- with readers working within the Media & Information and Securities & Investment industries
As a reminder, "Larger Entities," including registered investment advisers with $1.5 billion or more in assets under management and any broker-dealer that is not a small entity under the Exchange Act (generally, any broker-dealer with more than $500,000 in total capital), must comply with revised Regulation S-P beginning on Dec. 3, 2025.
Smaller registered investment advisers and broker-dealers will need to start complying with revised Regulation S-P beginning on June 3, 2026.
Key Changes
The amendments to Regulation S-P (the "Amendments") require that covered firms take a number of steps, including:
- Developing and implementing written policies and procedures for an incident response plan;
- Developing and implementing written policies and procedures providing for service provider oversight, including procedures reasonably designed to ensure service providers notify covered firms within 72 hours of security breaches involving "customer information systems"; and
- Notifying customers (including customers of certain other financial institutions) within 30 days in the event their "sensitive customer information" has been compromised.
The Amendments also broaden the scope of information covered by Regulation S-P, implement additional recordkeeping obligations for covered institutions, and provide an exception to the annual privacy notice delivery requirement.
MWS has already begun working to help firms meet these new requirements, including:
- Updating Incident Response Plan documentation; and
- Developing procedures and documentation regarding service provider outreach.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.