The June 3, 2026 compliance deadline under the U.S. Securities and Exchange Commission's amended Regulation S-P has now passed, and smaller SEC-regulated entities are expected to demonstrate full compliance with the rule's enhanced safeguards and incident response requirements. The deadline applied to registered investment advisers with less than $1.5 billion in assets under management, along with certain broker-dealers and other SEC-regulated entities that fall within the scope of the amendments.
The amendments to Regulation S-P are designed to strengthen the protection of consumer financial information held by covered firms. Among the most significant requirements, covered entities must now adopt and maintain a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Critically, that program must include defined customer notification procedures, ensuring that affected individuals receive timely communication when their information may have been compromised.
Beyond the incident response framework, the amended rule reinforces broader expectations around how firms handle, transmit, and store consumer financial information. Covered entities should ensure that policies, vendor oversight procedures, and internal training reflect the updated standards, and that documentation supports a clear record of implementation. The SEC has signaled that compliance with the Regulation S-P amendments will be a priority during examinations later this year, meaning that program design alone will not be sufficient; firms should be prepared to show how the program operates in practice.
For smaller advisers and broker-dealers that have only recently completed implementation, now is an appropriate time to confirm that key elements are documented, tested, and integrated with existing cybersecurity, privacy, and recordkeeping obligations. Areas warranting particular attention include the scope of covered information, escalation pathways for suspected incidents, the timing and content of customer notifications, and oversight of service providers with access to customer data. Firms that have not yet completed implementation should treat the matter as time-sensitive, given the SEC's stated examination focus.
This alert is provided for general informational purposes only and does not constitute legal advice. Clients facing specific questions about Regulation S-P compliance or examination readiness should seek tailored advice based on their particular circumstances.