Regulation S-P Deadline Looms

Published On: 08 October 2025

The SEC continues to remind the financial industry through enforcement actions[i] and otherwise[ii] that registered investment advisers (“RIAs”), broker dealers (“BDs”) and other covered financial institutions have existing obligations to safeguard investors’ nonpublic personal information.

Under Regulation S-P[iii], those obligations are significantly enhanced for large institutions, which include RIAs with over $1.5 billion of assets under management, as of December 3, 2025. The compliance deadline for smaller institutions is June 3, 2026.

The principal elements of the SEC amendments include:

Incident Response Program. The final Safeguards Rule requires covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The amendments require that a response program include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use.

Notification Requirement. The response program procedures in the amendments include a requirement that covered institutions provide a notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice will not be required if a covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Under the amendments, a customer notice must be clear and conspicuous and provided by means designed to ensure that each affected individual receives it. With limited exceptions (e.g. national security), notice must be provided as soon as reasonably practicable, but not later than 30 days, after the covered institution becomes aware that unauthorized access to or use of customer information has, or is reasonably likely to have, occurred.

Service Providers. The amendments to the Safeguards Rule include new provisions that address the use of service providers by covered institutions. Covered institutions are required to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight of service providers, including through due diligence and monitoring, and to ensure that affected individuals receive any required notices. The amendments make clear that while covered institutions may use service providers to provide any required notice, covered institutions retain the obligation to ensure that affected individuals are notified in accordance with the notice requirements. Service providers will have up to 72 hours to notify a covered institution after becoming aware of a breach.

Books and Records. The Books and Records Rule[iv] has been amended to require RIAs to maintain specific written policies and procedures with respect to the Safeguards Rule, including the incident response plan and oversight of service providers and the Disposal Rule.

Orical LLC has extensive resources to assist covered entities with Regulation S-P implementation. We anticipate that Regulation S-P compliance will be the subject of routine SEC examinations commencing in December of this year.

[i] See Parker Terrill Austin and Embarcadero Capital Advisors, Inc., Litigation Release No. 26395 (Sept. 11, 2025).

[ii] See SEC Fiscal Year Examination Priorities p. 12.

[iii] See Regulation S-P. The Safeguards Rule is Section 248.30(a); the Disposal Rule is Section 248.30(b).

[iv] See Advisers Act Rule 204-2 clauses 25(i)-(vi). Records are also required with respect to (i) unauthorized access to or use of customer information; (ii) investigations of incidents and determinations made; and (iii) any contracts entered into with service providers.