
SEC Finalizes Incident Response Planning Requirements for RIAs under Regulation S-P

Regulation S-P Requires Incident Response Plans for RIAs

On May 15, 2024, the Securities and Exchange Commission adopted amendments under Regulation S-P that mandate new requirements for registered investment advisers (RIAs) regarding incident response and cybersecurity incident disclosure.

Regulation S-P, adopted in 2000, contains the “safeguards rule” and the “disposal rule”, which require RIAs, broker-dealers and investment companies to adopt written policies and procedures to safeguard customer information and to properly dispose of consumer report information.

New requirements under Regulation S-P include:

  • A formal incident response program, including written policies and procedures;
  • Notification of cybersecurity incidents to affected individuals within 30 days;
  • Oversight and due diligence of third-party service providers; and
  • Recordkeeping of all compliance related to Regulation S-P requirements.

Incident Response Planning for RIAs

Covered entities will be required to establish and maintain a comprehensive incident response program designed to detect, respond to and recover from a security incident or breach of customer information. Written policies for incident response should include procedures for both assessing the nature and scope of the incident as well as containing and preventing further incidents or unauthorized access.

Cybersecurity Incident Disclosure

In the event that sensitive customer information is accessed or used by unauthorized parties, covered entities will be required to notify impacted individuals within 30 days of being made aware of the incident. RIAs and other covered parties will not be required to provide notification when a determination has been made that the incident has not or will not result in substantial harm or inconvenience.

Third Party Due Diligence & Oversight

As part of the incident response program, RIAs and investment companies will need to establish, maintain and enforce written policies and procedures focused on the monitoring, oversight and due diligence of third-party service providers. This includes requiring service providers to disclose security incidents within 72 hours after detection of a breach or compromise impacting customer information.

Next Steps for SEC Compliance Readiness

The amendments to Regulation S-P will take effect 60 days after publication in the Federal Register. Larger entities (defined as RIAs with more than $1.5 billion in assets under management, or investment companies with $1 billion or more in net assets) will have 18 months from the effective date to comply, while smaller entities will have 24 months.

Need help with your incident response plan?
Omega Systems is an award-winning MSP/MSSP and has significant expertise advising RIAs and other investment management firms regarding cybersecurity measures and SEC compliance. If you require assistance with creating or enhancing your incident response plan per the SEC’s new requirements, please contact our team.
