Reg S-P Compliance Deadline is Coming Fast for RIAs

The SEC’s amendments to Regulation S-P mark a significant shift in how investment advisers are expected to safeguard client information. While the rule has always required advisers to protect customer data, the updated version introduces clearer expectations around incident response, vendor oversight, and customer notification.

For SEC-registered investment advisers (RIAs), the key date to know is June 3, 2026. Firms with less than $1.5 billion in assets under management must be fully compliant by then, and regulators have already indicated this will be an area of focus in upcoming examinations.

What Regulation S-P Covers

At its core, Regulation S-P is about protecting “customer information,” including any non-public personal data collected in the course of providing financial services. The amendments expand this focus beyond prevention to include how firms detect, respond to, and recover from cybersecurity incidents.

The rule now expects advisers to operate with a level of preparedness more akin to a formal incident response program than a basic privacy policy.

What’s Changed

The updated rule introduces several key requirements:

  • Written incident response programs: Firms must establish and maintain policies designed to detect unauthorized access, respond to incidents, and recover from disruptions. 

  • Customer notification obligations: Advisers are generally required to notify affected individuals within 30 days of becoming aware of unauthorized access to sensitive customer information. 

  • Expanded vendor oversight: Firms are responsible for ensuring service providers that access customer data maintain appropriate safeguards and notify the firm of incidents. 

  • Enhanced recordkeeping: Advisers must document incidents, responses, and compliance efforts in a way that can be reviewed during examinations. 

What This Means for RIAs

The challenge is not building a large cybersecurity infrastructure; it’s formalizing what already exists.

Many advisers already rely on custodians, administrators, and IT vendors for core systems. But under the amended rule, outsourcing those functions does not shift responsibility. Firms must be able to demonstrate that they:

  • Understand where client data resides 

  • Have clear procedures for handling incidents 

  • Can escalate and document issues quickly 

  • Maintain visibility into vendor practices 

In other words, the SEC is looking for operational readiness, not just written policies.

Where to Focus Now

With the June 3 deadline approaching, RIAs should prioritize a few foundational areas:

  • Updating policies and procedures to reflect actual workflows 

  • Establishing a clear incident response plan with defined roles 

  • Reviewing vendor agreements for security and notification provisions 

  • Mapping client data across systems and providers 

  • Ensuring documentation practices are in place 

Even simple steps like defining internal escalation triggers or running a basic incident scenario can make a meaningful difference in demonstrating compliance.

The Bottom Line

Regulation S-P is no longer just about having a privacy policy on file. It’s about proving your firm can respond effectively if an issue arises.

Pillar Compliance Group can help RIAs translate these requirements into practical, right-sized solutions, whether that’s strengthening policies, formalizing incident response, or preparing for exams. With a hands-on, tailored approach, Pillar helps firms get compliant quickly and confidently.