
The Reg S-P Deadline for Smaller Firms Just Passed. Is Your Incident Response Program Actually in Place?

June 3, 2026 was the compliance date for smaller entities under the SEC's amended Regulation S-P — and it applies to most advisory firms. Here's what the amendments require and what to check now that the deadline has arrived.

Compliance Approved Team · 2026-06-10 · 8 min read

On June 3, 2026, the compliance date arrived for "smaller entities" under the SEC's amended Regulation S-P. If your firm is an SEC-registered investment adviser with less than $1.5 billion in assets under management, that means you. Larger entities — RIAs with $1.5 billion or more in assets under management, fund groups with $1 billion or more in net assets, and most broker-dealers — have been required to comply since December 3, 2025. As of last week, the transition period is over for everyone.

This deadline applies to the overwhelming majority of advisory firms. In the adopting release, the SEC estimated that as of September 2023 only about 23% of registered investment advisers would qualify as larger entities. Everyone else — roughly three out of four SEC-registered advisers — falls under the June 3, 2026 date that just passed.

What the Amendments Require

The Commission adopted the amendments to Regulation S-P in May 2024 (Release No. 34-100155), updating a rule originally adopted in 2000. The amendments apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents — collectively, "covered institutions." Four requirements form the core of the new framework.

1. A Written Incident Response Program

Covered institutions must develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program must include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control it to prevent further unauthorized access or use.

Note what this is not: it is not a general cybersecurity policy or a paragraph in your compliance manual saying the firm takes data security seriously. The rule requires a written program with specific operational components: detection, response, recovery, assessment, and containment. If your incident response program is a single page that has never been tested against a tabletop scenario, you should evaluate whether it would hold up as "reasonably designed" in an examination.

2. Customer Notification Within 30 Days

The incident response program must include procedures to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice must go out as soon as practicable, but not later than 30 days, after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

Two details deserve attention. First, the trigger is awareness that unauthorized access "is reasonably likely to have occurred" — not confirmation that it did. Waiting for forensic certainty is not an option the rule provides. Second, there is a limited exception: notification is not required if the firm determines, after a reasonable investigation of the facts and circumstances of the incident, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Firms relying on that exception should consider documenting the determination carefully, because examiners will ask how it was reached.

The notice itself must be clear and conspicuous, and must describe in general terms the incident and the type of sensitive customer information involved, give the date or estimated date range of the incident, provide contact information affected individuals can use to reach the firm, and tell those individuals what steps they can take to protect themselves.

3. Service Provider Oversight

The amendments require the incident response program to include written policies and procedures reasonably designed to provide oversight — including through due diligence and monitoring — of service providers. The policies must be reasonably designed to ensure that service providers take appropriate measures to protect customer information and to notify the covered institution as soon as possible, but no later than 72 hours, after becoming aware of a breach resulting in unauthorized access to a customer information system the provider maintains. Once that notification arrives, the firm must initiate its own incident response program.

For small firms, this is often the heaviest lift. Most small RIAs run on a stack of third-party systems: custodians, portfolio management software, CRMs, email providers, document storage. Firms should evaluate whether their vendor agreements actually obligate providers to deliver breach notice within the 72-hour window, and whether anyone at the firm is monitoring vendor security practices on an ongoing basis. Note also that a firm may, by written agreement, have a service provider send the customer notices on its behalf, but the obligation to ensure that notice goes out on time stays with the firm.

4. Broader Scope, Plus Recordkeeping

The amendments also expand the safeguards and disposal rules to cover not just nonpublic personal information the firm collects about its own customers, but also nonpublic personal information it receives from another financial institution about that institution's customers. And covered institutions (other than funding portals) must make and maintain written records documenting compliance with the safeguards rule and the disposal rule. The work has to be documented, not just done.

The SEC Has Already Said It Will Examine This

This is not a rule that will sit dormant. The Division of Examinations' fiscal year 2026 priorities state that examinations will focus on firms' policies and procedures, internal controls, oversight of third-party vendors, and governance practices with respect to Regulations S-ID and S-P — and that after the applicable compliance dates, the Division will examine whether firms have developed, implemented, and maintained policies and procedures in accordance with the rule's new provisions. For smaller firms, "after the applicable compliance date" is now.

What to Check This Month

If the June 3 date arrived faster than your implementation did, consider working through this list now rather than waiting for an exam letter:

  • Confirm a written incident response program exists and covers detection, response, recovery, incident assessment, and containment — not just prevention
  • Verify your customer notification procedures specify who decides, who drafts, and who sends notice within the 30-day clock, and what the notice must contain
  • Inventory every service provider that touches customer information and check whether contracts or due diligence files address the 72-hour breach notification expectation
  • Extend your safeguards and disposal policies to nonpublic personal information received from other financial institutions, not just your own clients' data
  • Stand up the recordkeeping: documented risk assessments, vendor reviews, incident logs, and program testing
  • Run a tabletop exercise. A program that has never been rehearsed tends to fail at the worst possible moment, and the exercise itself is useful documentation

A skipped deadline is not a strategy. Firms that are behind should consider prioritizing the written program and notification procedures first — those are the provisions an examiner can check in an afternoon.

Compliance Approved includes cybersecurity safeguards tooling built for the amended Reg S-P: gap assessment against the rule's requirements, incident tracking with automated 30-day customer notification countdowns and 72-hour vendor breach windows, and compliance documentation you can produce in an exam. If your program needs to get from paper to practice quickly, we can help.
