SEC Regulation S-P Amendments: New Incident Response Program Requirements
by: Mittal Patel, Joseph C. Antonakakis, Stark & Stark Newsroom
Monday, October 27, 2025

In May 2024, the U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P, requiring registered investment advisers (RIAs) to adopt written incident response program policies and procedures. While the amendments do not prescribe the specifics, each RIA's incident response program will be required to have written policies and procedures to

  • assess the nature and scope of an incident,
  • contain and control the incident, and
  • notify each affected individual.

RIAs with $1.5 billion or more in assets under management must adopt an incident response plan by December 3, 2025, while those with less than $1.5 billion in assets under management will have until June 3, 2026.

Assessment

The incident response program must include procedures for: (1) assessing the nature and scope of any incident involving unauthorized access to or use of customer information and (2) identifying the customer information systems and types of customer information that may have been accessed or used without authorization. The assessment requirement is intended to identify affected customer information systems and data, determine any unauthorized access or use, and establish the specific customers impacted.

Containment and Control

An incident response program must include procedures to contain and control security incidents and prevent further unauthorized access or use of customer information. Incident response strategies vary by incident type and may involve isolating compromised systems, identifying additional breaches, resetting credentials and keys, or disabling default accounts.

Notification

RIAs must notify each individual whose sensitive information was, or was reasonably likely to have been, accessed or used without authorization, unless a reasonable investigation finds that the sensitive information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

Service Providers

Each incident response program must include policies and procedures designed to oversee service providers. As part of their incident response programs, RIAs may enter into written agreements allowing service providers to notify affected individuals on behalf of the RIA. However, RIAs remain responsible for ensuring that affected individuals are notified.
