For registered investment advisers
If an examiner asked today, could you produce the written incident-response program Regulation S-P now requires, and the process to notify clients of a breach? I build both, protect the client financial data your business runs on, and start with a gap assessment, not a contract. This is a plan, not a compliance guarantee.
You hold the full financial picture of every client: account numbers, balances, Social Security numbers, custodian logins. The whole business rests on those people trusting you with it, and the SEC has now put the protection of it in writing.
In 2024 the SEC amended Regulation S-P (17 CFR 248.30). The amendments require registered investment advisers to maintain a written incident-response program and to notify affected individuals of a breach (SEC, Regulation S-P final rule, Federal Register, June 3, 2024, federalregister.gov). If your firm is SEC-registered, it applies to you directly.
Financial firms are actively targeted because the data converts straight to money, and small advisory practices are squarely in scope. The exposure for a small firm is concrete: the cost of the breach itself, the client conversation about whether their money is safe with you, and an examiner who asks for a program you cannot produce. Building it ahead of time is small next to any one of those.
The same work also protects your insurance posture. The controls a cyber-insurance carrier asks about before it will quote or pay are the controls Reg S-P expects, so building the program keeps you able to qualify, bind, and keep a claim from being denied.
Reg S-P names the parts. Written policies and procedures that cover each of these are what an examiner expects to see (SEC, Regulation S-P amendments, sec.gov).
Assess
Written steps to determine the nature and scope of unauthorized access to client information, so you know what happened instead of guessing during the worst week of the year.
Contain
Procedures to contain and control the incident and limit the damage, so a single compromised mailbox or laptop does not become every client account.
Notify
A process to notify affected individuals, generally within 30 days of determining their information was, or likely was, accessed. The clock starts on determination, not on cleanup.
Oversee
Oversight of the service providers that touch client data, including your CRM, portfolio tools, and custodian access, so a breach at a vendor is handled as your documented responsibility rather than left to the vendor.
Record
The program and every response documented, so when the examiner asks, you hand over a real record instead of describing what you would have done.
If you determine that a client’s nonpublic personal information was, or was likely, accessed without authorization, you generally must notify that person within 30 days (SEC, Regulation S-P amendments). The clock starts when you make the determination, not when the cleanup is finished.
That is why the program is written before anything happens. In the middle of an incident you do not want to be deciding how to assess scope, who to call, or what the notice says. You want to follow steps you wrote on a calm day. A documented program turns a 30-day deadline from a scramble into a checklist.
The FTC Safeguards Rule and SEC Regulation S-P both come from the same law, the Gramm-Leach-Bliley Act, and both protect client financial data. Which one binds you depends on who regulates your firm. The underlying security work overlaps heavily.
| What it covers | FTC Safeguards Rule | SEC Regulation S-P |
|---|---|---|
| Who enforces it | Federal Trade Commission | Securities and Exchange Commission |
| Who it binds | Non-bank financial firms: CPA and tax practices, insurance, finance companies | SEC-registered investment advisers and broker-dealers |
| Written security plan | Written information security program (WISP) with a named qualified individual | Written policies and procedures, including the incident-response program |
| Breach notification | Safeguards Rule centers on the program; notification duties vary | Notify affected individuals, generally within 30 days of determination |
| Shared root | Implements the Gramm-Leach-Bliley Act; the protective controls are substantially the same | Implements the Gramm-Leach-Bliley Act; the protective controls are substantially the same |
State-registered Texas advisers, generally those under $100 million in assets under management who register with the Texas State Securities Board, are not bound by Reg S-P directly, but still have safeguarding duties under GLBA and state rules. The protective work is the same.
The starting point is a fixed-scope gap assessment of your firm against Regulation S-P, or the equivalent state safeguarding duties, including your incident-response program and notification process. You get a written report ranked by risk, and a plan you keep whether or not you hire me.
The person who assesses your firm is the person who does the work and answers the phone, so the incident-response program is not something a generalist vendor “will get to.” And you own your Microsoft tenant, your credentials, and your backups, always, with a documented runbook and a named escalation path so you are never locked in, including to me.
This is a gap assessment plus an ongoing program. It is not a certification, and no honest provider guarantees compliance.
Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.
I check how a fraudulent instruction would move through your office today and where the gaps are, then give you written findings. No commitment, yours to keep.
Get my free review