
Regulation S-P: What RIAs Must Have in Place by June 3, 2026

Omni Online Strategies · 10 min read · Financial Compliance

The SEC adopted amendments to Regulation S-P in May 2024. Smaller RIAs and broker-dealers have until June 3, 2026 to comply. That deadline is close enough that compliance teams need to have programs in place, not in planning. This is not a paperwork requirement that can be satisfied with a policy update — it requires meaningful operational changes.

What the Original Regulation S-P Required

Regulation S-P, originally adopted in 2000, required broker-dealers and registered investment advisers to adopt written policies and procedures protecting customer records and information. The Safeguards Rule required administrative, technical, and physical safeguards protecting customer financial information from unauthorized access. The Disposal Rule required proper disposal of consumer financial information. The 2024 amendments did not eliminate these requirements — they added significant new requirements on top of them.

What the 2024 Amendments Require

The amended regulation requires covered institutions to maintain written policies and procedures that include a formal incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.

Detection procedures: Technical controls — intrusion detection, access monitoring, anomaly detection — and organizational processes for receiving and evaluating reports of potential incidents. "We would notice if something went wrong" is not a detection procedure.

Response procedures: Documented procedures for responding when an incident is detected — assessing scope and severity, containing unauthorized access, preserving evidence, and initiating notification procedures. Specific enough that staff know what to do without figuring it out in real time.

Recovery procedures: Procedures for restoring systems and data, addressing vulnerabilities that enabled the incident, and assessing whether additional protective measures are needed.

Customer notification: The most significant new operational requirement. Firms must notify affected individuals "as soon as reasonably practicable, but not later than 30 days" after discovering that their sensitive customer information was accessed or likely accessed without authorization. The 30-day clock is strict.

What Examiners Will Look For

Based on prior Regulation S-P examination approaches, examiners will look for: a written incident response program document (not just general references to cybersecurity in the WSPs); specifically defined procedures (who gets notified when an incident is suspected, and what constitutes a reportable incident); evidence of testing (tabletop exercises, penetration testing results); vendor contract provisions addressing the service provider's obligations in the event of a breach; and a log of incidents detected and responses taken.

What Firms Need to Build Before June 3, 2026

For firms that have not yet started: draft a written incident response program document, define operational procedures for each phase, assign ownership for each phase of the response, build the customer notification operational capability (the ability to identify affected individuals and contact them within 30 days), review vendor contracts for incident response provisions, conduct a tabletop exercise to test the program before the compliance date, and update the firm's WSPs to reflect the new requirements. Starting this in April or May 2026 to meet the June deadline leaves almost no margin for error.

See This in Action

The Omni Financial Compliance Monitoring system tracks the SEC, FINRA, Federal Register, state regulators, and FinCEN automatically — delivering a classified digest every morning so your compliance team spends 15 minutes on review instead of 90 minutes on research.
