in four critical directions:
- Incident response program: Firms must now establish, maintain, and enforce a written incident response program addressing detection, containment, recovery, and review of cybersecurity incidents involving customer information.
- Customer notification: When a covered institution experiences a data breach involving customer information, it must notify affected customers no later than 30 days after discovering the breach — a hard deadline with limited exceptions.
- SEC notification: Firms must promptly notify the SEC of any significant cybersecurity incident. The amended rule operationalizes what "promptly" means through specific Form ADV and Form BD reporting requirements.
- Service provider oversight: Firms must now contractually require service providers that access customer information to implement safeguards equivalent to those required of the firm itself, and must periodically assess those providers.
The 2023 Amendments: What Changed
The original 2000 rule was largely principles-based. The 2023 amendments add prescriptive technical requirements that align Reg S-P more closely with NIST frameworks and contemporary security expectations. Key additions include:
Annual Review Requirement
Covered firms must conduct an annual review of their information security program and update written policies and procedures to reflect material changes in operations, services offered, and the threat environment. This review must be documented and available for examination.
Technical Safeguard Requirements
The amended rule specifies that information security programs must include, at minimum: access controls limiting access to customer information on a need-to-know basis; encryption of customer information in transit and at rest; multi-factor authentication for remote access; regular vulnerability assessments and penetration testing; and secure software development practices for internally developed systems.
If your firm has not recently conducted a network penetration test, the annual review requirement and the technical safeguard requirements together create a clear expectation that one is overdue.
Vendor Oversight Obligations
The service provider oversight requirements are among the most operationally demanding changes. Firms must maintain an inventory of service providers that receive, maintain, or access customer information; conduct due diligence before engaging new providers; include contractual provisions requiring equivalent safeguards; and periodically — at minimum annually — assess provider security posture.
Overlap With NY DFS 23 NYCRR 500
For firms operating in New York, Reg S-P's expanded requirements create meaningful overlap with the NY DFS Cybersecurity Regulation. Both frameworks now require: a written cybersecurity policy; an incident response plan; third-party service provider security policies; MFA for privileged access; encryption of nonpublic information; and regular penetration testing and vulnerability assessments.
The practical implication is that a firm subject to both rules can design a single integrated program that satisfies both — avoiding the compliance overhead of maintaining parallel programs. A virtual CISO engagement is an efficient mechanism for firms that lack in-house security leadership to build and maintain this integrated program.
Who Is Covered
Coverage under Reg S-P extends to:
- SEC-registered investment advisers (RIAs) — including advisers to private funds
- Registered broker-dealers under the Securities Exchange Act
- Registered investment companies (mutual funds, closed-end funds, ETFs) and business development companies
- Transfer agents registered with the SEC or a federal banking agency
State-registered investment advisers fall under state-level equivalents, and in New York, the SHIELD Act and DFS rules provide parallel obligations. Advisers managing less than $100 million in AUM who are registered only with their home state are not subject to SEC Reg S-P, but are subject to state-level equivalents.
Enforcement and Penalties
SEC enforcement of cybersecurity requirements has accelerated significantly since 2020. The Commission has used existing authority under Section 17(a) of the Securities Exchange Act to pursue firms that failed to implement adequate safeguards, resulting in fines ranging from several hundred thousand dollars to multi-million dollar settlements. The 2023 amendments create more specific obligations, which means enforcement staff have clearer benchmarks against which to measure firm conduct.
Firms should be particularly attentive to examination readiness. SEC examination staff will request incident response plans, evidence of annual reviews, vendor contracts, and documentation of technical safeguard implementation. Gaps between policy and practice — written policies that do not reflect actual controls — are a primary enforcement trigger.
If your firm is preparing for a Reg S-P compliance assessment or needs help designing an information security program that satisfies both SEC and NYDFS requirements, contact Fortress MSSP for a confidential consultation.