June 3, 2026 marks the deadline for Regulation S-P compliance for small registered investment advisers. The S-P amendments, first adopted in 2024, go into effect for RIAs managing under $1.5 billion in assets and introduce specific requirements that include: a written incident response program, a 30-day customer notification requirement, expanded vendor oversight obligations, and new recordkeeping expectations, none of which were part of the original rule. This article breaks down what changed, what it means operationally, and what your firm should be doing now to ensure compliance.
Who Needs to Comply with Regulation S-P?
The amended Regulation S-P applies to SEC-registered investment advisers, broker-dealers, and certain other covered entities. State-registered advisers are not subject to SEC oversight under this rule, though many state regulators look to federal frameworks as a benchmark when evaluating their own expectations. If your firm is state-registered, the amended rule does not bind you directly – but it likely signals where your state examiner’s expectations are heading.
For investment advisers, the SEC drew a line between larger and smaller entities based on assets under management and other threshold criteria. Larger firms should already be compliant as of December 2025, while advisers below the $1.5B AUM threshold have until June 3, 2026 to meet the new expectations.
What Regulation S-P Already Required
The original Regulation S-P, adopted in 2000, established several baseline obligations that covered entities have been living with for more than two decades. These include:
- Privacy notices advising customers of information sharing practices, along with opt-out rights in certain circumstances;
- Written safeguards policies and procedures designed to protect customer records and information from unauthorized access or use; and
- Disposal requirements governing the proper destruction of covered information.
The 2024 amendments build on this foundation – but the additions are not minor tweaks. They represent a meaningful expansion of what a compliant program looks like for a registered investment adviser.
The Biggest Changes Small RIAs Need to Understand
Written Incident Response Program
The amended S-P rule requires covered entities to establish and maintain a comprehensive, written incident response program. That program must address detection, response, and recovery procedures for unauthorized access to or use of customer information. Critically, the SEC expects these programs to be operational and testable – not merely documented policies sitting in a shared drive. If your firm has never run a tabletop exercise or tested your escalation workflows, that gap is now material.
Customer Notification Obligations
When a qualifying incident occurs, affected individuals must be notified as soon as practicable – but no later than 30 days after the firm becomes aware of it. Limited exceptions apply where the firm can document and defend a reasonable conclusion that the incident will not result in substantial harm or inconvenience to affected customers. That determination must be recorded. In practice, this means small RIAs need to define internally when the 30-day clock starts, who makes that call, and how the notification is executed.
Service Provider Oversight
One of the clearest signals in the amended rule is that regulatory responsibility does not live with the vendor but with the RIA itself. Covered entities must implement written policies and procedures reasonably designed to oversee service providers that access, maintain, or process customer information. That includes contractual requirements obligating third parties to report security incidents within 72 hours of discovering a breach. For many small RIAs, this will require a fresh look at custodian agreements, technology contracts, and other vendor arrangements – many of which may not currently include language aligned to these standards.
Expanded Scope of Covered Information
The amendments broaden the categories of information subject to safeguards and disposal obligations. If your firm has not recently mapped what customer data it holds – and where – now is the time. This includes accounting for information that flows through custodians, portfolio management systems, CRM platforms, email, and document management tools.
Recordkeeping and Annual Privacy Notice Changes
New recordkeeping expectations require firms to document their compliance activities, incident handling, and related policies and procedures. The amendments also include conforming changes to the annual privacy notice exception – worth reviewing with counsel to confirm whether your current notice cadence still meets the standard.
A Practical S-P Compliance Checklist for Small RIAs
While specific legal requirements should be reviewed with your regulatory advisor or counsel, we recommend taking the following operational steps prior to June 3, 2026:
- Review and update written information security and privacy policies to reflect the amended rule’s requirements
- Create or refine a written incident response plan that specifically addresses Regulation S-P detection, response, and recovery obligations
- Map where customer information resides across internal systems, custodians, administrators, technology platforms, and third-party vendors
- Review vendor contracts, diligence files, and escalation procedures to ensure service providers are contractually obligated to report incidents within 72 hours
- Test breach escalation and customer notification workflows – including who triggers the 30-day notification clock and how that decision gets documented
- Train personnel involved in incident identification, investigation, legal review, and customer communications
- Confirm records retention processes cover policies, incident logs, customer notices, and service provider oversight documentation
Common Pitfalls to Avoid
Several failure patterns show up repeatedly when firms go through Regulation S-P gap assessments. Avoiding them now is far less costly than correcting them under examination pressure.
Treating this as purely a cybersecurity issue. Regulation S-P touches privacy governance, vendor management, customer communications, and recordkeeping obligations. That means this is not simply an IT responsibility, but a requirement that involves your entire operational team.
Using generic templates without customizing them. Off-the-shelf incident response plans are a starting point, not a finished product. Examiners will expect policies that reflect your actual systems, vendors, and escalation paths – not boilerplate language that doesn’t map to how your firm actually operates.
Failing to define the internal escalation trigger. The 30-day notification clock starts when the firm becomes “aware” of a qualifying incident. If your firm hasn’t defined what that means internally – which employee, which threshold, which system generates the signal – the clock can run before anyone realizes it has started.
Overlooking the books-and-records angle. Documentation requirements under the amended rule have direct implications for recordkeeping obligations. Incident handling records, vendor oversight files, and customer notification documentation all need to be retained in a manner consistent with applicable SEC rules.
The Bottom Line: June 3 Is an Operational Deadline for Small RIAs
The June 3, 2026 deadline is approaching fast and requires small RIAs to coordinate action across compliance, legal, technology, and operations. Firms that have not yet conducted a gap assessment against the amended rule should treat that as the logical first step, followed by a tabletop exercise to validate that incident response procedures actually work under realistic conditions.
If your policies, vendor arrangements, or incident response capabilities haven’t been reviewed in light of the Regulation S-P amendments, the window to close those gaps before the deadline is narrowing. The firms best positioned heading into June will be those that started that work early – not those scrambling to update templates in the final weeks before the rule takes effect.
HOW OMEGA SYSTEMS CAN HELP WITH RIA REGULATORY COMPLIANCE
Omega Systems has deep experience advising RIAs on IT controls, cybersecurity best practices and compliant incident response procedures. Additionally, our managed GRC solution helps benchmark IT and security controls against regulatory frameworks and best practice standards to ensure continuous alignment. If you’d like help reviewing your current policies, vendor contracts, and incident response procedures against the Regulation S-P amendments, or would like to discuss a comprehensive GRC engagement, contact our team today.