Reg S-P Amendments: How AdvicePay Helps RIAs Get Ready for the New Compliance Requirements
The SEC’s 2024 amendments to Regulation S-P mark a major shift in how RIAs must protect client data and respond to cybersecurity threats. For smaller firms, these changes can feel daunting, especially with limited resources and staff. The good news? AdvicePay is already built to help you meet these new requirements, so you can focus on serving clients with confidence.
Below, we break down what’s changing, when you need to be compliant, and how AdvicePay’s platform and business practices keep your firm ahead of the curve.
What's Changed?
The SEC’s Reg S-P amendments modernize privacy and safeguarding rules to address today’s cybersecurity risks. Key updates include:
- Expanded vendor oversight to ensure third-party partners meet security standards
- Written incident response programs for data breaches and unauthorized access
- Stricter customer notification requirements when incidents occur
When Do You Need to Be Compliant?
The SEC has set a staggered timeline for Reg S-P compliance, giving smaller firms a bit more runway to prepare. Large entities—defined as RIAs with more than $1.5 billion in assets under management—must comply by December 3, 2025. Firms with less than $1.5B in assets under management have until June 3, 2026.
While that may seem like plenty of time, the complexity of the new requirements means it’s smart to start now, so your firm can be fully prepared and avoid any last-minute scrambles.
How AdvicePay Supports Reg S-P Compliance
- Service Provider Oversight
Regulators expect you to vet and monitor your technology partners. AdvicePay makes this process even more straightforward with our new Trust Center, which gives firms self-service access to our security policies and compliance documentation.
The Trust Center contains information about our annual SOC 2 Type II audits and third-party penetration testing. AdvicePay also maintains PCI DSS compliance through our payment processor, Stripe. Plus, our vendor approval process ensures all of our third-party partners meet strict security standards.
- Incident Response Program
Reg S-P now requires firms to have a written incident response program and to require the same of their suppliers.
Our written Incident Management Policy and Incident Management Process allow us to detect, respond to, and recover from incidents, including those that involve unauthorized access to customer information. The Incident Management Policy is available for download in the AdvicePay Trust Center.
- Customer Notifications
If a data incident occurs, Reg S-P requires timely notification to customers. Our privacy policy and terms of use clearly outline how we handle and safeguard personal information.
In the event we become aware of a breach, we’re committed to notifying customers within 72 hours (unless otherwise specified in your contract). Our team is trained to respond quickly and provide clear communication, so you’ll always know what’s going on and whether you need to communicate with your clients to stay in line with regulatory expectations.
- Disposal Rule
Rest assured that AdvicePay never processes or keeps paper records containing sensitive customer information. Any electronic media containing sensitive customer information is securely erased or destroyed, as required.
Built for RIAs, Ready for What’s Next
Because our sole focus is serving financial advisors, we continuously update our platform and practices to keep you compliant as SEC and state regulations evolve. With AdvicePay, you don’t have to worry – we’re already one step ahead, so you can be too.
To download AdvicePay’s incident management plan, security policies, and an attestation of our adherence to Reg S-P requirements, visit our Trust Center.