Home Features Archiving Trade Monitoring Vendor Due Diligence Marketing Reviews Content Library Form ADV Forms & Tasks AI Consultant Reporting Documents Pricing Blog About Sign in Request demo

Regulation S-P: What RIAs Must Do Now (2026 Guide)

RegFin Team July 13, 2026 13 min read

Regulation S-P (17 CFR Part 248) is the SEC's privacy and safeguarding rule for broker-dealers, investment companies, and SEC-registered investment advisers. The SEC amended it in May 2024 to require a written incident response program, customer breach notification within 30 days, and formal oversight of service providers. Every covered firm, large or small, must comply today.

That last point deserves emphasis. Most of what you'll find online about the Reg S-P amendments was written in 2024 and 2025, when firms were counting down to a deadline. The countdown is over. Larger firms had to comply by December 3, 2025, and everyone else by June 3, 2026. If you run compliance at an RIA, the question is no longer "how do we prepare?" It is "does our program actually do what the rule says, and can we prove it?"

This guide walks through the rule as it stands in 2026, written for RIA principals and CCOs, with citations to the rule text and SEC releases throughout.

What is Regulation S-P?

Regulation S-P implements the privacy and data-security requirements of the Gramm-Leach-Bliley Act (GLBA) for firms the SEC regulates. It was adopted in 2000 and sits at 17 CFR Part 248, Subpart A. Before the 2024 amendments, it had three main jobs:

  • Privacy notices and opt-out rights. Firms must give customers initial (and in some cases annual) notices describing what nonpublic personal information they collect and share, and let consumers opt out of certain sharing with nonaffiliated third parties.
  • The Safeguards Rule (§ 248.30(a)). Firms must adopt written policies and procedures with administrative, technical, and physical safeguards to protect customer records and information.
  • The Disposal Rule (§ 248.30(b)). Firms must take reasonable measures to protect customer and consumer information against unauthorized access when disposing of it.

The disposal obligation is not theoretical. In 2022 the SEC fined Morgan Stanley Smith Barney $35 million after decommissioned servers and hard drives containing unencrypted customer data ended up in an online auction. The order charged violations of both the Safeguards Rule and the Disposal Rule.

What changed in the 2024 amendments?

On May 16, 2024, the SEC adopted the most significant overhaul of Reg S-P since its adoption (Press Release 2024-58; Release No. 34-100155). The amendments took effect August 2, 2024, with staggered compliance dates that have both now passed. Four changes matter most for RIAs:

Requirement What it demands Where it lives
Incident response program Written policies and procedures to assess, contain, and respond to unauthorized access to or use of customer information § 248.30(a)(3)
Customer notification Notice to affected individuals as soon as practicable, and no later than 30 days after the firm becomes aware the incident occurred or is reasonably likely to have occurred § 248.30(a)(4)
Service provider oversight Written policies requiring due diligence and monitoring of vendors, reasonably designed to ensure providers protect customer information and notify the firm within 72 hours of a qualifying breach § 248.30(a)(5)
Expanded scope + records Safeguards and disposal duties cover all customer information the firm holds, with written records proving compliance § 248.30(c), (d)

The scope change is easy to overlook. "Customer information" now means any record containing nonpublic personal information about a customer of a financial institution, in any form, that the firm possesses or that is handled or maintained on its behalf, including at service providers. That includes information about people who are not your customers, such as data another institution shared with you. If it sits in your systems, you safeguard it.

Who must comply with Reg S-P, and by when?

The amendments apply to what the SEC calls "covered institutions": broker-dealers (including funding portals), investment companies, SEC-registered investment advisers, and transfer agents registered with the SEC or another appropriate regulatory agency. The Small Entity Compliance Guide set two compliance dates, both of which have passed:

Firm type Compliance deadline
Larger entities, including RIAs with $1.5 billion or more in regulatory AUM and investment companies with $1 billion or more in net assets (together with related funds) December 3, 2025
All other covered institutions, including every smaller SEC-registered RIA June 3, 2026

Two edge cases worth naming:

  • State-registered advisers are not covered institutions. They answer instead to the FTC's parallel GLBA rules, including the FTC Safeguards Rule at 16 CFR Part 314, and to state privacy and breach-notification statutes. Those regimes impose related, but not identical, privacy and security obligations.
  • State breach laws still apply on top. Reg S-P notification does not replace the breach-notification statutes in effect in all 50 states. A single incident can start both clocks at once, so an incident response plan should map the federal and state notice duties together.

What is a Reg S-P incident response program?

Under § 248.30(a)(3), a covered firm's written policies must include an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The rule text requires procedures to:

  1. Assess the nature and scope of the incident, and identify the customer information systems and the specific information involved.
  2. Contain and control the incident to prevent further unauthorized access or use.
  3. Notify affected individuals under the notification provisions described below.

In practice, an RIA needs a right-sized written program that names who leads an incident, identifies the systems and vendors in scope, explains how the firm assesses what was touched, what containment looks like for its actual systems (custodian portal, CRM, email, file storage), when counsel and insurers get called, and who drafts and sends notices. The rule does not demand a security operations center. It demands a written program proportionate to the firm's systems, vendors, data, and risks, and followed when something happens.

A common miss: the program has to cover information held at service providers, not just information on your own servers. If your portfolio accounting vendor is breached, your incident response program is what governs your firm's next 30 days.

How does the 30-day breach notification clock work?

Section 248.30(a)(4) requires notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The timing rule is exact: notice must go out "as soon as practicable, but not later than 30 days" after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

Three details determine how this plays out in a real incident:

  • The trigger is awareness, not final confirmation. The 30-day period begins when the firm becomes aware that unauthorized access or use has occurred or is reasonably likely to have occurred. A reasonable investigation happens inside the 30 days, not before they start.
  • There is a no-harm off-ramp, and it defaults to notice. A firm may skip notification only if, after a reasonable investigation, it determines the sensitive customer information has not been, and is not reasonably likely to be, used in a way that would result in substantial harm or inconvenience. If you cannot make that determination, you notify. The presumption runs toward the customer.
  • "Sensitive customer information" is broad. It covers any component of customer information whose compromise, alone or with other information, could create a reasonably likely risk of substantial harm or inconvenience. Think Social Security numbers, government IDs, biometrics, or an account number paired with a credential.

One more scoping rule with teeth: if the firm cannot determine which specific individuals' sensitive customer information was affected, notice goes to every individual whose sensitive customer information resides in the affected system, unless a reasonable investigation shows their information was not accessed or used. "We couldn't tell whose data it was" widens the notice list, it doesn't shrink it.

The notice itself has required content: a general description of the incident, the type of sensitive information involved, the date or date range if determinable, firm contact information, and identity-protection guidance such as how to place fraud alerts, review account statements, and reach the FTC's identity-theft resources. A narrow delay is available only where the U.S. Attorney General determines notice would pose a substantial risk to national security or public safety, which is not a path most RIAs should plan around.

If your incident response plan cannot produce an approved, populated notice letter within a week, the 30-day ceiling will feel much shorter than it sounds. Template the letter now, while nothing is on fire.

What does Reg S-P require for service providers?

Section 248.30(a)(5) makes vendor oversight a rule requirement rather than a best practice. A covered firm's written policies must require oversight of service providers, including through due diligence and monitoring, reasonably designed to ensure two things:

  1. The provider protects customer information it receives or maintains on the firm's behalf, and
  2. The provider notifies the firm as soon as possible, and no later than 72 hours, after becoming aware of a breach resulting in unauthorized access to a customer information system.

For an RIA, "service provider" reaches most of the operational stack: custodial data feeds, portfolio management and reporting platforms, CRMs, email and file hosting, billing tools, and outsourced staff who touch client data. The firm can contract for a provider to send customer notices on its behalf, but the regulatory responsibility for timely, compliant notice stays with the firm.

Operationally, this section of the rule is a standing program, not a one-time paper exercise:

  • Keep a current inventory of vendors with access to customer information.
  • Run documented due diligence before onboarding and on a recurring cycle, including how the firm ensures each provider will deliver the 72-hour notification. Many firms handle that in the contract, though the rule requires reasonably designed policies and procedures, not a written contract.
  • Monitor for changes: SOC 2 report findings, subprocessor changes, incidents in the news.
  • Keep the evidence. Examiners ask for the file, not a description of the process.

This is the part of Reg S-P where software earns its keep. RegFin's Vendor Due Diligence module keeps the vendor inventory, review schedule, document requests, and AI-assisted SOC 2 review in one place, so the oversight record the rule requires builds itself as you work.

What are the recordkeeping and privacy notice changes?

The amendments added recordkeeping requirements for each registrant type; for advisers, they fold into the Rule 204-2 books-and-records requirements. Advisers must make and maintain written documentation of the policies and procedures the rule requires, records of any incident and the firm's response and any determinations made, records of customer notices, and documentation of service provider oversight. During an exam, "we contained it and decided notice wasn't required" only counts if the investigation and the no-harm determination were written down at the time.

The amendments also conformed the annual privacy notice to the FAST Act exception: a firm need not deliver an annual privacy notice if it only shares nonpublic personal information under exceptions that don't trigger opt-out rights and hasn't changed its policies and practices since its last notice. Many RIAs qualify, but document the eligibility analysis instead of assuming it.

What happened to the SEC's other cybersecurity proposals?

The SEC withdrew them. In 2022 and 2023 the Commission had proposed a dedicated cybersecurity risk management rule for advisers and funds and a sweeping "safeguarding rule" rewrite of the custody rule. On June 12, 2025, it formally withdrew those proposals, along with twelve others, and stated that any future action in those areas would restart the rulemaking process.

The practical takeaway for an RIA: the amended Regulation S-P is not the placeholder, it is the rule. It is currently the binding federal data-security and breach-notification framework for SEC-registered advisers, and reviving the withdrawn cybersecurity or safeguarding initiatives would require a new rulemaking proposal from scratch.

What will SEC examiners expect now?

The Division of Examinations named preparedness for the Reg S-P amendments, alongside cybersecurity and operational resiliency, in its 2026 examination priorities, and SEC staff hosted a compliance outreach session on Reg S-P for smaller firms in January 2026. With both deadlines passed, gaps that used to be "in progress" are now deficiencies.

A reasonable exam-readiness self-check for an RIA:

  1. The documents exist. Written safeguards policies, the incident response program, and disposal procedures, all updated to reference the amended rule, not the 2000-era version.
  2. The scope is right. Policies cover customer information broadly, including data about non-clients received from other institutions, and information held at vendors.
  3. The vendor file is current. Inventory, due diligence records, monitoring notes, and documentation of how each provider with access to customer information will meet the 72-hour notification expectation.
  4. The notice machinery works. A notice template with the required content, a decision tree for the no-harm exception, and named owners for the 30-day clock.
  5. The records prove it. The required set: records of detected incidents, assessments, containment and recovery steps, provider notifications, customer notices, and the basis for any "investigated, no notice required" determination. For advisers these generally live under Rule 204-2, preserved for five years with the first two easily accessible. On top of that, tabletop exercise notes, near-miss logs, and annual-review documentation are the prudent extras examiners like to see.

Reg S-P work also feeds your broader program. The annual compliance review under Rule 206(4)-7 should cover these policies, and the same evidence trail supports it. If you're building that muscle, start with our RIA compliance guide and the RIA compliance requirements explainer, or work from the RIA compliance checklist. Examiners are watching advertising just as closely, with a fourth Marketing Rule risk alert issued in December 2025: our SEC Marketing Rule guide covers that rule in the same depth.

The bottom line for RIAs

Regulation S-P stopped being a privacy-notice formality in 2024. It is now the SEC's operative data-security rule for advisers: a written incident response program, a 30-day customer notification ceiling, vendor oversight built around 72-hour breach notice to the firm, expanded coverage of customer information, and records that prove all of it. The deadlines have passed, any revival of the withdrawn proposals would take a fresh rulemaking, and examiners get to assume your program is running.


RegFin gives RIAs one place to run the compliance program Reg S-P assumes: vendor due diligence, incident documentation, policy management, and exam-ready evidence trails. Request a demo to see it with your own vendor list.

Frequently asked questions

What does Regulation S-P mean?
Regulation S-P is the SEC rule, codified at 17 CFR Part 248, that implements the Gramm-Leach-Bliley Act for SEC-registered firms. It requires privacy notices and opt-out rights, written safeguards for customer information, secure disposal, and, since the 2024 amendments, an incident response program with 30-day customer breach notification.
Who has to comply with Regulation S-P?
The SEC applies Reg S-P to "covered institutions," meaning broker-dealers (including funding portals), investment companies, SEC-registered investment advisers, and transfer agents. State-registered advisers are not covered. They fall under the FTC's parallel Gramm-Leach-Bliley rules and state privacy and breach-notification laws.
What is the new Reg S-P rule?
In May 2024 the SEC adopted amendments (Release No. 34-100155) requiring covered firms to maintain a written incident response program, notify affected individuals of a breach within 30 days, oversee service providers through due diligence and monitoring, and keep records proving all of it. Compliance became mandatory for all firms by June 3, 2026.
What is the Reg S-P 72-hour rule?
A covered firm's policies must be reasonably designed to require its service providers to notify the firm as soon as possible, and no later than 72 hours, after the provider becomes aware of a breach resulting in unauthorized access to a customer information system. The firm then owns the customer-notification obligation.
Does Regulation S-P apply to state-registered RIAs?
No. Reg S-P covers SEC-registered advisers. State-registered advisers are subject to the FTC's Gramm-Leach-Bliley privacy and safeguards rules (16 CFR Parts 313 and 314) and to state privacy and breach-notification statutes, which impose related, but not identical, duties.
What is the difference between Regulation S-P and Regulation S-ID?
Both live in 17 CFR Part 248. Reg S-P governs privacy notices, safeguarding, disposal, and breach response for customer information. Regulation S-ID is the identity-theft red flags rule, which requires firms that maintain covered accounts to run a program that detects and responds to warning signs of identity theft.

Sources

  1. 17 CFR Part 248, Subpart A (Regulation S-P, current text) — eCFR
  2. Final Rule: Regulation S-P (Release No. 34-100155) — U.S. SEC
  3. SEC Adopts Rule Amendments to Regulation S-P (Press Release 2024-58) — U.S. SEC
  4. Regulation S-P Amendments, Federal Register (89 FR 47688) — Federal Register
  5. Regulation S-P Amendments: A Small Entity Compliance Guide — U.S. SEC
  6. Notice of Withdrawal of Proposed Regulatory Actions (Release No. 33-11377) — U.S. SEC
  7. Morgan Stanley Smith Barney to Pay $35 Million (Press Release 2022-168) — U.S. SEC
  8. 16 CFR Part 314, FTC Safeguards Rule — eCFR
  9. Division of Examinations, Fiscal Year 2026 Examination Priorities — U.S. SEC
Share this article

Ready to simplify your compliance?

See what RegFin can do for your RIA's compliance program.