Published on Nov 4th, 2025

Reg S-P Alert for Large Firms

Vigilant Insights

Introduction

Regulation S-P (“Reg S-P”) is an SEC Privacy Rule that requires Financial Firms to protect their Clients’ Personal Information. It governs how Customer Data is collected, shared, safeguarded, and disposed of, and now includes new Rules for Data-Breach Response and Customer Notification.

This Rule applies to Registered Investment Advisers (“RIAs”), Registered Investment Companies (“RICs”), Broker Dealers, Transfer Agents, and Funding Portals: essentially, any Firm that handles Nonpublic Personal Information about individual clients.

Key Deadlines

  • Large entities must comply by December 3, 2025.
    • Large entities include:
      • RIAs with greater than $1.5 Billion in AUM.
      • RICs with greater than $1 Billion in net assets (together with related entities).
      • Broker Dealers and Transfer Agents that are not considered “small entities” under the SEC’s Regulatory Flexibility Act definitions.
  • Small entities (below the thresholds above) have until June 3, 2026. (The amendments took effect August 2, 2024.)

What's New and Important

  • Customer Notification: Notify affected individuals within 30 days if sensitive data is accessed or used without authorization (unless no harm is likely).
  • Service Provider Oversight: Vendors must alert Firms within 72 hours of discovering a breach.
  • Expanded “Customer Information” Definition: Covers any record (paper or digital) with personal data.
  • Recordkeeping: Maintain written policies and proof of compliance for five years (first two readily accessible).
  • Written Incident-Response Program: Detect, respond to, and recover from unauthorized access or use of customer information.

Vigilant's Conclusion

How Vigilant Compliance Can Help

Vigilant Compliance partners with existing and new Clients to meet Reg S-P’s new standards by:

  • Conducting gap assessments against the amended rule.
  • Updating Safeguards, Disposal, and Incident-Response policies.
  • Reviewing vendor contracts for breach-notification terms.
  • Providing training and documentation support for SEC examinations.

With Vigilant Compliance, your firm can be confident, exam-ready, and compliant ahead of the upcoming compliance deadline.
