The SEC's amended Reg S-P compliance deadline for smaller RIAs is June 3, 2026 — 34 days away. New requirements: written incident response program, 30-day customer notification window, vendor management program with contractual safeguards, annual program reviews. An external attack surface assessment feeds directly into the incident response program documentation SEC examiners look for.
June 3, 2026 — 34 days from today. Smaller RIAs must have written incident response programs, vendor oversight documentation, and customer notification procedures in place. This is not a proposal. The amended rule is in effect and enforceable.
What Changed: The Amended Reg S-P vs. The Original
Most RIA compliance officers know Regulation S-P as the rule that requires annual privacy notices to customers. That is most of what the original 2000 rule was: a disclosure requirement. Its safeguards rule asked only for written policies "reasonably designed" to protect customer records, with no incident response, customer notification, or service provider provisions.
The SEC's May 2024 amendments are a different animal entirely. The amended rule turns Reg S-P from a privacy notice requirement with a general safeguards clause into a prescriptive data security mandate. Here's how the two versions compare:
| Requirement | Original Reg S-P (2000) | Amended Reg S-P (2024) |
|---|---|---|
| Privacy notices | Required annually | Still required |
| Incident response program | Not required | Written program required by name |
| Breach notification | Not required | As soon as practicable, and no later than 30 days after becoming aware of an incident |
| Vendor oversight | Not required | Written oversight program (due diligence and monitoring) + safeguards in vendor arrangements, including vendor breach notice to you within 72 hours |
| Annual review | Not required | Required — effectiveness must be assessed |
| Recordkeeping | Privacy notices | All written programs, policies, procedures |
The compliance timeline split firms by size. Larger entities (for investment advisers, $1.5 billion or more in assets under management; broker-dealers use the Exchange Act small-entity test rather than an AUM threshold) had an 18-month compliance window, putting their deadline at December 3, 2025. That deadline has passed. Smaller RIAs got 24 months: June 3, 2026. That deadline is 34 days away.
If you've been watching the larger-firm deadline and assuming the smaller-firm deadline was further off, now is the time to recalibrate. Thirty-four days is not a comfortable runway — especially if you don't yet have a written incident response program in place.
The New Requirements in Detail
The amended rule has five core requirements. Each one has specific teeth — not guidance, not best practices, but written mandates that SEC examiners will ask to see documentation for.
The written incident response program requirement is the one that trips up smaller RIAs most often. It's not enough to have a general sense of what you'd do in a breach — you need a documented plan that specifically addresses detection (how do you know an incident occurred?), containment (how do you stop it from spreading?), and recovery (how do you restore normal operations and protect remaining data?).
The 30-day notification window is deliberately tight. State breach notification laws often have longer windows or trigger only above certain thresholds. The amended Reg S-P requirement is separate from and in addition to state law obligations. The clock starts when you become aware that unauthorized access to customer information occurred or is reasonably likely to have occurred, not when your investigation ends, and 30 days is a ceiling: the rule says "as soon as practicable." The only way out of notifying is a documented determination, after reasonable investigation, that the information has not been and is not reasonably likely to be used in a way that causes substantial harm or inconvenience. Your workflow needs to produce either the notice or that written determination inside the window.
What SEC Examiners Look For
The SEC's Division of Examinations (formerly OCIE) has published cybersecurity examination observations and risk alerts consistently since 2015. The pattern of what examiners ask for is well-documented. Firms that prepare specifically for exam requests consistently receive better outcomes than firms that have robust programs but can't produce documentation efficiently.
In cybersecurity examinations, examiners consistently request:
- Written policies and procedures — the actual documents, not a description of them. If it's not written down, it doesn't exist for exam purposes.
- Evidence of testing — penetration test reports, vulnerability assessment results, tabletop exercise records. The annual review requirement requires evidence of effectiveness, and testing is the primary mechanism.
- Vendor inventory — a list of all third-party service providers with access to customer information, with documentation of oversight for each.
- Vendor contracts — agreements that include security safeguard provisions. Custodian agreements often have these; CRM and billing software agreements often do not.
- Access control documentation — MFA configuration, admin access logs, user access reviews. Examiners look for principle of least privilege in practice.
- Incident response tabletop evidence — records showing the team has walked through scenarios, not just that a written plan exists.
The 2024 SEC exam priorities letter called out incident response programs and vendor management specifically as focus areas for RIA examinations. These are not peripheral concerns — they are the primary lens through which examiners will evaluate Reg S-P compliance for the next several exam cycles.
The Vendor Oversight Requirement Is Often the Hardest
Smaller RIAs typically run on 5–15 technology vendors: a custodian (Schwab, Fidelity, Pershing), a CRM (Salesforce, Redtail, Wealthbox), portfolio management software, compliance software, billing tools, document management, and often several smaller point solutions. Every one of these vendors that touches customer information is subject to the oversight requirement.
The practical challenge is that the oversight requirement has two components that are often confused:
Component 1 — Written vendor management program. You need a documented process for evaluating vendors' security practices before onboarding them and periodically reviewing them afterward. This doesn't require you to audit every vendor annually, but you need a documented framework for how you assess and monitor them.
Component 2 — Contractual safeguards. Your vendor agreements need to include security obligations. Custodians — who operate in a heavily regulated environment — generally already have these provisions. Your CRM vendor, your billing software provider, your document management tool? Often not. These contracts need to be reviewed and, if necessary, amended or supplemented with data processing addenda that include security obligations.
A common mistake is assuming that because your custodian has a robust security program, your vendor oversight obligation is covered. It isn't. The custodian's security program satisfies the custodian's regulatory obligations. Your obligation under Reg S-P is to maintain your own written oversight program that documents how you've evaluated and monitored each vendor — including the custodian.
The second common mistake is assuming that cloud vendors' SOC 2 reports fully satisfy the safeguard requirement. SOC 2 reports are useful evidence of a vendor's security posture, but they don't substitute for contract provisions that give you specific rights and protections in the event of an incident. The one to check first: the amended rule requires that service providers notify you as soon as possible, and no later than 72 hours after becoming aware of a breach of customer information they hold for you. A vendor contract that promises notice "within a reasonable time" does not meet that bar and leaves you unable to start your own 30-day customer notification clock on time.
How Zero Delta Security Helps
Reg S-P requires both a written program and evidence that you've tested it. An external attack surface assessment gives you the foundational technical input your written program needs — and the examination-ready documentation that backs it up.
Here's how our assessment maps to Reg S-P requirements:
| Reg S-P Requirement | What ZDS Delivers |
|---|---|
| Written incident response program — risk identification | External scan findings document your internet-facing risk exposure — the first input to any IRP risk section |
| Annual review — evidence of testing | Assessment report is dated technical evidence of periodic external testing, one input to the annual effectiveness review (it does not cover internal controls, vendor oversight, or incident response procedures) |
| Asset inventory | Our scan surfaces the internet-facing assets it can attribute to your domains and IP ranges — often including assets you may not know exist — as a starting point for your own inventory |
| Examination documentation | Report is formatted for production to SEC examiners — not a raw tool output, but a structured findings document |
Our free external scan runs in minutes and gives you an immediate view of your internet-facing exposure. A full assessment takes 5–7 business days and produces the structured report you can present during an SEC examination. Both are available now, which matters when you have 34 days left before the deadline.
Our methodology is documented publicly on the methodology page. Pricing is transparent and published on the pricing page — no custom quotes, no hidden fees.
34 Days to Deadline — Start Now
An external scan takes minutes. A full assessment takes 5–7 business days. Use both to start your Reg S-P documentation package before June 3.
Frequently Asked Questions
The SEC's amended Regulation S-P (adopted May 2024) requires registered investment advisers and broker-dealers to implement comprehensive data security programs. Larger entities had an 18-month compliance deadline (December 3, 2025). Smaller entities have a 24-month deadline: June 3, 2026. For investment advisers, "smaller" means under $1.5 billion in assets under management; broker-dealers are sized by the Exchange Act small-entity test instead. As of April 30, 2026, that's 34 days away. The amended rule is not a proposal — it's in effect and enforceable.
The amended Reg S-P requires: (1) A written incident response program that addresses detection, containment, and recovery from cybersecurity incidents. (2) Customer notification within 30 days of discovering an incident involving customer information. (3) Oversight of service providers — including a written vendor management program and safeguards in vendor contracts. (4) Annual review of the program's effectiveness. (5) Recordkeeping requirements for all written programs, policies, and procedures. These requirements go significantly beyond the original Reg S-P privacy notice requirements.
Non-compliance with Reg S-P surfaces through the SEC's Division of Examinations, which routinely asks for copies of written security programs during routine examinations and refers serious deficiencies to the Division of Enforcement. Firms without documented programs face deficiency letters, enforcement referrals, and civil monetary penalties. Examination priorities and risk alerts from 2023–2024 place cybersecurity among the top examination priorities for RIAs. Missing the deadline doesn't result in an automatic fine — but it puts you at maximum risk during the next exam cycle, which for smaller RIAs is typically every 3–5 years.
SEC cybersecurity exam observations (published by OCIE, now the Division of Examinations) consistently identify: lack of written policies and procedures, inadequate vendor oversight (no contracts or safeguards with custodians/TPAs), insufficient testing (no penetration tests, no vulnerability assessments), poor access controls (no MFA, excessive admin access), and inadequate incident response capabilities. The 2024 exam priorities letter specifically called out incident response programs and vendor management as focus areas for RIA examinations. Firms that have documented these programs with evidence of implementation consistently receive better exam outcomes.
Reg S-P requires both a written program and evidence that you've tested it. An external attack surface assessment gives you: (1) a documented inventory of internet-facing assets and their security posture, (2) findings that feed into your written incident response program's risk identification component, (3) evidence of periodic technical testing that supports the annual review requirement, and (4) a report you can produce during an SEC examination to demonstrate active program maintenance. It does not replace the written incident response procedures, vendor oversight documentation, or customer notification workflow the rule also requires. Zero Delta Security's assessment is designed to produce deliverables that align with what SEC examiners look for.