Updated February 12, 2026 | Reflects finalized SEC Regulation S-P amendments and current examination expectations for RIAs and broker-dealers.

The SEC’s amendments to Regulation S-P expand incident response, breach notification, and service-provider oversight obligations for covered institutions, including registered investment advisers (RIAs), broker-dealers, investment companies, and transfer agents. The amendments formalize cybersecurity governance expectations and make operational readiness, not just written policy, a core compliance requirement.


Originally adopted in 2000, Regulation S-P established the “Safeguards Rule,” with the “Disposal Rule” added in 2004 to implement the FACT Act; together they require RIAs, broker-dealers, and investment companies to maintain written policies to protect customer information and to dispose of it securely. The finalized amendments now add structured incident response, customer notification, and service-provider oversight mandates on top of that baseline.

Key requirements include:

  • A written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information
  • Notice to affected individuals as soon as practicable, and no later than 30 days after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred
  • Written policies for service-provider due diligence and monitoring, including a 72-hour breach notification obligation flowed down to service providers
  • Recordkeeping that documents compliance with the safeguards and disposal requirements, including the incident response program, service-provider oversight, and any determination not to notify customers

Incident Response Planning for RIAs

Covered entities must establish and maintain a comprehensive incident response program capable of detecting, responding to, and recovering from security incidents involving customer information.

Policies must address incident identification, severity assessment, containment procedures, and prevention of unauthorized access. Programs are expected to be operational and testable — not merely documented.


Cybersecurity Incident Disclosure

When sensitive customer information is, or is reasonably likely to have been, accessed or used without authorization, covered institutions must notify each affected individual as soon as practicable, and no later than 30 days after becoming aware that the unauthorized access or use occurred or is reasonably likely to have occurred. The clock starts at awareness, not at the end of the investigation.

Notification may be withheld only if the firm determines, after a reasonable investigation, that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. The only other basis for delay is a written request from the Attorney General on national security or public safety grounds. Every such determination must be documented and defensible during examination.


Third-Party Due Diligence & Oversight

Covered institutions must adopt written policies reasonably designed to oversee service providers through due diligence and ongoing monitoring. Those policies must require service providers to take appropriate measures to protect customer information and to notify the covered institution as soon as possible, and no later than 72 hours after becoming aware of a breach resulting in unauthorized access to a customer information system they maintain. In practice this means the 72-hour clause belongs in vendor contracts and is verified, not assumed.

The amendments reinforce that cybersecurity accountability cannot be outsourced — regulatory responsibility remains with the covered entity.

Next Steps for SEC Compliance Readiness

The amended Regulation S-P requirements are now in effect, with phased compliance dates based on firm size. Larger entities (including RIAs with $1.5 billion or more in assets under management) were given 18 months from Federal Register publication, a deadline that passed on December 3, 2025; smaller entities were given 24 months and must comply by June 3, 2026. With the larger-entity window already closed and the smaller-entity window closing, SEC examinations are expected to focus on operational execution, documentation, and testing of incident response programs.

Firms should ensure their incident response plans, vendor oversight frameworks, and recordkeeping practices are fully implemented, regularly tested, and aligned with regulatory expectations — not simply drafted for policy completeness.

Omega Systems supports RIAs and investment management firms with structured incident response development, third-party risk oversight programs, and SEC-aligned cybersecurity compliance services designed to withstand examination scrutiny.

Contact our team to strengthen your Regulation S-P readiness
