Name: Webinar Replay: Regulation S-P – What You Need to Know!
Start: 2026-02-25T00:00:00

Question 1

With respect to the 72-hour vendor notification requirement, if a vendor won’t agree [sic] to a contract amendment or certification, what should the firm do?

Accepted Answer

Firms should document the request and the denial and keep that in the compliance files to provide to the SEC in the event of an examination to demonstrate the attempt to comply. The firm should also consider documenting any discussions around the potential option of selecting a new service provider upon contract renewal. Firms should also ensure that the current contract includes at least a notification provision, whether that is “promptly” or some other definition, even if the service provider will not commit to the 72-hour deadline

Question 2

If you work in a coworking space and utilize their online printing system/internet/shredding company, etc., would the building then turn into a vendor in the case of the 72-hour notification?

Accepted Answer

Yes, in Kroll’s opinion the SEC would expect that the landlord was deemed a critical vendor and if there were any breaches which compromised the information of a registered firm, the landlord should be obligated to provide notification. Ideally, the notification would be certified or contracted to comply with the 72-hour requirement, but if not, please see the response to the first question.

Question 3

The three-day notification requirement starts when the adviser is made aware of the breach, not when the breach occurs, correct?

Accepted Answer

That is correct. The adviser has 72 hours from the time a breach is identified.

Question 4

Under amended Reg S-P, are the rules applicable to institutional accounts (legal entity customers) or only individuals (humans) with PII [personally identifiable information]?

Accepted Answer

Regulation S-P is applicable to “consumers.” “Consumer” is defined in the regulation as “an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.”

Question 5

Would you consider a vendor that removes and destroys hard copy documents one that manages sensitive information and would therefore be part of Reg S-P concerns?

Accepted Answer

Yes, in Kroll’s opinion, a document destruction service provider would likely have access to sensitive information and would therefore be a captured service provider for purposes of the regulation. In addition, Regulation S-P requires firms to address the secure disposal of any sensitive data and would also cover any destruction service providers.

Question 6

Please provide clarification on the 72-hour and 30-day notice periods.

Accepted Answer

Regulation S-P requires advisers to provide notice to customers whose information has been compromised “as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred.” Service providers entrusted with sensitive data by the adviser must notify the adviser within 72 hours of identifying unauthorized access to the adviser’s sensitive data.

Question 7

How specifically does the Incident Response Plan [IRP] need to address customer notifications? Is it enough to assign internal responsibility for making the determination “based on applicable laws and regulations”? That way we satisfy requirements from other laws (GDPR, NYDFS [New York State Department of Financial Services], etc.).

Accepted Answer

It is up to individual firms as to how detailed they wish to get in the written Incident Response Plan. However, the determination of whether notification should be made is only one step in the process. If the designated individual determines that notification must be made, does the individual have a next set of steps to follow? In Kroll’s opinion, discretion in determining how much detail to include in the IRP lies with the firm, but once that determination is made, there should be a defined set of procedures and identified individuals responsible for ensuring that the process is carried through in accordance with the regulations.

Question 8

From the language of the regulation, it does not appear that it applies to investors in a private fund, just clients of the adviser. Is that correct?

Accepted Answer

Technically, that is correct. Investors in a private fund are not consumers or customers of the adviser under the regulation. However, advisers should not view investors in private funds managed by the adviser to be “exempt.” Firstly, private funds meet the definition of “financial institution” under the Federal Trade Commission (FTC) regulations implementing the Gramm-Leach-Bliley Act. So even if the adviser isn’t technically obligated to private fund investors under Regulation S-P, the general partner/manager is obligated to investors in the private fund under the FTC regulations.

Secondly, there is a provision in the current amendments that applies the Regulation S-P requirements to data that may be in the possession of advisers, even if it is not sensitive data of its consumers. Therefore, advisers do likely have an obligation under the regulation to investors where they are in possession of sensitive data as a result of their relationship to the general partner or fund manager despite investors not technically meeting the definition of “consumer” or “customer.”

Webinar Replay: Regulation S-P – What You Need to Know!

Key Takeaways

Key Sections From the Webinar

FAQs

Speakers

Stay Ahead with Kroll