In the Press
February 25, 2026

Reg S-P's Ticking Clock (Private Funds CFO)

Smaller registered investment advisers preparing for the Securities and Exchange Commission’s amended Regulation S-P are discovering that the hardest work is not rewriting policies, but tracing where investor data lives — and persuading vendors to take notification obligations seriously. Kaitlin Betancourt, a partner at Goodwin, warns firms not to treat Reg S-P as a paper exercise. “At a high level, this shouldn’t be viewed as just a compliance exercise. It requires advisers to implement a full incident response program, which goes well beyond updating policies. To operationalize the rule, firms need to take a holistic look at their cybersecurity posture,” she says. She stresses that the clock starts quickly once vendors report incidents, since service providers must notify the covered institution within 72 hours of identifying a breach.

Betancourt says one major challenge larger firms face with Reg S-P compliance involves service provider incidents. She notes that “it’s easy to get a 72-hour notification commitment,” but it’s harder ensuring cooperation afterward. “Smaller firms should think carefully about which vendors hold the most sensitive data and develop relationships that allow them to quickly obtain details if something goes wrong — otherwise, they could be facing a 30-day deadline with very little information and be forced to notify investors without clarity,” Betancourt cautions. “They may want to include language requiring reasonable cooperation in their vendor assurances and conduct their own diligence to understand where data sits across systems.”

Read the Private Funds CFO article for more.