Skip to main content

The New Regulation S-P Framework: Lessons Learned So Far

July 9, 2026


There is always a learning curve, and investment advisers are quickly climbing it when it comes to the changes to Regulation S-P, which became effective for larger advisers this past December and for smaller advisers in June.

At the Investment Adviser Association’s 2026 Investment Adviser Compliance Conference, held in Washington, D.C., in March, Casey Jennings of Seward & Kissel, Joseph Murphy of the SEC Division of Examinations, and Mike Pappacena of ACA Group discussed early lessons from advisers already subject to the revised data protection rule. Their discussion was moderated by Tracy Soehle of the IAA.

Understand the requirements

The requirements of the new rule are quite broad, beginning with the concept of “customer information,” defined here for the first time as “any nonpublic information about the customer of a financial institution.” Soehle emphasized that this definition covers all nonpublic information about individuals in an adviser’s possession, regardless of whether the individual is a client of the adviser. As a result, Jennings argued, even firms with only institutional clients could still possess information that makes them subject to the rule.

As background, Jennings reviewed the four key elements of the revised framework.

Incident response programs. Advisers must have an incident response program that helps them “detect, respond to, and recover from unauthorized access to or use of ‘customer information.’” This program must be in writing and tailored to the adviser’s specific risks.

Data breach notification requirement. The revised regulation adds a federal requirement to existing state regulations to inform individuals of breaches that affect their sensitive data. The threshold for notification – whenever there is a risk of “substantial harm” to the individual as a result of the breach – is more stringent than many current state requirements.

Service provider oversight. The new framework adds a requirement that service providers notify the adviser of data system breaches within 72 hours of becoming aware of them. Advisers must ensure that service providers will provide timely notification, either through contract provisions or appropriate due diligence. Jennings suggested that, at a minimum, advisers specifically discuss this requirement with service providers and document the conversation.

Recordkeeping. In addition to establishing specific time periods for record retention, the revised regulation requires advisers to adopt policies and procedures for the “proper disposal” of customer information and to ensure that their service providers do the same.

Overall, Jennings concluded, the new requirements are keeping pace with an evolving threat environment, where “one bad click can equal a big-time data breach.” Given that “data risk is an existential risk for financial institutions,” the changes are needed, but compliance will still be challenging for many advisers.

Know your data

Addressing the compliance challenges “starts with data governance,” argued Pappacena. Advisers need to understand what customer information the firm holds and know exactly where it resides in its systems, whether in in-house file systems, email inboxes, or with service providers, and how it is protected. “There’s a plethora of places where that information can live.”

However, “even larger firms don’t necessarily have a robust data map,” Pappacena noted.

While mentioning that data mapping is not required under the rule, the SEC’s Murphy observed that it can be a “useful exercise” that helps the adviser “understand inflow and outflow.” The SEC’s exam staff may request a data map when reviewing compliance with Regulation S-P, Murphy noted, though he added that advisers can provide the relevant information to exam staff in other forms.

“Be holistic” when developing a data map, Pappacena suggested. For example, think about how data on a laptop might sync to a cloud storage database, and be sure to include information handled by service providers.

Build out your plan

In addition to mapping their data, advisers need to “enhance their incident response plan to a true program,” argued Pappacena.

Advisers should consider how they will detect a data breach, making sure they understand how warning systems work and have a plan for monitoring. If a breach occurs, advisers should have plans in place for containing it to prevent further data loss while escalating awareness as appropriate.

At the same time, advisers should review their existing service provider oversight programs. Are all vendors included, from name-brand cloud providers to niche analytics firms? Vendors with administrator access should be an area of particular focus. For smaller advisers, these vendors might set up core IT systems, including email services and online files, manage access to those systems, and provide help desk support.

In sum, Pappacena cautioned, it’s the “entire system that firms need to think about.” “It’s a big step for everybody,” Jennings agreed.


You are now leaving Investment Adviser Association

The IAA provides links to web sites of other organizations in order to provide visitors with certain information. A link does not constitute an endorsement of content, viewpoint, policies, products or services of that web site. Once you link to another web site not maintained by the IAA, you are subject to the terms and conditions of that web site, including but not limited to its privacy policy.

You will be redirected to

Click the link above to continue or CANCEL

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.