GLBA protects the nonpublic personal information that financial institutions hold. An investment advisor's daily work sits squarely inside that definition. You collect client PII and financial account data, hold access to custodial and portfolio-management platforms, and exchange sensitive information with custodians and other providers. What varies is not whether GLBA applies, but which agency enforces it against your firm.
Your registration decides your regulator.
SEC-registered investment advisors and broker-dealers are subject to the SEC's Regulation S-P, the SEC's rule implementing GLBA. It requires written policies to safeguard customer records and information and to deliver privacy notices.
State-registered advisors, generally those below the SEC registration threshold, and advisors not required to register with the SEC fall under the FTC's jurisdiction. For them the FTC Safeguards Rule (16 CFR Part 314) applies. We confirm which regime governs your firm during onboarding and build one program to satisfy it rather than assuming a single rule covers every advisor.
Advisory firms hold high-value financial data.
Every client relationship carries Social Security numbers, bank account and routing numbers, holdings, and custodian and portfolio-management credentials. That is precisely the nonpublic personal information GLBA is written to protect.
Business email compromise and fraudulent wire and disbursement requests target this data directly. The controls both regimes require, MFA, verification procedures, and encryption, are the same controls that defend against the most common attacks on client accounts.
Vendor oversight is part of compliance.
Advisory firms rely on custodians, CRMs, portfolio-management platforms, and reporting tools that handle client information. Both Reg S-P and the Safeguards Rule expect you to oversee the service providers that touch that data.
We inventory those vendors, document the security expectations, and fold vendor oversight into your written program so the requirement is met and evidenced rather than assumed.
The 2024 Reg S-P amendments raised the bar for SEC-covered firms.
In 2024 the SEC adopted amendments to Regulation S-P that add an incident response program requirement and a customer breach-notification duty. When sensitive customer information is, or is reasonably likely to have been, accessed or used without authorization, covered firms must notify affected individuals, generally within about 30 days, with compliance dates phased in.
We build the incident response program, define what a notification event means for your custodial and CRM systems, and prepare the notification workflow so a real event is handled inside the window. For FTC-covered firms we build the equivalent Safeguards Rule incident response and notification process, so the obligation is covered whichever regime applies.