IAA Calls on SEC for More Time on Reg S-P
July 30, 2025
The Honorable Paul S. Atkins
Chairman
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
Re: Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (File No. S7-05-23)
Dear Chairman Atkins:
The Investment Adviser Association (IAA)[1] remains committed to supporting efforts by the Commission to protect investors, investment advisers, other market participants, and the financial markets more broadly from the dangers presented by information security threats. We strongly support advisers being required to maintain the confidentiality of clients’ PII and to notify clients when their PII has been compromised. With that in mind, we write to reiterate our request for an extension of time to comply with the challenging new requirements under the final amendments to Regulation S-P (Amendments)[2] and to request certain clarifications and refinements.
Since the adoption of Regulation S-P in 2000, advisers have focused on meeting their obligation to develop and maintain policies and procedures to safeguard client information in ways that are tailored to their firms and the risks of inadvertent or unauthorized disclosure particular to their business operations. The Amendments introduce expansive new definitions and impose extensive and prescriptive notification and recordkeeping requirements, requiring advisers to overhaul processes and infrastructures to meet these new standards.
A. Request for Extension of Time
As the compliance dates for the Amendments fast approach,[3] the IAA reiterates our prior requests for a 12-month extension.[4] As discussed below, additional time is necessary for firms to complete their gap analysis, incorporate any changes to their policies, procedures, disclosures, and systems, work through their arrangements with service providers, operationalize and test updated processes, and train their personnel.
We also believe that an extension is necessary to give the Commission sufficient time to address the interpretive issues raised by the IAA and other industry groups. Following that, advisers should be given sufficient time to incorporate any clarifications or other refinements into their policies and procedures.
- Conducting gap analysis, revising policies, procedures, and disclosures, modifying systems. The Amendments have added another layer of complexity to an already complicated patchwork of federal and state data privacy requirements. For instance, several states require written information security programs (WISPs) that contain requirements for data protection, incident response, and notification.[5] Many of our members have clients and offices in multiple states as well as internationally, which requires analysis of the nuances in each jurisdiction. Compliance with the Amendments requires thoughtfully working through definitional and other language differences in applicable requirements as well as addressing technical gaps. The overly prescriptive nature of certain aspects of the Amendments makes it more difficult to evaluate how they should be integrated and operationalized. Firms’ efforts generally also entail multiple layers of internal review and have frequently called for outside legal, consulting, and technical assistance, all of which take time.
Completing the gap analysis is only the first step. Policies and procedures must be reconciled, modified, and issued, and training conducted. Firms must not only evaluate and address jurisdictional differences but must also address non-privacy policies that could be affected (e.g., cybersecurity, risk management, and vendor due diligence policies). In addition, disclosures, incident response plans, and document destruction policies need to be reviewed and updated. Firms are facing an enormous challenge to complete a thoughtful analysis and implement a timely program within the remaining compliance timeframe.[6]
- Negotiating terms with vendors. The Amendments require that advisers have policies and procedures reasonably designed to ensure that service providers provide advisers with notice of a data breach within 72 hours of becoming aware that a breach has occurred. Advisers must identify the vendor arrangements that are in scope of the Amendments and which of those need to be modified. While the Amendments do not explicitly require advisers to enter into written agreements or obtain reasonable assurances, as a practical matter for advisers to be in a position effectively to ensure that service providers provide the requisite notice they will likely need to negotiate or, in the case of existing agreements, renegotiate these terms as well as protocols for due diligence and ongoing monitoring.[7] We believe that our members will need more time to work with vendors to try to obtain their cooperation. More time should also help alleviate the additional burdens and costs to renegotiate any existing agreements that are outside of their ordinary renewal cycle.[8] In addition, smaller advisers would benefit from additional time in which new vendor practices could become standardized.
- Overlapping implementation efforts. Over the past three-plus years, advisers have faced the prospect of several SEC and Treasury rules being adopted in short order, requiring firms to plan and budget for implementation of multiple significant rules at the same time. We very much appreciate the Commission’s withdrawal of these proposals as well as FinCEN’s announcement that it intends to extend the compliance date for and revisit the new anti-money laundering rule, and, together with the Commission, revisit the still-open customer identification program proposal.[9] Most investment advisers employ the same cross-functional teams to analyze, prepare for, and implement rule changes—until these recent announcements this has taxed the same individuals and resources to address multiple workstreams.[10] The clarity and certainty provided by the Commission and FinCEN will help advisers more realistically plan for and allocate resources to their compliance efforts. Additional time to implement the Amendments will also help alleviate the pressure firms have felt from their efforts to address the multiple rulemakings simultaneously.
B. Request for Clarification and Refinement
In addition to providing more time for advisers to implement these requirements, the Commission should work with the industry to refine and clarify the scope of some of the Amendments’ terms and requirements, either through guidance or by reopening the rule for further amendment.[11] The requested relief will provide advisers with greater flexibility to assess and respond to data breach incidents while still achieving the important investor protection goals of the Amendments. We make the following specific recommendations:
- Refine the definitions of “customer information” and “sensitive customer information.” The definitions of “customer information” and “sensitive customer information” are overbroad, creating unnecessary complexity that is likely to lead to over-notification and adding compliance burdens and expense. We recommend modifications or clarifications to these definitions, which would also make them more consistent with other federal and state requirements.
- “Customer information” should be limited to personal information that is in “nonencrypted” form.
- Instead of being open ended, “sensitive customer information” should specify that it covers information identifying an individual or the individual’s account, including the individual’s account number, name, or online user name, in combination with authenticating information such as a social security number, driver’s license number, alien registration number, government passport number, or employer or taxpayer identification number; a biometric record; or a unique electronic identification number, address, or routing code that would permit access to the customer’s account.[12]
- Exclude certain affiliates from the “service provider” definition. The Commission should clarify that the definition of “service provider” does not include affiliates of an adviser when they share information security and oversight resources, through an enterprise model or otherwise.
- Clarify the scope of the “service provider” definition. The Commission should clarify that the service provider definition does not include financial counterparties such as brokers, clearing and settlement firms, and custodial banks, which have their own notification obligations. We also ask that the Commission confirm that service providers that advisers did not engage and with which they have no privity of contract do not fall within the scope of the service provider definition.[13]
- Clarify when the 72-hour and 30-day notification obligations are triggered. The Commission should confirm that the timeframe to provide notice contemplates sufficient time for a reasonable forensic investigation to take place, and a conclusion to be reached that misuse of customer information has occurred or is likely to occur. Accordingly, the IAA recommends that the staff clarify that for purposes of the notice obligations, a firm has not become “aware” that unauthorized access to or use of sensitive customer information has occurred until an investigation concludes that unauthorized access has occurred or is likely to occur.[14] Should the Commission decide to reopen the rule, we would recommend that it reconsider the 72-hour and 30-day timeframes.
- Consider a workable solution for service providers. We are concerned that the Amendments are not sufficiently flexible as they relate to service providers. For example, they do not contemplate a risk-based approach but cover all service providers broadly. They also do not address the reality that service providers could decline to cooperate with advisers to provide the required notice notwithstanding an adviser’s diligent efforts.[15] We recommend that the Commission clarify that firms may take a risk-based approach to their evaluation of service providers and satisfy their related obligations using a principles-based approach to their oversight of service providers.
- Confirm that advisers need not provide a notice unless they have a preexisting relationship with affected individuals or institutions. To reduce over-notification and confusion from having multiple entities provide notice of the same breach, the Commission should clarify that an adviser should only be required to provide notice to individuals with whom it has a pre-existing relationship or to the institution that provided the sensitive information at issue.
- Broaden the law enforcement exception. We believe that the current notification exception for national security or public safety is far too narrow and should be expanded to include law enforcement and security authorities other than the Attorney General. In addition to explicitly confirming that covered authorities include the FBI – which we understand is routinely contacted following a significant data breach – the Commission should include other authorities that could also have legitimate concerns about security and public safety sufficient to warrant a notification delay. We also recommend broadening the basis for the exception to include risks to an active investigation or similar risks. Finally, we recommend that certain cybersecurity authorities, including CISA, ENISA, and NCSC be included in the exception.
* * *
We welcome the opportunity to engage with the Commission and its staff to discuss these issues in greater detail. Please do not hesitate to contact us if you have any questions or we can provide additional information.
Respectfully,
Gail C. Bernstein
General Counsel and Head of Public Policy
Tracy M. Soehle
Associate General Counsel
cc:
The Honorable Hester M. Peirce, Commissioner
The Honorable Caroline A. Crenshaw, Commissioner
The Honorable Mark T. Uyeda, Commissioner
Brian Daly, Director, Division of Investment Management
Vanessa Countryman, Secretary
[1] The IAA is the leading organization dedicated to advancing the interests of fiduciary investment advisers. For more than 85 years, the IAA has been advocating for advisers before Congress and U.S. and global regulators, promoting best practices and providing education and resources to empower advisers to effectively serve their clients, the capital markets, and the U.S. economy. Our members range from global asset managers to the medium- and small-sized firms that make up the majority of our industry. Together, the IAA’s member firms manage more than $35 trillion in assets for a wide variety of individual and institutional clients, including pension plans, trusts, mutual funds, private funds, endowments, foundations, and corporations. For more information, please visit www.investmentadviser.org.
[2] Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 89 Fed. Reg. 47688 (June 3, 2024).
[3] The current compliance deadlines are December 3, 2025 for large entities and June 3, 2026 for smaller entities, as defined in the Amendments.
[4] See IAA Letter to SEC Chairman Atkins (May 1, 2025), IAA Letter to Acting Chairman Mark T. Uyeda (Jan. 29, 2025), and Joint Request for Extension of Compliance Dates for Amendments to Regulation S-P (Apr. 25, 2025).
[5] We have long supported a uniform preemptive data breach notification regime across regulators, to create consistency and reduce complexity, and we continue to urge the Commission to work with other regulators towards a uniform approach. See Letter from IAA President & CEO Karen Barr to SEC Chair Gary Gensler (May 17, 2021). The Gramm-Leach-Bliley Act (GLBA) preempts state laws only to the extent that compliance with a state law would be “inconsistent with” the requirements of the GLBA. A state law is not considered inconsistent if it provides a person with protection that is greater than the protection provided under the GLBA.
[6] We understand from members that their gap analysis faces additional challenges when they have employees as clients. We have also heard from a member firm that began its implementation efforts six months before the Amendments were adopted, anticipating finalization of and overlapping implementation periods for several new rules (discussed in the next bullet point) and reasoning that whatever the final Regulation S-P details were, the firm could do some advance groundwork. This work included external legal and consulting resources, at a total cost of approximately $500,000 so far, as well as about 500 hours of cross-functional internal resources (including operations, IT, compliance, finance, and risk management). We understand that this firm has not yet completed its implementation efforts, although it hopes to be ready by the applicable compliance date.
[7] The proposed amendments to Regulation S-P included a requirement that advisers enter into written agreements with their service providers, which the IAA opposed, noting that advisers often lack the leverage to require terms in written agreements. We appreciate that the Commission addressed our concerns by eliminating the written agreement requirement. We also appreciate that the Commission did not include an explicit requirement that advisers obtain reasonable assurances from their service providers. However, expecting advisers to ensure service provider notification within 72 hours requires that their service providers agree to do so, which raises the concerns about leverage we have discussed.
[8] Another complication of the service provider requirements that we have heard from members is that advisers may have longstanding relationships with service providers (e.g., 10 years or more) that would be difficult to unwind if the service provider declines to agree to the 72-hour requirement since the services are deeply integrated into various operations and systems (e.g., outsourced IT or a cloud service provider).
[9] See the withdrawal of the cybersecurity risk management, safeguarding, predictive data analytics, outsourcing, and ESG disclosure proposals, and FinCEN’s announcement on the AML Rule.
[10] Projects of this nature need to be cross-functional. For example, privacy considerations require just about every business unit to coordinate (sales, client service, HR, IT, Ops, Finance, Compliance, Legal, Risk, etc.), which adds to the complexity and time.
[11] To the extent the Commission determines that the best course of action is to reopen the rule for comment, the IAA supports the proposed rule text that was submitted in the Joint Request for Further Amendments to Regulation S-P (July 18, 2025).
[12] See, e.g., Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Mar. 29, 2005).
[13] Our members have expressed concern that they will be held responsible for breaches that other service providers to the advisers’ clients failed to report (e.g., the client’s custodian), creating additional risk and uncertainty.
[14] The 30-day notice provision, for example, ambiguously states that “[a] covered institution must provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” 248.30(a)(4)(iii).
[15] As with service providers with which advisers have no privity, advisers are similarly concerned about being held responsible for action or inaction they cannot control.