
Regulation S-P Breach Notification Requirements Explained

Rees Calder · June 12, 2026 · 9 min read

The 30-Day Clock Is Running

Reg S-P is now in force for all SEC-registered advisers. Both compliance dates have passed, and the rule is a named SEC FY2026 examination priority.

When a firm experiences a data breach involving client information, the SEC's amended Regulation S-P starts a 30-day clock. Miss it, and you are looking at deficiency letters, corrective action plans, and, in cases with aggravating factors, enforcement referrals.

Most small RIAs understand they need an incident response plan. Fewer have thought carefully about what happens in the final, most visible stage of that plan: the obligation to notify clients.

This guide explains exactly what triggers the notification requirement, who must receive notice, what the notice must say, and what SEC examiners will want to see when they review your program.

What the Rule Requires

The amended Reg S-P, formally codified as Rule 248.30(b), requires every covered institution to notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed without authorization. The notification must be provided as soon as practicable, and no later than 30 calendar days after the firm becomes aware of the incident.

That phrase, "becomes aware," is doing significant work. It does not require certainty that data was stolen or misused. A reasonable basis to believe that unauthorized access occurred or was likely starts the clock. A phishing email that a staffer clicked, a misconfigured cloud storage bucket discovered by an IT review, a credential exposure identified in a dark-web scan: all of these can trigger the 30-day requirement even if the firm cannot yet confirm that client data was actually exfiltrated.

The rule applies to any "covered institution," which includes SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. If your RIA is SEC-registered, you are subject to the requirement.

What Counts as Sensitive Customer Information

Not every security incident triggers the notification obligation. The breach notification requirement applies specifically to "sensitive customer information," which the amended rule defines as:

  • Social Security numbers or taxpayer identification numbers
  • Driver's license numbers or government-issued identification numbers
  • Account numbers, credit or debit card numbers
  • Any security code, access code, or password that would allow access to a financial account
  • Biometric records
  • Any combination of information that, in context, could be used to commit identity theft or financial fraud

A firm whose network was accessed by an unauthorized party but whose client-facing data was limited to names and email addresses is in a different position than one whose account login credentials or account numbers were exposed. The distinction matters for determining whether the notification obligation applies and how to scope the affected-individual population.

What the Notice Must Contain

The SEC has prescribed specific content requirements for breach notification letters. Your notice must include:

A description of the incident. Written in plain language, explaining what happened in general terms. You do not need to reveal your forensic investigation findings, but affected individuals need enough context to understand what occurred.

The type of information involved. Which categories of sensitive customer information were accessed or are reasonably likely to have been accessed. Be specific about data types without disclosing information that could help bad actors.

The timing of the incident. The date of the incident, or if you do not know the exact date, an estimated date or range.

Protective measures taken by the firm. Steps you have taken or are taking to contain the incident, recover affected systems, and prevent recurrence. This demonstrates to clients, and to the SEC, that your firm responded rather than simply notified.

Guidance for affected individuals. Concrete steps the recipient can take to protect themselves, including placing a fraud alert or credit freeze with the major credit bureaus, monitoring account statements, and contacting your firm if they notice suspicious activity.

The SEC's expectation is that these notices are clear enough that an ordinary client can read and act on them. Vague, heavily lawyered language that obscures rather than communicates will not satisfy the rule and may not protect the firm if the notification is later scrutinized.

The Exam-Readiness Angle

The SEC has flagged Reg S-P as an FY2026 examination priority, and breach notification is one of the areas where examiner document requests get specific. If your firm receives a Reg S-P request list, expect to produce:

  • Your written incident response program, including breach notification procedures
  • Any incident logs or records documenting incidents that occurred since your compliance date
  • For any incidents that triggered notifications: copies of the notifications sent, the population of affected individuals, the date you became aware of the incident, and the date notifications were sent
  • Documentation of any law enforcement delay requests
  • Records showing annual review of your incident response program

The most common deficiency in this area is not the absence of a notification requirement in the written policy. It is the gap between what the policy says and what the firm actually did (or could prove it did). Firms that experienced incidents but have no contemporaneous incident log entries, no notification records, and no evidence of a root-cause review will struggle to demonstrate compliance in an exam setting.

Even if your firm has not experienced an incident since the compliance date, examiners will still review your written procedures to verify they meet the rule's requirements. A policy that references "prompt notification" without specifying the 30-day deadline, or that limits notifications to cases of "confirmed" breach rather than "reasonably likely" breach, may generate a deficiency comment even with a clean incident record.

Interaction with State Data Breach Laws

Reg S-P's 30-day notification window is a federal floor, not a ceiling. States have their own breach notification statutes, and most of them apply regardless of whether the firm is SEC-registered. A firm with clients in New York, California, and Texas may be subject to three separate state regimes, each with different:

  • Covered data definitions (some states are broader than Reg S-P's "sensitive customer information" list)
  • Notification timelines (several states require notification in under 30 days, some as short as 72 hours for certain incident types)
  • Regulator-notification requirements (some states require notifying the state attorney general, insurance commissioner, or consumer protection agency in addition to affected individuals)
  • Content and format requirements (some states specify delivery method, minimum font size, or required disclosures)

Federal Reg S-P compliance does not protect a firm from state enforcement actions for the same breach. Firms with a multi-state client base should map their state law obligations as part of their written incident response program, not as an afterthought.

Building Your Notification Program

A compliant breach notification program has five components. All five need to be documented in writing, reviewed at least annually, and tested against realistic scenarios.

1. Incident identification triggers. Define the threshold for initiating your breach response. At what point does an event become an "incident" requiring the 30-day clock to start? Your policy should name specific event types (credential compromise, unauthorized access to client data systems, lost or stolen devices containing client information) and assign someone responsible for making the threshold determination.

2. Initial assessment checklist. When a potential incident is identified, a defined checklist should guide the first 24 to 72 hours: engage IT or your managed security provider, document what is known, preserve forensic evidence, determine the initial scope of affected data, and notify the designated incident response lead.

3. Affected-individual identification process. How will you determine which clients are affected? This requires knowing where your sensitive client data lives: your CRM, your custodian systems, any cloud storage or file-sharing tools with client records. Firms that cannot quickly enumerate their client data map will struggle to scope their notification obligations under time pressure.

4. Notification templates. Pre-drafted notification letters for the most likely incident types save critical time under the 30-day clock. Templates should be fully compliant with Reg S-P content requirements and reviewed against current state law annually. RegShield's Breach Notification Templates include these pre-drafted letters as one of the four documents generated for your firm.

5. Documentation and recordkeeping. Every incident, including incidents that were assessed and determined not to require notification, should be logged with the date of discovery, the initial assessment finding, and the rationale for any decisions made. The SEC's Rule 204-2 requires RIAs to maintain records relating to their cybersecurity program for at least five years.
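As an added example that is not part of the article or of RegShield's product, the following Python sketch encodes the decision points of the five components above (and the questions the tabletop scenario in the Testing section asks): whether an incident involves sensitive customer information, when the 30-day clock expires, how a documented law-enforcement delay or a shorter state window (an assumed placeholder value, not a real statute) changes the date, and what an examiner-style review of the record would flag. The `Incident` record, the sample data and the function names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data categories the amended rule lists as "sensitive customer information" (from the article).
SENSITIVE = {"ssn", "tin", "drivers_license", "gov_id", "account_number",
             "card_number", "account_credential", "biometric"}
REG_SP_WINDOW = timedelta(days=30)  # 30 calendar days from the date the firm became aware

@dataclass
class Incident:
    incident_id: str
    aware_on: date        # first date with a reasonable basis to believe unauthorized access occurred
    data_elements: set    # categories of data exposed or reasonably likely to have been exposed
    affected: set         # client identifiers in scope (constructed values in the sample)
    rationale: str = ""   # why notification was or was not required; logged either way
    notified_on: Optional[date] = None
    le_delay_until: Optional[date] = None  # set only when a written law-enforcement request exists

def notification_required(inc: Incident) -> bool:
    """Triggered by a sensitive data category plus at least one affected individual."""
    return bool(inc.data_elements & SENSITIVE) and bool(inc.affected)

def deadline(inc: Incident, state_window_days: Optional[int] = None) -> date:
    """Latest permissible notification date. A shorter state window (placeholder value) tightens
    the federal 30 days; a documented law-enforcement delay extends the resulting date (the
    sample assumes the delay applies to whichever window is in effect)."""
    window = REG_SP_WINDOW
    if state_window_days is not None:
        window = min(window, timedelta(days=state_window_days))
    due = inc.aware_on + window
    if inc.le_delay_until and inc.le_delay_until > due:
        due = inc.le_delay_until
    return due

def review(inc: Incident, today: date, state_window_days: Optional[int] = None) -> list:
    """Findings an examiner-style check would raise against the incident record."""
    findings = []
    if not inc.rationale:
        findings.append("no documented rationale for the assessment")
    if not notification_required(inc):
        return findings  # still logged, but no notice obligation
    due = deadline(inc, state_window_days)
    if inc.notified_on is None:
        if today > due:
            findings.append(f"notification overdue since {due.isoformat()}")
    elif inc.notified_on > due:
        findings.append(f"notification sent {(inc.notified_on - due).days} day(s) late")
    return findings

# Constructed sample: the article's tabletop scenario, a former employee who kept cloud-drive access.
SAMPLE = Incident("INC-0001", date(2026, 7, 1), {"ssn", "account_number"}, {"client-17", "client-42"},
                  rationale="SSNs and account numbers on shared drive; access confirmed by audit log")
```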

Testing Your Program

A written program that has never been tested is a liability, not a protection. The amended Reg S-P expects your incident response program to be "reasonably designed" to address cybersecurity threats, and regulators interpret that to include some evidence that the program works in practice.

A tabletop exercise does not require a red team, a simulated attack, or outside consultants. A one-hour annual exercise where your team walks through a hypothetical incident scenario, using your written procedures as the guide, produces a documented test record and identifies gaps before an actual incident does.

Walk through a scenario where a former employee retained access to a cloud drive containing client records for three weeks before the access was discovered. Ask: When does the 30-day clock start? Who makes that determination? How do you identify which clients were affected? Who drafts the notification? Who reviews it? How is it sent? What records are created?

The answers, and any gaps identified, belong in your documentation. Update your procedures based on findings, sign and date the update, and store the record.

What Examiners Will Ask

Based on the SEC's examination priorities and enforcement history in the cybersecurity space, these are the questions your notification program needs to answer convincingly:

  • Does your written incident response program specifically address the 30-day notification obligation?
  • Does it define the trigger for starting the clock in a way that matches the "reasonably likely" standard in the rule?
  • Have you experienced any incidents since your compliance date? If yes, what notifications were sent, when, and to whom?
  • Can you produce copies of notifications sent and evidence that they reached affected individuals?
  • Have you tested your program in the past 12 months?
  • Is your program reviewed and updated at least annually, and is that review documented?

Firms that answer all six questions with documentation in hand will pass this portion of an exam. Firms that can only point to a policy binder without supporting records will not.

Where RegShield Fits

The SEC does not require you to hire outside counsel to build a compliant breach notification program. What it requires is a written program that is specific to your firm and addresses the rule's requirements. RegShield generates the four documents that together constitute a compliant program, including the Breach Notification Templates with pre-drafted client notification letters.

If you have not yet built out your notification procedures, or if your current policy predates the June 2026 compliance date and has not been updated, the 15-minute wizard at RegShield.co is the fastest path to exam-ready documentation.


Frequently Asked Questions

What triggers the 30-day breach notification clock under Reg S-P?

The clock starts when your firm becomes aware that unauthorized access to customer information has occurred or is reasonably likely to have occurred. You do not need certainty that data was misused, only a reasonable basis to believe it was accessed without authorization. From that moment you have no more than 30 calendar days to notify affected individuals.

Who must receive breach notification under the amended Reg S-P?

Notification must be sent to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed without authorization. Sensitive customer information includes Social Security numbers, account numbers, financial account access credentials, and similar data elements that could enable identity theft or financial harm.

Does Reg S-P require firms to notify the SEC after a breach?

The amended rule does not require direct notification to the SEC when a breach occurs. The obligation is to notify affected individuals. However, the SEC expects you to document the incident, your response, and your notifications, and examiners will review that documentation.

How does Reg S-P breach notification interact with state data breach laws?

Most states have their own data breach notification laws with separate timelines, covered data definitions, and regulator-notification requirements. Reg S-P does not preempt state law. A firm with clients in multiple states may need to comply with several state regimes simultaneously, some of which have shorter deadlines than 30 days.

What should be in a Reg S-P breach notification letter?

The amended rule requires the notice to describe the incident in general terms, the type of information involved, the date of the incident or estimated date range, the measures the firm has taken to contain the incident, and guidance for affected individuals on how to protect themselves. Notices must be written in plain language.

Can a firm delay notification under Reg S-P if law enforcement requests it?

Yes. The rule permits a brief delay if a law enforcement agency advises in writing that notification would impede a criminal investigation or jeopardize national security. The firm must document the law enforcement request and the timing of any delay.


Rees Calder

Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.
