June 5, 2024

Align Insights: Industry Leaders Discuss Enhancements to Regulation S-P

by: Align

The alternative investment industry is always innovating to help broker-dealers, transfer agents, investment companies, and Registered Investment Advisors keep up with important regulatory changes. The US Securities and Exchange Commissions (SEC) recently announced enhancements to Regulation S-P, another layer of ongoing regulatory changes impacting how financial institutions handle customer data. To navigate the complexities, Align has gathered a group of esteemed industry experts to react to these enhancements to Regulation S-P.

Together we will explore its impact on our industry from various viewpoints – the challenges and opportunities it presents and even explore Regulation S-P’s potential long-term implications.

We invite you to read Align Insights Article: Industry Leaders Discuss Final Rules – Enhancements to Regulation S-P.

Industry Insights into the New SEC Regulations

Alex Bazay, Chief Information Security Officer, Align Managed Services

Circle Headshots - 2024-05-31T134849.393The recent approvals for amendments to Regulation S-P (also known as "safeguards rules"), which primarily governs the privacy and safeguarding of customer information by financial institutions, are not just a necessary response by the Securities and Exchange Commission to the ever-evolving cybersecurity landscape but also a timely one. The amendments emphasize more stringent requirements for incident response and data breach notifications, mandating that covered entities not only implement comprehensive written policies and procedures for safeguarding customer records but also promptly inform affected individuals and regulatory authorities in the event of significant breaches.

This shift highlights the authorities’ growing recognition of the critical importance of timely communication and transparency in maintaining trust and mitigating the impact of potential data breaches. By holding companies to higher standards of accountability and preparedness, these amendments aim to enhance the overall resilience of the financial sector against cyber threats.

From the practical point, the adopted amendments will require broker-dealers, investment advisers, and investment companies to:

  • Create a standalone Incident Response Plan that explicitly addresses scenarios related to unauthorized access to the client's information.
  • Demonstrate that such a plan is maintained and tested periodically (e.g., running periodic tabletop exercises).
  • Adopt a breach notification protocol in case of customer data compromise (to be done within 30 days after the company becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have happened).
  • Adopt a Data Lifecycle Policy that will include guidelines for the disposal of customer information.

Furthermore, the new requirements are not just another set of rules to follow but a supportive measure that aligns well with the broader trend of different regulatory bodies to focus on proactive risk management and governance. The emphasis on regular assessments and updates to security measures ensures that financial institutions are continuously adapting to the latest threats and vulnerabilities. This proactive stance is crucial in an environment where cyber threats constantly evolve and become more sophisticated.

These amendments represent a significant step forward in fortifying the cybersecurity posture of financial institutions. They underscore the importance of robust incident response strategies and highlight the necessity for ongoing vigilance and adaptability in the face of emerging cyber risks.

Wendy Beer, Independent Director, Azimuth Governance

Circle Headshots - 2024-05-31T141350.827Cyber-criminals are seizing upon the US Securities and Exchange Commission (SEC)’s zealous focus on cybersecurity, finding inventive ways to weaponize them. Recent SEC rules require public companies to disclose “within four business days after they determine that a cybersecurity incident is material and to report ransomware payments within 24 hours”, were used by an active ransomware group to double down on their victim. Hoping for a whistleblower reward, the criminals notified the SEC of the company’s failure to file the required form 8 – K, within the mandated timeframe.


While a similar rule was proposed for private fund advisers, a final rule has not yet been adopted. Perhaps tired of industry pushback against “new rules” , the SEC recently issued amendments to Regulation S-P (“Reg S-P”), broadening its scope for covered entities (which includes alternative investment advisers, whether or not registered with the SEC).The amended rules require notification to individuals whose “sensitive” customer information was accessed without authorization, “unless” it is not “reasonably likely” to be used in a manner resulting in “substantial harm or inconvenience”. The amended rules also extend to service provider data security breaches involving sensitive client information, expanding a manager’s oversight responsibilities.


Beyond written policies and procedures, vulnerability assessments, etc. this expanded scope of Reg S-P pushes governance to the forefront. Managers should proactively be engaging in conversations with independent directors, counsel, and service providers having relevant expertise, as well as top tier insurance carriers offering transcripted cyber-coverage. With such subjective criteria, managers’ ability to make timely decisions around required investor and regulatory disclosures becomes paramount. Decisions made prior to completion of forensic examinations will be reviewed by regulators, with the benefit of hindsight.

Gary Berger, Partner and Financial Services Industry Leader, Northeast, CohnReznick

Circle Headshots (35)

Fund managers understand the need to protect consumers' nonpublic personal information, however, they express concerns about the increased costs and operational burdens associated with the enhancements to Regulation S-P.  I can’t think of one client who doesn’t support a commitment to strong data security and investor privacy.  With increasingly frequent and complex attacks targeting financial services firms, and per Regulation S-P, fund managers must develop written policies and procedures to protect investor information and create a comprehensive plan to manage data breaches.  We are encouraging our clients to discuss the implementation of Regulation S-P with our Cybersecurity, Technology Risk, and Privacy team or their relevant service providers.

Jacob Cane, Managing Director, Head of Cybersecurity Risk Services, Salus GRC

Circle Headshots - 2024-05-31T145344.131The new Regulation S-P amendments raise the stakes for RIAs through more stringent disclosure requirements in the event of a cybersecurity breach. Firms will have stronger than ever incentives to implement strong cybersecurity controls to prevent breaches and a clear mandate to implement comprehensive incident response plans. An independent cyber risk assessment remains the best way for most firms to get started in understanding their readiness and to prioritize risk mitigation efforts.

The SEC’s inclusion of service provider due diligence requirements in the amendments is another sign of their continued interest in service provider due diligence and an indication that we should expect strong requirements around service provider management in the finalized versions of the proposed cybersecurity rule and the proposed outsourcing rule. Service provider due diligence expectations are not only here to stay, but they are only going to get more stringent.

On the technical side, we anticipate increased adoption of data discovery, file permissions and access auditing tools. Restricting sensitive data access to necessary employees limits potential exposure and robust audit logs are critical in preventing over disclosure in an environment where the SEC squarely puts the burden of proof on the Adviser

Todd Cipperman, Managing Principal, Cipperman Analytics 

Circle Headshots - 2024-05-31T152124.533The SEC finally adopted enhancements to the rules governing how investment advisers, broker-dealers, and investment companies must protect customer financial information.  

The headline news is that RIAs, BDs, and mutual funds must immediately (i.e. within 30 days) notify affected customers if a breach occurs.  Notice must be provided in a manner reasonably expected to be received (e.g. email or snail mail if required).   The Rule details the content requirements including information about the breach, who to contact, and what to do.  This new federal notification requirement supplements already-existing state-by-state notification requirements.

This new federal notification requirement sounds good, but what does it really accomplish?   RIAs, BDs and funds have been sending breach notices to customers for years, as required by many state laws.   Consumers already have alert fatigue.  Most firms already want to avoid data breaches for many reasons including asset protection, data integrity, reputation, and the state notice requirements.  Will this new notice requirement wake up some subset of firms who have weak data protection and will now be scared into better behavior because of a federal notification requirement?   Maybe.

I don’t think this revised Regulation S-P will fundamentally change how diligently firms will act to protect personal financial information.  I don’t think it will change the behavior of customers receiving the notices.  However, it does add work for the compliance officers charged with implementing the new rule.  It also gives the SEC another rule to use during exams and enforcement cases.  

Ed Fasano, Co-Founder, EAC LLC

Circle Headshots (38)The enhancements to Regulation S-P highlights the SEC’s emphasis on the critical importance of ensuring that financial institutions are taking the necessary precautions to safeguard customer information and maintain privacy. One of the guiding principles that we leverage at our firm is to work with all clients to ensure that they choose the right partners early on to allow for them to follow the Regulations without disrupting workflow, while protecting customer information and privacy. As a partner, we allow our clients to focus on including their Administrator, outsourced COO/CFO, outsourced IT, outsourced compliance, along with others. Clients should work together with all their selected partners to ensure that all processes and procedures in place work towards the goal of maintaining those rules put forth by Regulation S-P. EAC envisions the regulatory landscape will continue to expand to encompass all vendors in the financial services industry, including all outsourced providers. EAC continues to be on top of all updated rules and regulations to ensure we put forth all current best practices and requirements in front of our clients.

James Mignacca, CEO, Cavelo
Circle Headshots (41)

For the most part, broker-dealers, investment companies and RIAs are aware that knowing where their data is, who has access to it and that they have the ability to report on it post-breach is a basic and fundamental component of SEC compliance. What's different with these amendments are implications to firms who may not have best practices in place to support those functions. When it comes to preventing and responding to breach events, knowing where data resides and who has access to it is essential, but limiting access on a continuous basis is critical best practice. Doing so allows firms to quickly understand threats and liabilities based on who potentially had access to vulnerable data and where it is (or was) within network systems or software.

Factors that affect data (like software and configuration vulnerabilities) will become a focal point moving forward as those factors greatly impact organizational risk. For firms, having the ability to discover an organization's assets and the data they contain on an ongoing basis will support regulatory readiness, especially as new and potential resource-intensive amendments continue to roll out.

Casey Jennings, Counsel, Seward & Kissel

Circle Headshots - 2024-06-05T110758.968The Regulation S-P amendments will require broker-dealers, investment advisers, investment companies, and transfer agents to devote considerable time and expense to revising their written policies and procedures to deal with potential data breaches.

This won’t be a one-time effort either. Every vendor relationship will need careful scrutiny and every vendor contract involving the processing of data will require detailed legal review. Moreover, every data incident will require legal and compliance review.

In our experience, the S-P amendments merely codify best practices. S&K has seen a dramatic increase in the number of cyber incidents in financial services over the past 12 months, particularly in the investment management industry. While the implementation costs may seem somewhat onerous, complying with the S-P amendments may reduce the chances of a catastrophic data incident. Moreover, vendors often push back against financial institutions inserting data protection contractual provisions; the new rules will give financial institutions firmer grounding to push for important protections in vendor agreements. Finally, the new rules may eliminate the need for painstaking 50-state reviews of data breach notification laws in the event of a breach, thus potentially reducing the costs associated with responding to a data incident.

Vinod Paul, President, Align Managed Services

Vinod Paul_Circle_2024As the Securities and Exchange Commission adopts amendments to Regulation S-P, it serves as a reminder that broker-dealers, investment companies, and registered investment advisors must prioritize effectively managing their technology footprint and service providers to ensure robust controls are in place to manage this process. Client stakeholders often emphasize finding a quick-fix or band-aid solution, but the focus now goes beyond merely "checking a box."

As fund managers navigate and adopt these new amendments, they must prioritize more than just written policies, procedures, and vulnerability assessments. The expanded scope of Reg S-P underscores the importance of selecting the right service providers from the outset and establishing robust governance.

Given the current cybersecurity threat landscape alongside new regulatory demands and operational due diligence, we encourage stakeholders to stay prepared and embrace a proactive approach. Effective planning is as crucial, if not more so, than any robust response.

Practically speaking, focus on the following:

  • Choose strong service providers who can demonstrate their capabilities.
  • Implement effective technology and cybersecurity policies from the beginning; do not grow into them.
  • If current service providers are unsatisfactory, promptly switch to one that can meet the requirements.
  • Develop a standalone Incident Response Plan that explicitly addresses scenarios related to unauthorized access to stakeholders' information.
  • Ensure that this plan is maintained and tested periodically, such as through scheduled tabletop exercises.
  • Establish a breach notification protocol to be enacted within 30 days of discovering or suspecting unauthorized access to or use of customer information.
  • Adopt a Data Lifecycle Policy that includes guidelines for identifying PII, managing data access permissions, and disposing of customer information.

Mark Sangster, Chief of Strategy, Adlumin
Circle Headshots (36)

The SEC's adoption of Regulation S-P, a set of privacy rules governing the management of nonpublic personal information, illuminates more than data governance. These rules highlight the need for integrated data management and incident response.

Incident response planning is not just about reacting to incidents, but about adopting a proactive 'when not if' philosophy. The rules, while not providing detailed incident response procedures, do set the ambitious goal of policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information. These rules also highlight the importance of identifying nonpublic (protected) information, determining if this data is improperly exposed, and swiftly reducing the risk associated with this exposure.

It reminds us that planning is equally (if not more) important than any vigorous response. Covered institutions should plan for incident response and test these capabilities through tabletops and mock scenarios. Moreover, these exercises allow fund managers and technical leaders to communicate under simulated stress, developing inter-team trust and communication and reminding managers that cybersecurity is not an IT problem to solve; rather, it’s a business risk to manage.

Chris Zadrima, Chief Operating Officer, Align
Circle Headshots - 2024-05-02T105119.021

The long-awaited update to Regulation S-P by the Securities and Exchange Commission has been officially adopted. This update includes enhancements to the rules that govern how investment advisers, broker-dealers, and investment companies must safeguard customer financial information.

Every client we have encountered emphasizes the importance of robust data security and investor privacy. Given the rise in sophisticated cyberattacks against financial institutions and the requirements of Regulation S-P, fund managers must formulate detailed protocols to safeguard investor data and devise a holistic strategy for handling data breaches. Foundational technology controls coupled with strong governance have become an essential requirement for this industry.  Firms must prioritize how their service providers can implement controls with the new requirements around Regulation S-P with Cybersecurity, Technology Risk, and Privacy team or their appropriate service providers.


About the Contributors: 

Circle Headshots - 2024-05-31T134849.393Alex Bazay - Chief Information Security Officer, Align Managed Services

Alex Bazay brings over 20+ years of experience in the information technology industry and expertise in cybersecurity, IT, compliance, business continuity, and disaster recovery to his role as Chief Information Security Officer. Alex brings tremendous technological leadership and security expertise to the company. Before joining Align, Alex was Chief Technology Officer and Chief Information Security Officer at Gruss Capital Management, a boutique global financial company. He was responsible for all day-to-day operations and strategic planning relating to information technology, business continuity, and cybersecurity. Before that, Alex held various consulting positions during which he advised clients in cybersecurity defense, operational strategies/executions, and overall IT strategies/executions. Alex currently serves as a Board Member of the ISACA NY Metro Chapter, Governing Body Member of the Evanta NYC Executive CIO Community, and a Member of the Vation Ventures New York Innovation Advisory Council. He also sits on numerous other advisory boards and holds several industry certifications, including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Chief Information Security Officer (C|CISO), Certified Data Privacy Solutions Engineer (CDPSE).

Click Here to Learn More

Circle Headshots - 2024-05-31T141350.827Wendy Beer, Independent Director, Azimuth Governance

Wendy serves as an independent director with Azimuth. Prior to joining Azimuth, Wendy was Managing Director and head of Wells Fargo Prime Services’ Business Consulting Group, responsible for the development and management of the platform’s business consulting services. Prior to joining Wells Fargo Securities, Wendy was a consultant at Tiger Bay Advisors where she provided supplemental, interim, and on-going subject matter solutions to help hedge funds manage and operate key business functions. Before her work at Tiger Bay, Wendy held a number of key industry roles including a director in Credit Suisse’s Global Credit Products where she specialized in business development and sales and marketing of tailored leveraged facilities to alternative asset managers. Prior to Credit Suisse, Wendy worked in Salomon Smith Barney’s legal department. She also was a senior attorney in the SEC’s Enforcement Division, and has held legal roles in Furman Selz and Lehman Brothers. Wendy holds a B.A. in Communications from Northwestern University, a J.D. from Brooklyn Law School and a Masters of Law degree from the London School of Economics. Wendy holds 7, 53, and 63 licenses and was admitted to the bars of New York and New Jersey.

Click Here to Learn More

Circle Headshots - 2024-06-05T110758.968Casey Jennings, Counsel, Seward & Kissel

Casey is a member of Seward & Kissel’s Financial Services Regulatory Group and Blockchain and Cryptocurrency Group in the Firm’s Washington, DC, office. As a financial attorney, Casey advises a wide range of financial services companies (including banks, broker-dealers, investment funds, service providers, and financial technology companies) on federal and state banking and securities law issues. Casey regularly provides legal aid to clients with respect to financial matters such as deposit issues, lending services, state and federal licensing and registration, anti-money laundering, custody, transfer, payments, and liquidity issues, and the Bank Holding Company Act.

Click here to Learn More.

Circle Headshots - 2024-05-31T145344.131Jacob Cane - Managing Director, Head of Cybersecurity Risk Services, Salus GRC

Jacob has over 25 years of experience providing cybersecurity and IT services. Jacob was the co-founder and CEO of 
Proactive Technologies, an outsourced IT and cybersecurity provider to investment managers. Proactive was acquired by Abacus Group, where Jacob was a member of the leadership team. Jacob was most recently the Global Head of Customer Success & Strategy at Drawbridge Partners, a cybersecurity firm serving the investment industry. Jacob has a BA from Columbia University and maintains a Certified Information Systems Security Professional (CISSP) certification.

Click Here to Learn More.

Todd Cipperman, Managing Principal, Cipperman Analytics

Circle Headshots - 2024-05-31T152124.533

Todd Cipperman is the Managing Principal of Cipperman & Company and Cipperman Analytics, through which he provides regulatory advice and management consulting services to growth-minded investment managers and fund managers on strategic objectives, distribution strategies, financing options, board and corporate governance, and regulatory structures.  He is an  experienced financial services executive who founded, grew, and sold an industry-leading compliance services firm to a large, private equity backed consulting/technology firm.  He has served as General Counsel of a public investment firm and worked in private legal practice on Wall Street representing both buy and sell side clients in investment management and capital markets transactions.  He is a graduate of the University of Pennsylvania Law School and Cornell University.  He is the author of the book The Compliance Advantage: Ten Must-Know Trends to Protect Your Investment Firm, which is available in hard copy and in digital format on Amazon.  

Click Here to Learn More

Ed Fasano - compressedEd Fasano, Co-Founder, EAC LLC

Ed Fasano has 25 years of experience as an investment adviser COO, CFO, CCO, Treasurer, and Head of Investor Relations. His role at EAC includes heading up the firms Pre-Launch and Treasury consulting services as well as leading EAC's global sales and marketing efforts. Prior to founding EAC, Mr. Fasano launched the advisory offering at Titan Regulation. Before Titan, Mr. Fasano launched SAYA Management LP, serving as COO, CFO and CCO; responsible for all finance and accounting matters in addition to compliance, investor relations and personnel matters. Before starting SAYA, Mr. Fasano was with Seawolf Capital, where he was responsible for the Firm's launch and later served as the Firm's COO, CFO and CCO. Prior to Seawolf, Mr. Fasano lead Treasury and Operations functions at FrontPoint Partners; and spearheaded portfolio finance for DKR Capital. Earlier in his career, Mr. Fasano held operational and finance roles at Tiger Management and Paloma Partners. Moreover, he had a key role in establishing and operating the stock loan finance broker-dealer at Citadel Investment Group and managing its relationships with stock loan counterparties.

Click Here to Learn More


Circle Headshots (41)

James Mignacca, CEO, Cavelo 

As CEO of Cavelo, James helps businesses proactively reduce cybersecurity data risk and achieve compliance with automated data discovery, classification and reporting. Cavelo's cloud compatible data risk management platform continuously scans, identifies and classifies sensitive data across machines, servers and cloud applications, simplifying compliance reporting and risk remediation.

Click Here to Learn More

 Mark SangsterMark Sangster, Vice President, Chief of Strategy, Adlumin

Mark Sangster, author of No Safe Harbor: The Inside Truth about Cybercrime and How to Protect Your Business, is a go-to subject matter expert for leading publications and media outlets, including The Wall Street Journal and Forbes, covering major data breach events. His experience unites a strong technical aptitude and an intuitive understanding of regulatory agencies, shifts risk trends and influences thought leaders.

Click Here to Learn More


Vinod Paul_Circle_2024Vinod Paul, Chief Operating Officer, Align

With over 20 years of extensive experience in financial services and technology, Vinod Paul serves in the role of President, Align Managed Services. As President, Vinod is responsible for spearheading the strategic development of Align's Managed Services offerings, including overseeing Align Cybersecurity™, a comprehensive solution for cybersecurity risk management. Additionally, Vinod plays a pivotal role in nurturing senior client relationships within the alternative asset management community, offering ongoing guidance on industry best practices and emerging trends in Managed Services. Renowned as an influential figure in the financial services sector, Vinod previously held leadership positions at ECI, a prominent global provider of Managed IT Services. During his 13-year tenure as Managing Director, he led customer-facing engagements, focusing on service delivery and business development on a global scale. Under his guidance, ECI solidified its position as a premier Managed Service provider in the financial services realm, expanding its operations into Europe and Asia. Vinod has demonstrated his expertise through numerous placements in industry-relevant publications such as Forbes, Channel Futures, Hedgeweek, and Private Equity Wire. As an active speaker in the fields of managed services leadership, cybersecurity, financial services, and technology, Vinod has been recognized and celebrated for his contributions. 

Click Here to Learn More


 Circle Headshots (35)Gary Berger - Partner and Financial Services Industry Leader, Northeast, CohnReznick

Gary Berger is an audit partner at CohnReznick LLP and serves as the Northeast Financial Services Industry Leader. Based in the Firm’s New York office, he is extensively involved in the Firm’s Financial Services practice and has more than 30 years of experience serving domestic and offshore hedge funds, private equity funds, venture capital funds, and fund of funds. Gary provides advice on fund start up issues including organizational structure, economic and tax issues, seeding arrangements, and general business consultation. He serves as a relationship manager on numerous clients and is responsible for coordinating, managing and performing audit services of funds. Gary is a frequent speaker at financial services conferences and seminars. He has presented on numerous industry topics including, how to launch a hedge fund, valuation and fair value of investment portfolios, organizational and tax issues associated with investment partnerships, opportunity zones, and accounting and technical issues for investment partnerships.  Prior to joining CohnReznick, Gary headed up the hedge fund practices nationally for KPMG and Rothstein Kass.

Click Here to Learn More



Circle Headshots - 2024-05-02T105119.021Chris Zadrima, Chief Operating Officer, Align

With over 17 years of expertise in designing and spearheading prosperous Managed Service practices, Chris Zadrima stands as a distinguished leader in constructing customer management teams and excelling as a subject matter expert in harnessing cloud-based solutions to address business and operational needs. Currently at Align, Chris assumes a comprehensive role overseeing the entirety of Align's Global Managed Services practice, which encompasses Client Support, Cloud Architecture and Strategy, Project Management, the Network Operations Center, and the IT Service Desk. In recognition of his outstanding contributions to steering growth and strategic direction within his current role, Chris has been honored by CRN, a division of The Channel Company, as one of the 2023 Next-Gen Solution Provider Leaders. This prestigious accolade underscores individuals who not only significantly impact their companies' trajectories but also exhibit the potential to emerge as future leaders in channel innovation. The accolade specifically acknowledges solution provider professionals aged 40 or younger who have played pivotal roles in shaping their company's strategic direction and fostering channel growth over the past year. Before joining Align, Chris played a key role in the leadership team at Infoaxis, a technology solution provider. During his nine-year tenure, he successfully developed a Managed Service offering that supported over 6000 endpoints. Chris's academic foundation includes a degree from Fordham University, where he graduated with a Bachelor of Science in Accounting with a concentration in Management Information Systems. His educational background, combined with his extensive industry experience, reflects his multifaceted proficiency in both business and technology domains.

Click Here to Learn More




Continue Reading

Related Articles


“Align is our trusted provider for all our Managed Services and cybersecurity needs. They provide us best-in-class IT services that not only help drive productivity and growth, but ensure we meet both current and evolving compliance and security requirements with ease. As consultants to financial advisors, trust and reliability are indispensable to our operations, which is why we never hesitate to refer Align to our very own client base. Align isn’t just our partner, they are an extension of our team. We look forward to entrusting them with our IT infrastructure for years to come.”

Ed Fasano - Experienced Advisory Consultants LLC