Regulation S-P, NPI, and Sub-Advisers: When “Sub-Advisers” Are Vendors – and When They Are Not

Executive Summary

The Securities and Exchange Commission’s (SEC) 2024 amendments to Regulation S-P significantly reshaped advisers’ privacy and cybersecurity obligations, particularly in service-provider oversight and the timing of breach notifications for sub-advisers. Under the amended rule, a sub-adviser with access to client nonpublic personal information (“NPI”) is now treated as a service provider or vendor for privacy and breach notification purposes in most arrangements. However, an important exception applies when the sub-adviser contracts directly with clients and independently obtains its own NPI. Even then, advisers must proceed carefully, as shared data and operational realities often blur the lines regulators care about most.

Regulation S-P’s Focus Is Data Access, Not Titles

Regulation S-P, grounded in the Gramm-Leach-Bliley Act, governs the protection of consumers’ and customers’ NPI. It requires advisers to adopt written policies and procedures reasonably designed to safeguard customer information and respond appropriately to incidents of unauthorized access or use. The amended rule emphasizes incident response, notification timing, and oversight of third parties that access customer information on the adviser’s behalf.

Critically, the SEC’s analysis does not hinge on whether a firm is labeled a “vendor,” “partner,” or “co-fiduciary.” Instead, the regulatory focus is on whether the third party has access to customer information in connection with advisory services. Where that access exists, vendor-level oversight is expected.

Why Sub-Advisers Are Commonly Treated as Service Providers

In a traditional sub-advisory structure, the sub-adviser does not operate in isolation from the adviser’s client information ecosystem. To perform portfolio management or related advisory functions, sub-advisers routinely receive or access account-level data, portfolio holdings, performance information, or systems that contain client NPI. From a Regulation S-P perspective, this data access, not the firm’s professional advisory role, determines regulatory responsibility.

The SEC’s amended Regulation S-P reflects a functional approach to third-party oversight. When a sub-adviser can view, store, transmit, or process customer NPI in connection with services provided on the adviser’s behalf, regulators generally view that sub-adviser as operating within the adviser’s service-provider framework. The distinction between a “vendor” and a “sub-adviser” carries little weight where data access and cybersecurity risks are shared.

The 72-Hour Notification Expectation

The amended Regulation S-P now expressly requires investment advisers to maintain written policies and procedures reasonably designed to ensure that service providers notify the adviser as soon as practicable, but no later than 72 hours after becoming aware of any unauthorized access to or use of customer NPI. This represents a material shift from the pre-amendment framework, under which vendor notification timelines were largely driven by contractual best practices rather than explicit regulatory mandate.

This 72-hour service-provider notification requirement is foundational to the adviser’s ability to satisfy its own downstream obligations under Regulation S-P. Upon receiving notice, the adviser must investigate the incident, evaluate the scope of the unauthorized access, and determine whether misuse of customer NPI has occurred or is reasonably likely to have occurred. Where that determination is made, the adviser must provide notice to affected individuals as soon as practicable, but in no event later than 30 days after such determination. Timely escalation by service providers is therefore essential to effective compliance.

As a result, SEC examination staff now expect advisers to demonstrate that the 72-hour notification requirement is clearly embedded in either the service-provider and sub-advisory agreements or a supplemental commitment of the sub-adviser, reflected in Regulation S-P policies and incident-response procedures, and operationally integrated into escalation workflows. Failure to require or enforce this notification standard is increasingly viewed not as a drafting oversight, but as a substantive weakness in an adviser’s Regulation S-P compliance program.

The Narrow Exception: Direct Client Contracting and Independent NPI

A limited exception may apply when a sub-adviser contracts directly with the client and independently collects and maintains its own NPI without receiving customer information from the primary adviser. In this structure, the sub-adviser is not accessing NPI on the adviser’s behalf but rather in connection with its own direct client relationship. As a result, the sub-adviser generally bears its own standalone Regulation S-P obligations with respect to that independently obtained NPI.

However, this exception is highly fact-specific and depends on the absence of meaningful data sharing or operational overlap. If the adviser provides client onboarding information, portfolio data, reporting inputs, or system access that exposes customer NPI to the sub-adviser, regulators are unlikely to view the sub-adviser as operating outside the adviser’s service-provider framework. Similarly, shared technology platforms, coordinated reporting functions, or integrated compliance processes can bring the sub-adviser back within the adviser’s Regulation S-P perimeter, regardless of the contractual structure.

Even when a sub-adviser independently obtains NPI and maintains a separate client contract, regulators still expect timely coordination and information-sharing if a cybersecurity incident could affect shared clients, disclosures, or regulatory obligations. In practice, advisers should carefully document any reliance on this exception and avoid assuming that direct contracting alone eliminates service-provider responsibilities. Examination staff consistently focus on actual data flows and incident response readiness rather than on formal labels when evaluating compliance with the amended Regulation S-P.

Practical Compliance Takeaways

Considering the amended Regulation S-P, advisers should begin their analysis by clearly understanding how client NPI flows through the organization and its third-party relationships. Contractual labels and organizational charts are far less important than operational reality. Where sub-advisers or other third parties have access to client NPI, whether through shared systems, reporting functions, or data feeds, advisers should treat those entities as service providers under Regulation S-P and apply the same safeguards, escalation protocols, and oversight expectations.

Advisers should also ensure that their service-provider and sub-advisory agreements or side-letter commitments expressly incorporate the amended Regulation S-P requirements, including the obligation to notify the adviser as soon as practicable, but no later than 72 hours after discovery of any unauthorized access to or use of customer NPI. Regulation S-P policies and incident-response procedures should align with these contractual obligations and clearly define escalation responsibilities to avoid gaps during an actual event.

Finally, when an adviser believes a sub-adviser falls within the narrow direct-contract exception, that conclusion should be carefully documented and periodically reassessed. Even so, advisers should evaluate whether shared data, overlapping systems, or coordinated client communications create residual notification or coordination obligations. In practice, regulators expect advisers to demonstrate preparedness and transparency rather than rely on formal distinctions that may not reflect how client information is actually handled.

Bottom Line

Sub-advisers are treated as service providers under Regulation S-P far more often than firms anticipate, especially when they have access to client NPI. A narrow exception may apply when a sub-adviser contracts directly with clients and independently maintains its own NPI, but that exception is highly fact-dependent and often undermined by shared data, systems, or reporting functions. The key takeaway for advisers under the amended Regulation S-P is that they must now affirmatively require service providers to provide breach notification within 72 hours of discovery, making contractual alignment and procedural clarity essential. Advisers that fail to map data access accurately or rely solely on formal relationship labels risk examination findings characterized as substantive Regulation S-P violations rather than technical deficiencies.