By Christopher L. Wallace, CPA, Partner
What Registered Investment Advisors need to know about the revised cybersecurity requirements
New compliance standards for customer data protection issued by the Securities and Exchange Commission (SEC) are now coming into full effect. The SEC is requiring Registered Investment Advisors (RIAs) to implement a written incident response program and promptly notify individuals of any data breaches. The amendments also expand compliance requirements, broaden the scope of protected data, mandate documentation, and align privacy notice rules with the Gramm-Leach-Bliley Act (GLBA).
The effective date of these changes is based on the size of the RIA’s Assets Under Management (AUM):
- RIAs with AUM above $1.5 billion are currently required to meet these revised standards with a compliance start date of December 3, 2025.
- RIAs with AUM below $1.5 billion will need to comply by June 3, 2026.
Background on the SEC’s data protection regulations
Registered broker-dealers, investment companies, and investment advisers are required to establish written policies and procedures that provide administrative, technical, and physical protections for customers’ nonpublic personal information (NPI). This includes information like account numbers, tax identification numbers, investment records, and other sensitive data that could be used to identify or harm a client if accessed without authorization.
In 2024, the SEC revised these standards to account for the increasingly sophisticated methods being used to breach data. By enforcing these new requirements, the SEC aims to strengthen how data is managed and how data breaches are responded to and reported.
Enhanced data security standards RIAs must follow
The SEC amendments clarify and expand how client information must be protected. Previously, different rules, like the GLBA, applied to different types of data, creating inconsistency. The amendments introduce a unified definition of “customer information,” covering any record containing nonpublic personal information, and apply it across both safeguarding and disposal requirements.
The SEC now requires covered institutions to:
- Implement a written incident response program designed to detect, respond to, and recover from unauthorized access to customer information.
- Establish procedures to notify individuals if their sensitive data has been or is reasonably likely to have been compromised.
- Send notifications as soon as practicable, and no later than 30 days after the organization becomes aware of a data breach incident. These notices should clearly explain what happened, what information was affected, and the steps individuals can take to protect themselves.
These rules apply not only to an organization’s own customer data, but also to customer data received by third parties.
Keiter’s Financial Services Industry team provides proactive guidance to help financial service firms interpret new requirements and implement effective compliance strategies as regulations evolve. If you have any questions, please reach out to your Keiter Opportunity Advisor by email or call 804.747.0000.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.