The amended SEC Regulation S-P requires smaller RIAs to have: a written incident response program, 30-day breach notification procedures, a vendor risk management program, encryption and access controls documented, and annual program reviews. Non-compliance puts you at maximum examination risk. The 10-item checklist below maps every requirement to a concrete deliverable. Zero Delta Security's security assessment call walks through each item and identifies gaps before an SEC examiner does.
What Is SEC Regulation S-P?
Regulation S-P has existed since 2000. For most of its life, it required registered investment advisers and broker-dealers to send customers annual privacy notices — a procedural formality most RIAs treated as a compliance checkbox.
The SEC changed that in May 2024. The amended rule — formally titled "Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information" — added substantive cybersecurity requirements that go well beyond privacy notices. The 2024 amendments require covered firms to implement operational security controls that align with what the SEC already expects under the broader cybersecurity framework.
The amendment introduces three major new obligations: a written incident response program, customer notification requirements with hard timelines, and vendor oversight requirements. It also strengthens existing recordkeeping obligations and requires annual review of the entire program.
Who It Applies To
The amended Reg S-P applies to SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. The June 3, 2026 deadline applies specifically to "smaller" covered institutions. For investment advisers, that generally means firms with less than $1.5 billion in assets under management.
Larger firms — those above the $1.5B threshold — had an earlier compliance deadline of December 3, 2025. If you're reading this guide, you're likely in the smaller category with the June 3 deadline still ahead of you.
State-registered advisers are not covered by the SEC rule — but many states have parallel requirements through state securities regulators. Check with your state regulator or compliance counsel if you're state-registered. The cybersecurity controls the rule requires are best practices regardless of which regulator oversees you.
What the June 3 Deadline Actually Means
Missing the deadline doesn't trigger an automatic fine on June 4. The SEC's enforcement mechanism is the examination process — and cybersecurity has been the top examination priority for the SEC's Division of Examinations for multiple consecutive years.
Here's how it works in practice: SEC examination staff request copies of written security programs during routine exams. Firms without documented programs receive deficiency letters. Patterns of non-compliance — or incidents that occur after the deadline — escalate to enforcement referrals. For smaller RIAs, routine exams typically happen every 3–5 years. But a breach, a complaint, or a tip accelerates that timeline immediately.
The risk isn't "I'll get fined on June 4." The risk is: you're now operating out of compliance with a federal rule, and the next examination or incident creates maximum exposure.
The 10-Item Reg S-P Compliance Checklist
Work through each item. Every checkbox requires a documented, written artifact — verbal policies and informal practices don't satisfy the rule.
1. Written Incident Response Program
The rule requires a written incident response program that addresses detection, containment, eradication, and recovery from cybersecurity incidents involving customer information. This must be a formal written document — not an informal understanding among staff.
2. 30-Day Customer Notification Procedures
When an incident involves customer sensitive financial information, you must notify affected customers within 30 days of becoming aware. The clock starts when you become aware — not when the breach occurred. You need written procedures for evaluating whether an incident triggers notification, drafting the notice, and sending it within the window.
3. Vendor Risk Assessment and Oversight Program
You must oversee service providers who access, maintain, or process customer information. This requires a written vendor oversight program — not just a vendor list. It must document how you evaluate vendor security practices, what contractual safeguards you require, and how you monitor vendors on an ongoing basis.
4. Data Inventory and Classification
You can't protect what you haven't mapped. The rule's safeguards requirements apply to "customer information," which means you need to know where it lives: custodian platforms, CRM systems, email archives, cloud storage, spreadsheets, all of it.
5. Encryption of Customer Data
The amended rule requires that customer information be protected by "appropriate safeguards" — and the SEC's guidance consistently identifies encryption as a baseline control. Data at rest (stored) and data in transit (transmitted) should both be encrypted. Unencrypted customer data on portable devices, email, or unsecured cloud storage is a clear red flag for examination staff.
6. Access Controls and Authentication
Limiting access to customer information to personnel who need it — and verifying that access with strong authentication — is a foundational safeguard under the rule. Shared passwords, no multi-factor authentication on email or custodian portals, and unrestricted access to all customer files are common examination findings.
7. Employee Security Training
Phishing is the leading initial access vector for financial services breaches. The rule requires that your security program address the human element. Annual training — documented with completion records — is the minimum. Given that phishing attacks targeting RIAs have increased significantly in recent years, periodic phishing simulations are worth adding.
8. Data Retention and Disposal Procedures
The amended Reg S-P strengthens recordkeeping requirements. You need written policies governing how long customer information is retained, in what format, and how it's disposed of when retention periods expire. Customer data sitting in forgotten email archives or decommissioned systems is both a security risk and a regulatory liability.
9. Annual Program Review
The amended rule explicitly requires an annual review of your security program's effectiveness. This isn't a box-check — it should result in documented findings and updates to your program. A penetration test or vulnerability assessment scheduled as part of the annual review demonstrates that the review is substantive rather than pro forma.
10. Recordkeeping — Written Policies and Procedures
Every element above needs to be documented in writing and retained. The amended rule extends existing recordkeeping requirements to all written policies, procedures, and documentation related to the security program. If you can't produce a written artifact during an examination, it's treated as if the control doesn't exist.
What Happens If You Miss the June 3 Deadline
No automated enforcement triggers on June 4. The SEC doesn't have a system that generates penalty notices when a deadline passes. What changes is your legal exposure for everything that happens after.
The practical consequences:
- Next examination: Examination staff will request copies of your written security program. If you don't have one, you'll receive a deficiency letter. A deficiency letter in your examination file affects future exam risk ratings and scrutiny level.
- Post-incident exposure: If a breach occurs after the deadline and you don't have the required written program, your lack of a program is now documented evidence of a rule violation — not just a gap to remediate. That's the difference between a deficiency and an enforcement referral.
- Client trust and enterprise business: Institutional clients and large RIA custodians increasingly require evidence of documented security programs as part of due diligence. Missing a regulatory deadline is a red flag in those conversations.
The good news: 21 days is enough time to get the foundational documents in place if you move now. The written incident response program, notification procedures, and vendor oversight framework can be drafted in a week with the right template and a clear understanding of what's required.
How a Security Assessment Accelerates Compliance
Several of the 10 checklist items are policy questions that your compliance counsel or internal team can address directly. But items 4 through 6 — data inventory, encryption controls, and access controls — require someone who knows what to look for technically.
A security assessment does three things for your Reg S-P compliance effort:
- Validates your data inventory. An attacker-perspective scan of your external attack surface identifies systems you may not have included in your inventory — particularly cloud services, legacy systems, and third-party integrations that handle customer data.
- Tests your technical controls. Encryption gaps, misconfigured access controls, exposed administrative interfaces, and authentication weaknesses are the findings an assessment surfaces — before an examiner or attacker does.
- Provides the independent validation the annual review requires. An external assessment report is significantly more defensible to examination staff than a self-attestation that "our controls are fine."
For the annual review component of the rule, an external penetration test or security assessment is the gold standard. The methodology page explains how we structure assessments for regulated financial services firms. See the full Reg S-P compliance guide for a deeper treatment of each requirement.
| Compliance Approach | What It Covers | Examination Defense | Time to Complete |
|---|---|---|---|
| Policy documents only (no technical testing) | Items 1–3, 7–10 (written program) | Partial — documentation present, controls unvalidated | 1–2 weeks |
| Policy documents + vulnerability scan | Items 1–10 (written program + baseline technical) | Good — documented controls with scan evidence | 2–3 weeks |
| Policy documents + penetration test | Items 1–10 (full coverage) | Strong — documented controls validated by external expert | 3–4 weeks |
With 21 days left, a vulnerability scan is achievable before the deadline. A full penetration test may push past June 3 depending on scheduling — but it satisfies the annual review requirement for the next 12 months and provides the strongest examination defense. Book the assessment now and start your written program documentation in parallel.
Don't find out about your gaps during an SEC exam.
Book a free 15-minute assessment call. We walk through your Reg S-P checklist, identify the items that need immediate attention, and scope the right engagement before June 3.
Frequently Asked Questions
Who does the amended SEC Regulation S-P apply to?
The amended SEC Regulation S-P applies to SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. For the June 3, 2026 deadline specifically, the rule targets "smaller" covered institutions — generally those with less than $1.5 billion in assets under management for investment advisers. Larger firms had a December 3, 2025 deadline. State-registered advisers are not covered by the SEC rule, but many states have parallel requirements through state securities regulators.
What must the written incident response program include?
The amended Reg S-P requires a written incident response program covering detection, containment, eradication, and recovery from cybersecurity incidents involving customer information. Key elements include: designated personnel responsible for the program, procedures for evaluating whether an incident triggers the 30-day customer notification requirement, documented escalation procedures, post-incident review processes, and annual review of the program's effectiveness. The plan must be a documented, written program — a verbal policy or informal practice does not satisfy the requirement.
What are the customer notification requirements?
Under the amended Reg S-P, covered institutions must notify affected customers within 30 days of becoming aware of a breach involving their sensitive financial information. The notification must describe the incident, the type of information involved, and remediation steps. The 30-day clock starts from the date you "become aware" — not the date the breach occurred. Covered institutions should have a documented process for evaluating whether an incident triggers notification obligations, and that process should be tested before the deadline.
What does the vendor oversight requirement involve?
The amended rule requires covered institutions to oversee service providers who access, maintain, or process customer information. This includes: (1) a written vendor oversight program documenting how you evaluate and monitor third-party security practices, (2) contractual provisions requiring vendors to implement appropriate safeguards and notify you of incidents within a defined timeframe, and (3) documented procedures for reviewing vendor security programs. Simply having a vendor agreement is not sufficient — you need evidence of ongoing oversight, not just a one-time review at contract signing.
What are the consequences of missing the June 3 deadline?
The SEC can pursue civil monetary penalties, censures, and cease-and-desist orders for Reg S-P violations. More practically, SEC examination staff routinely request written security programs during routine exams. Firms without documented programs receive deficiency letters, which can escalate to enforcement referrals for patterns of non-compliance. Cybersecurity has been the top examination priority for the SEC's Division of Examinations for multiple consecutive years. Missing the June 3 deadline doesn't guarantee an immediate penalty — but it maximizes your legal exposure during your next exam cycle.