Rulemaking December 3, 2025

Regulation S-P Compliance Deadline: What Firms Must Have in Place Now

As of December 3, 2025, larger entities — including SEC-registered investment advisers with $1.5 billion or more in AUM, investment companies with $1 billion or more in net assets, and all broker-dealers that are not small institutions — are required to comply with the SEC's amended Regulation S-P. Smaller entities have until June 3, 2026.

## What Firms Must Have in Place

The amended Regulation S-P requires covered entities to have the following fully implemented:

- A written Incident Response Program with policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information

- A customer notification obligation requiring firms to notify affected individuals within 30 days of determining that unauthorized access to customer information has occurred or is reasonably likely to have occurred

- Service provider oversight policies requiring written agreements with all vendors that handle customer information, including a requirement that service providers notify the firm within 72 hours of discovering a breach

- Written information security safeguards covering administrative, technical, and physical controls designed to prevent unauthorized access to customer information

- Recordkeeping requirements including maintaining copies of policies, incident reports, notification records, and service provider agreements

## Service Provider 72-Hour Notification

One of the most operationally significant requirements is the 72-hour vendor notification window. Firms must ensure that all service provider agreements include a provision requiring the service provider to notify the firm within 72 hours of becoming aware of unauthorized access to customer information. This gives firms time to investigate and meet their own 30-day customer notification deadline.

## Smaller Entity Deadline: June 3, 2026

Smaller covered institutions — including smaller RIAs, smaller investment companies, and small broker-dealers — must comply by June 3, 2026. These firms should be actively building and testing their incident response programs, updating service provider agreements, and documenting information security safeguards now.

## FINRA Guidance

FINRA issued a cybersecurity advisory in November 2025 reminding member firms of the approaching compliance date and urging firms to assess their readiness. This signals that regulators will be examining Reg S-P compliance closely in 2026 examinations.

> December 3, 2025 was the compliance deadline for larger entities. Smaller entities must comply by June 3, 2026. Firms that have not yet implemented the required incident response program, vendor oversight policies, and breach notification procedures should treat this as an urgent priority.
