SEC · Regulation S-P
Regulation S-P Readiness: Safeguards and Breach Response
Regulation S-P is the SEC rule that governs how investment advisers and broker-dealers protect the nonpublic personal information of their customers. The recent amendments modernized the rule for a world of cloud vendors, remote work, and AI tools, adding a formal incident response requirement and a customer notification obligation when sensitive data is compromised.
For chief compliance officers and CISOs, the practical challenge is no longer writing a privacy policy. It is proving, on any given day, that safeguards actually work, that a breach would trigger the right response, and that customers would be notified within the required window. This page explains what the rule asks for and how to keep your program continuously evidenced rather than scrambling before an exam.
Or call us directly: (877) 945-7177
What the rule requires
At its core, Regulation S-P requires covered firms to adopt written policies and procedures reasonably designed to safeguard customer records and information. The amendments sharpen this into concrete program elements, moving the rule from a general standard toward specific, documentable obligations.
The amendments require a written incident response program and, when unauthorized access to sensitive customer information is reasonably likely to cause substantial harm, notification to affected individuals as soon as practicable and generally within 30 days. Covered firms include SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. Smaller firms were given additional time to comply, and that later compliance deadline has now passed, so the full requirements apply across firm sizes.
- A written safeguards program protecting customer records and information
- A written incident response program to detect, respond to, and recover from unauthorized access
- Customer notification, generally within 30 days, when sensitive data is likely to cause substantial harm
- Oversight of service providers that receive customer information
- Applies to RIAs, broker-dealers, investment companies, and transfer agents
Where firms fall short
The most common gap is a policy that exists on paper but is never tested. Firms describe an incident response process without ever running a tabletop exercise, so no one knows whether the 30-day notification clock could actually be met under pressure.
The other recurring weakness is the vendor and technology blind spot. Customer information increasingly flows through cloud platforms, marketing tools, and AI services that were never mapped to the safeguards program. When data lives in systems compliance cannot see, firms cannot demonstrate control of it.
- Incident response plans that are documented but never exercised
- No clear inventory of where sensitive customer information actually lives
- Service providers and AI tools handling customer data outside the safeguards program
- Notification workflows that have not been timed against the 30-day expectation
How Centience helps
Centience gives regulated firms continuous governance over the safeguards and incident response controls Regulation S-P expects. Instead of an annual policy review, it monitors your controls on an ongoing basis and keeps a timestamped evidence trail so you can show an examiner not just what your policy says, but that it was operating.
The free Governance Score maps your current safeguards, incident response readiness, and vendor oversight against what the rule expects in a few minutes, and shows you the specific gaps to close so your program stays exam-ready and continuously evidenced.
FAQ
Frequently Asked Questions
Who has to comply with Regulation S-P?+
The rule covers SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. The amendments apply across firm sizes; the later compliance deadline that gave smaller firms extra time has now passed.
What is the breach notification requirement?+
When unauthorized access to sensitive customer information is reasonably likely to result in substantial harm or inconvenience, covered firms must notify affected individuals as soon as practicable and generally no later than 30 days after becoming aware of the incident.
Do we need a separate incident response program?+
Yes. The amendments require a written incident response program as part of your safeguards policies, designed to detect, respond to, and recover from unauthorized access to or use of customer information. A policy that is never tested is a common exam finding.
How does the rule apply to AI tools and cloud vendors?+
Any service provider or AI tool that receives customer information falls within the scope of your safeguards and oversight obligations. Firms should map where customer data flows and confirm those providers are covered by their program and contractual protections.
See where your firm stands — in minutes.
The free Governance Score gives you a 0–100 readiness score, a peer benchmark, and your priority gaps mapped to the rules that matter.
Get Your Free Governance ScoreOr call (877) 945-7177
