A conversation with Kamal Jafarnia, Chief Legal Officer at Vise
Data protection is now a core regulatory priority. The SEC’s recent updates to Regulation S-P represent one of the most consequential developments in advisor privacy and cybersecurity rules in more than 20 years.
We spoke with Kamal Jafarnia, Vise’s Chief Legal Officer, about what changed, what advisors are responsible for, and how Vise supports compliance.
Regulation S-P is the SEC’s main rule governing privacy and protection of client data. It sets expectations for how investment advisors handle, safeguard, and properly dispose of non-public personal information, such as client financial and identifying data.
Because Vise acts as a subadvisor to SEC-registered investment advisors, we have a dual role under the rule:
Regulation S-P has existed since 2000, but the SEC’s amendments add three major, practical requirements:
In short: advisors are now explicitly responsible for overseeing their vendors’ data-security practices.
The SEC set different deadlines based on firm size:
There are two layers to this.
Vise’s own obligations: Vise complies directly with Regulation S-P. We maintain a formal incident-response plan, and if an incident affected end clients, Vise would handle the required client notifications. Advisors would not need to send duplicate notices, though we would coordinate closely.
Supporting advisors’ obligations: Advisors must now maintain policies that:
Our policies and agreements are designed to support those requirements.
We took a proactive approach, including:
Detailed regulatory analysis: We reviewed the amended rule, the SEC’s adopting release, industry commentary, and legal guidance.
Updates to our compliance framework: We formally incorporated the new privacy, security, and incident-response requirements.
A dedicated Incident Response Plan: While not every firm has one, we believe a standalone plan improves clarity, speed, and accountability during an incident.
The goal was simple: meet our obligations and make compliance easier for advisors who work with us.
Two practical steps matter most:
Update your compliance policies: Your written policies should reflect the amended rule, including how you rely on service providers and expect timely breach notifications.
Strengthen vendor oversight: Regulators now expect advisors to verify—not assume—that vendors have appropriate safeguards and notification procedures in place.
Cybersecurity is no longer just a technical issue or a compliance checkbox. It’s fundamental to client trust.
Advisors hold deeply sensitive information about their clients’ financial lives. Regulators are raising expectations accordingly—and firms across the ecosystem need to meet them.
At Vise, we view Regulation S-P not just as a rule, but as part of our broader commitment to protecting client data and operating a secure, trustworthy platform.