SEC Regulation S-P: What Smaller RIAs Need for Incident Response Compliance by June 2026
The SEC's amended Regulation S-P requires every registered investment adviser, broker-dealer, and investment company to implement a written incident response program, notify customers of data breaches within 30 days, document service provider oversight, and maintain compliance records. Larger entities faced a December 2025 deadline. Smaller entities, including RIAs with less than $1.5 billion in AUM, must comply by June 3, 2026.
That deadline is less than 12 weeks away. The SEC's Division of Examinations has listed Regulation S-P in its FY 2026 examination priorities. A coalition of major trade associations, including SIFMA, the Investment Adviser Association, and the American Bankers Association, requested a six-month extension of the compliance deadline. No extension has been granted. The SEC held its third and final compliance outreach event specifically for small firms in early 2026, signaling that the deadline will hold.
For smaller RIAs that have not yet built out their incident response programs, this guide walks through the four core documentation requirements: what each one requires, what examiners will look for, and how to get the documentation in place before June 3.
Who Must Comply and What Changed
Regulation S-P was originally adopted in 2000 under the Gramm-Leach-Bliley Act to protect nonpublic personal information held by financial institutions. The 2024 amendments significantly expanded its requirements in four areas: incident response, breach notification, service provider oversight, and recordkeeping.
The amended regulation applies to all broker-dealers, SEC-registered investment advisers, registered investment companies, funding portals, and transfer agents registered with the SEC or federal banking regulators. The SEC established a tiered compliance timeline: larger entities (RIAs with $1.5 billion or more in AUM, investment companies with $1 billion or more in net assets) had until December 3, 2025. Everyone else has until June 3, 2026.
Two definitional changes matter for understanding the scope:
- Customer information now covers any record containing nonpublic personal information about a customer, regardless of format (paper, electronic, or otherwise), including information maintained by a service provider on the firm's behalf.
- Sensitive customer information is the subset that triggers notification requirements. It includes Social Security numbers, driver's license or passport numbers, tax identification numbers, biometric identifiers, and account credentials (usernames combined with passwords or security codes).
The distinction matters because the incident response program must address all customer information, but the breach notification obligation is triggered only when sensitive customer information is accessed or likely to have been accessed without authorization.
Requirement 1: Written Incident Response Program
The core obligation is to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
The SEC deliberately chose not to prescribe the specific steps an incident response program must contain, who must oversee it, or how frequently it must be updated. This gives firms flexibility but also means examiners will assess whether the program is reasonable for the firm's size, complexity, and risk profile.
At minimum, a compliant incident response program should include documented procedures for:
- Detection: How the firm identifies unauthorized access. This includes monitoring systems, access logs, alerts from service providers, and employee reporting mechanisms.
- Assessment: How the firm evaluates the nature and scope of an incident once detected. Which systems were affected? What types of customer information were potentially exposed? What is the severity?
- Containment: What immediate steps the firm takes to stop the unauthorized access and prevent further exposure. This includes system isolation, credential resets, and forensic preservation.
- Recovery: How the firm restores normal operations, addresses vulnerabilities, and prevents recurrence.
- Notification determination: The process for determining whether the incident requires customer notification (see Requirement 2 below).
- Roles and responsibilities: Who leads the response, who makes notification decisions, and who communicates with customers, regulators, and service providers.
If your firm has never conducted a tabletop exercise, plan one before June 3. A tabletop exercise is a structured walkthrough of a simulated incident scenario. Participants talk through their roles and decisions without activating actual systems. The exercise produces documentation of the scenario tested, decisions made, gaps identified, and corrective actions planned. That documentation becomes direct evidence of compliance.
Requirement 2: Customer Breach Notification
When a firm becomes aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, it must notify affected individuals. The notification must be provided as soon as practicable but no later than 30 days after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Note the trigger for the clock: it starts when the firm becomes aware of unauthorized access to customer information generally, not when it later confirms that sensitive customer information was involved. The investigation into scope, the sensitivity determination, and the notice itself all have to fit inside that window.
There is a narrow exception: if a reasonable investigation determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a way that could cause substantial harm or inconvenience, notification may not be required. However, the firm must document the investigation, its findings, and the basis for the determination. If in doubt, the SEC has indicated that firms should err on the side of notifying.
The notification itself must include, at a minimum:
- A description of the incident in general terms
- The types of sensitive customer information that were or may have been accessed
- The date or estimated date of the incident, or the date range within which it occurred
- Contact information sufficient for affected individuals to reach the firm with inquiries
- Recommendations that the individual review account statements and report suspicious activity, an explanation of what a fraud alert is and how to place one, and a recommendation to periodically obtain credit reports
- Information about steps the firm has taken or plans to take in response
If the firm cannot identify which specific individuals were affected, it must notify all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed or used without authorization. The notification must be clear and conspicuous, meaning it cannot be buried in fine print, a routine mailing, or a general newsletter, and it must be delivered by a means reasonably designed to ensure that each affected individual actually receives written notice.
Firms should prepare template notification letters before an incident occurs. Having pre-approved templates for different incident types (data breach, ransomware, unauthorized employee access, vendor breach) significantly reduces response time and ensures the 30-day window is met.
Requirement 3: Service Provider Oversight
The amended Regulation S-P extends data protection responsibility beyond the firm's own operations to its service providers. Firms must establish, maintain, and enforce written policies and procedures for the oversight of service providers that receive, maintain, process, or otherwise have access to customer information.
This oversight obligation has three components:
- Due diligence before engagement: Before contracting with a service provider that will access customer information, the firm must assess the provider's ability to safeguard that information.
- Contractual provisions: The final rule does not prescribe specific contract language, but the firm's oversight policies must be reasonably designed to ensure that the provider implements and maintains appropriate safeguards, reports security incidents to the firm, and cooperates with breach response. In practice that means putting those obligations in the service agreement. The rule specifically requires that service providers notify the firm as soon as possible, and no later than 72 hours, after becoming aware of a breach in security resulting in unauthorized access to a customer information system they maintain.
- Ongoing monitoring: The firm must periodically assess whether the service provider continues to maintain adequate safeguards. This is not a one-time review at onboarding.
Firms can contractually delegate the customer notification responsibility to a service provider (for example, if the breach occurs at the provider's systems). However, the ultimate responsibility for ensuring notification happens remains with the firm. Delegation does not eliminate accountability.
The practical step is to review every service provider agreement that involves access to customer information. Confirm that each agreement includes incident response obligations, notification timelines, and cooperation requirements. For providers without these provisions, either amend the agreement or assess whether the relationship introduces unacceptable risk. A structured vendor resilience assessment documents this due diligence in a format that satisfies examiner expectations.
Requirement 4: Recordkeeping
The amendments introduce specific recordkeeping requirements that codify what has been implicit in prior examination practice. Firms must maintain written records documenting:
- Written policies and procedures for the incident response program
- Written policies and procedures for customer information disposal
- Records of any detected unauthorized access incidents and the firm's response
- Investigations and determinations regarding whether customer notification was required, including the basis for any determination
- Written agreements with service providers regarding customer information protection and notification responsibilities
- Any communication from the U.S. Attorney General related to a delayed notification
Retention periods differ by entity type. Investment advisers must retain these records for at least five years. Broker-dealers must retain them for at least three years.
The recordkeeping requirement is not aspirational. When an SEC examiner requests documentation of your incident response program, they expect to see a complete record: the written plan, evidence of testing, logs of any incidents, documentation of notification decisions, and copies of service provider agreements with the relevant provisions. Producing this documentation after the fact is both difficult and unconvincing.
A Practical Compliance Path for Smaller Firms
For firms approaching the June 3 deadline that have not yet built out their compliance documentation, the path forward is straightforward even if the timeline is compressed:
- Assess your current state. What incident response documentation exists today? Many firms have some form of cybersecurity policy or business continuity plan but lack the specific incident response procedures the amendments require. Identify the gaps between what you have and what the regulation requires.
- Build or update your incident response plan. This is the core deliverable. It must include detection, assessment, containment, recovery, notification, and role assignments. It must be written, not informal. Continuity Strength produces audit-ready incident response documentation that addresses each of these elements and generates the recordkeeping evidence examiners expect.
- Review service provider agreements. Identify every vendor with access to customer information. Confirm that contracts include incident response obligations and notification timelines. Flag agreements that need amendment.
- Prepare notification templates. Draft breach notification letters for different incident scenarios. Establish the internal workflow for who approves notifications and how they are delivered.
- Conduct a tabletop exercise. Walk through a realistic incident scenario with your response team. Document the exercise, including the scenario, participants, decisions made, gaps identified, and remediation steps. This produces direct evidence that your program has been tested.
- Organize your records. Establish a centralized repository for all Reg S-P compliance documentation. Ensure the retention policy matches your entity type (five years for RIAs, three years for broker-dealers).
None of these steps require hiring a law firm or a Big Four consultant. They require structured documentation that demonstrates your firm can detect, respond to, and recover from a data incident involving customer information. The regulation is not asking for perfection. It is asking for a program that is reasonably designed and demonstrably maintained.
Regulation S-P Documentation: Start Before the Deadline
Continuity Strength's compliance evidence packages include incident response plans, tabletop exercise documentation, and vendor oversight records in an audit-ready format. Select the package that fits your firm and start producing documentation today.
See Compliance Evidence Packages. Not sure which package fits? Email us and we will point you in the right direction.
Frequently Asked Questions
Does SEC Regulation S-P apply to my RIA?
Regulation S-P applies to all SEC-registered investment advisers, broker-dealers, registered investment companies, funding portals, and transfer agents. If your firm is registered with the SEC and handles nonpublic personal information of natural persons, the amended requirements apply to you. Larger entities (RIAs with $1.5 billion or more in AUM) had a December 3, 2025 compliance deadline. Smaller entities have until June 3, 2026.
What is sensitive customer information under Regulation S-P?
Sensitive customer information is any component of customer information that, if compromised, could create a reasonably likely risk of substantial harm or inconvenience to the individual. This includes Social Security numbers, driver's license or passport numbers, tax identification numbers, biometric identifiers, and account login credentials such as usernames combined with passwords or security codes.
What must an incident response program include under Reg S-P?
An incident response program must include written policies and procedures to detect unauthorized access to customer information, assess the nature and scope of any incident, identify which systems and data types were compromised, take steps to contain and control the incident, and notify affected individuals whose sensitive customer information was accessed. The program must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
How quickly must I notify customers of a data breach under Reg S-P?
Covered institutions must provide clear and conspicuous notice to affected individuals as soon as practicable but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notification must describe the incident in general terms, identify the types of sensitive customer information involved, give the date or estimated date range of the incident, and provide contact information for inquiries. The only exception is a documented determination, after a reasonable investigation, that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. A written determination by the U.S. Attorney General that notice would pose a substantial risk to national security or public safety permits a delay, not an exemption; the firm must still notify once the delay period ends and must retain the Attorney General's determination in its records.
What are the Reg S-P recordkeeping requirements?
Covered institutions must maintain written records documenting compliance, including incident response policies, records of any detected incidents, investigation determinations regarding whether customer notification was required, written agreements with service providers, and disposal rule procedures. Investment advisers must retain these records for at least five years. Broker-dealers must retain them for at least three years.