Skip to main content
All research

Regulation S-P: customer-information systems, providers and incident readiness

The amended rule calls for a current view of customer information, the providers that handle it, and the response the firm can execute when unauthorized access occurs.

By Latif Horst4 min readPrincipals, operations leaders, compliance leaders, and technology leads
Regulation S-P operating view of customer-information systems, providers, incident response, and records.

Begin with customer information, not a product category

For SEC-registered investment advisers and other covered institutions, the amended Regulation S-P creates operating requirements around customer information. Each covered institution needs a current understanding of the systems that hold that information, the people and providers that can reach it, and the response it can execute when unauthorized access or use occurs.

The U.S. Securities and Exchange Commission's small-entity guide describes requirements concerning a written incident-response program, customer notice, service-provider oversight, secure disposal, and records. It also identifies June 3, 2026 as the compliance date for smaller entities. The applicable obligations and legal interpretations belong with qualified compliance and legal advisers. The systems and procedures still have to work in practice.

Build a customer-information systems view

A useful inventory is more than a list of applications. For each material system, record the business purpose, customer-information categories, system owner, provider, user groups, privileged access, integrations, external transfers, retention position, and the evidence available during an investigation.

The view will commonly include email and document services, client relationship management, portfolio and reporting systems, file exchange, archiving, backup, security monitoring, support tools, and provider access. The exact list follows the firm's environment.

Connections matter as much as repositories. Customer information may leave a system of record through an export, an email attachment, a support session, an integration, or a local working file. Mapping those paths exposes gaps that a vendor inventory alone will miss.

Treat providers as part of the operating environment

Provider oversight cannot end when initial due diligence is filed. The SEC guide describes written policies and procedures reasonably designed to require oversight of service providers, including measures to protect customer information and notification to the covered institution as soon as possible, but no later than 72 hours after the provider becomes aware of a breach resulting in unauthorized access to a customer-information system maintained by the provider.

The firm therefore needs current contacts, escalation routes, relevant service commitments, dependencies, and a clear understanding of what the provider will supply during an investigation. Test whether a notice can reach someone with authority outside normal business hours.

Subproviders and services supplied within other products deserve attention when they materially affect the customer-information path. The operating owner should know where responsibility changes hands rather than relying on a single vendor name.

Make the incident plan executable

A written plan should translate into actions people can take under pressure. Define who receives the first alert, who assesses scope, who contains access, who preserves evidence, who coordinates with providers, and who makes legal, regulatory, insurance, and customer-communication decisions.

Exercise the handoffs with a plausible event. Can the firm identify affected systems and information? Can it obtain logs? Can it disable access without destroying evidence? Can the provider reach the right person? Can the team distinguish a security event from an event that triggers customer notice under the rule?

An exercise should produce corrections to contacts, permissions, logging, provider procedures, and recovery steps. A plan that has not been walked through is still an assumption.

Keep records that support the program

The same operating view can organize the firm's evidence: system inventories, access reviews, provider assessments, approval decisions, incident-response procedures, exercise results, security events, assessments, notices, disposal controls, exceptions, and remediation.

Retention requirements should be set with the firm's qualified advisers and implemented in the systems that hold the records. An evidence index is often useful: it identifies the owner and location of each record without duplicating sensitive material into another repository.

Add new services to the same view

An AI-enabled meeting assistant, summarization service, or support tool is one additional service on the map if it receives customer information. Record its purpose, provider, information access, identities, transfers, retained evidence, and failure path just as the firm would for another material service.

Placing the service in the same inventory preserves one view of customer information across architecture, operations, provider oversight, and incident response. New capabilities can be assessed without creating a separate governance system for every product category.

Get future Joans research notes by email.