When investment advisers search for the SEC cybersecurity rule, they often find two separate rules, two different release numbers, and a lot of content written for public companies rather than RIAs.
This matters. The wrong answer costs you a deficiency letter.
There are two major SEC cybersecurity frameworks. One applies to your RIA. One does not. This article explains the difference, walks through what your firm actually has to do under Regulation S-P, and covers what SEC examiners are looking for now that the rule is in force.
Two SEC Cybersecurity Rules: Which One Governs Your RIA?
In 2023 and 2024, the SEC adopted two separate cybersecurity rulemakings. They address different registrant types and contain different requirements.
Rule 1: The Public Company Cybersecurity Disclosure Rule (Release No. 33-11216)
Adopted in July 2023, this rule requires public companies -- those that file with the SEC under the Securities Exchange Act, primarily publicly traded companies -- to:
- Report material cybersecurity incidents on Form 8-K within four business days of determining materiality
- Disclose cybersecurity risk management processes in annual Form 10-K filings
- Describe board-level cybersecurity oversight in annual reports
This rule does not apply to investment advisers. If you are an SEC-registered RIA advising private clients or funds, you are not a public company filing 8-Ks, and this rule has nothing to do with your compliance program.
Rule 2: The Amended Regulation S-P (Release No. 34-100155)
Adopted in May 2024 and fully in force as of June 3, 2026, the amended Regulation S-P governs investment advisers registered with the SEC. This is the rule that applies to your firm.
Reg S-P has existed in some form since 2000, but the 2024 amendments substantially expanded its requirements. The amendments added a formal incident response program requirement, a 30-day customer breach notification mandate, service provider oversight requirements, and enhanced recordkeeping obligations.
If you are an SEC-registered investment adviser, Reg S-P is your cybersecurity compliance obligation.
What the SEC Cybersecurity Rule Actually Requires for Investment Advisers
Regulation S-P is structured around five required program elements. Each must be addressed in written policies and procedures. Generic, off-the-shelf language fails examinations. The policies must reflect your actual firm.
1. Incident Response Program
Your incident response program must be documented in writing and must cover four phases: detection, classification, response, and recovery.
Detection procedures address how your firm identifies unauthorized access to customer information. This includes monitoring of systems with access to client data, procedures for identifying phishing attempts or unauthorized logins, and defined roles for staff who receive security alerts.
Classification procedures describe how your firm determines whether a security event constitutes a qualifying incident under Reg S-P. The standard is "reasonably likely unauthorized access to customer information." Your policies must explain how staff make that determination and who has authority to escalate.
Response procedures cover containment, evidence preservation, regulatory notification assessment, and law enforcement coordination. The SEC does not require notification to regulators under Reg S-P (the public company rule has the 4-day 8-K requirement; Reg S-P does not), but your procedures should document how you assess your obligations under state law.
Recovery procedures address how the firm restores normal operations, what documentation is required after an incident, and how the incident informs future risk assessments.
2. Service Provider Oversight Program
The 2024 amendments added formal requirements for managing vendors with access to customer information. Your service provider oversight policy must cover:
Initial due diligence: Before engaging a vendor that will access, process, or store customer information, your firm must conduct written security due diligence. This means requesting and reviewing the vendor's SOC 2 Type II report or equivalent security assessment, evaluating their incident history, and documenting your review.
Contractual requirements: Contracts with covered service providers must include specific cybersecurity provisions: the vendor's obligation to implement appropriate safeguards, the vendor's obligation to notify your firm of a security incident within a defined timeframe (typically 72 hours or similar), your firm's right to audit, restrictions on subcontracting to parties with access to your client data, and data return or destruction requirements on contract termination.
Ongoing monitoring: Annual re-assessment of key vendors, review of updated security certifications, and documented follow-up on any material security incidents affecting the vendor.
3. Information Safeguards
This element covers the technical and administrative controls your firm uses to protect customer information. Required safeguards include encryption of customer data at rest and in transit, multi-factor authentication for systems with access to customer records, access controls limiting employee access to customer data on a need-to-know basis, and documented procedures for device management and remote access.
Reg S-P does not mandate specific technologies. It requires safeguards appropriate to the nature and scope of your firm's activities. A sole-proprietor RIA using cloud-based portfolio management software has different safeguard requirements than a firm running on-premise servers, but both must document what they have in place and why it is sufficient.
For a detailed breakdown of the controls that satisfy this requirement, see our guide to Reg S-P cybersecurity controls for RIAs.
4. Customer Breach Notification
The most operationally demanding addition in the 2024 amendments is the 30-day breach notification requirement.
When your firm determines that a qualifying incident -- unauthorized access reasonably likely to cause substantial harm -- has affected customer information, you must provide written notification to each affected customer within 30 calendar days of making that determination.
The notification must include: a description of the incident, the type of customer information involved, the date or date range of the incident if known, contact information for customers to ask questions, and a description of what your firm is doing in response.
Pre-drafting your notification letters before an incident is not optional -- it is the only way to meet a 30-day deadline while simultaneously managing the incident. Your breach notification templates should be reviewed and updated annually and whenever your firm's data handling practices change.
For a complete guide to the notification requirement, see Reg S-P breach notification requirements explained.
5. Recordkeeping Procedures
Your recordkeeping procedures must address three dimensions:
Retention: What categories of customer records does your firm maintain, and for how long? Investment advisers are subject to the five-year retention requirement under Rule 204-2. Your Reg S-P recordkeeping policy should identify which records fall within the customer information definition and confirm that they are covered by the retention schedule.
Access controls: Who has access to retained customer records, how is that access logged, and how are access rights revoked when employees depart?
Disposal: When customer records reach the end of their retention period, how does your firm ensure secure disposal? This includes both electronic records (overwriting standards or certified deletion) and physical records (cross-cut shredding or certified destruction services).
Why the SEC Cybersecurity Rule Is an FY2026 Examination Priority
The SEC's Division of Examinations publishes annual examination priorities. Reg S-P compliance appears explicitly in the FY2026 priorities document, making it one of the named areas where examiners will focus attention in the current examination cycle.
What this means practically: if your RIA receives an examination notice in 2026 or 2027, expect a Reg S-P document request as part of the initial information request. The document request will ask for your written policies, evidence of your most recent risk assessment, vendor contracts, any incident records, and training documentation.
The most common deficiency findings from prior Reg S-P examinations:
- Policies not tailored to the firm. Examiners reject generic templates that could apply to any firm. They look for specific references to your actual technology vendors, your actual custodians, your actual personnel roles.
- No documented risk assessment. The rule does not specify a risk assessment format, but the absence of any written risk assessment is a consistent deficiency finding.
- Vendor contracts missing required provisions. Existing contracts with cloud storage providers, CRM platforms, and portfolio management software often predate the 2024 amendments and lack breach notification timelines and subcontractor restrictions.
- Notification procedures without 30-day compliance. Policies that say "notify customers as soon as practicable" without a specific timeline fail the 2024 amendment requirement.
- Recordkeeping policies with no disposal procedures. Firms that document retention schedules but omit disposal procedures are consistently cited.
For a detailed walkthrough of the examination process and how to prepare, see what SEC examiners look for in a Reg S-P examination.
The Cybersecurity Risk Assessment: Where to Start
The practical entry point for building a Reg S-P cybersecurity program is a written cybersecurity risk assessment. This document does three things:
- It identifies the categories of customer information your firm collects, processes, and stores.
- It maps the systems and third parties with access to that information.
- It identifies the threats and vulnerabilities relevant to your firm's operations and documents the controls you have in place (or plan to implement) to address them.
The risk assessment is the foundation on which your other policies sit. Examiners use it to test whether your written policies reflect your actual operations. A policy that lists controls not mentioned in your risk assessment raises questions. A risk assessment that identifies vulnerabilities not addressed in your safeguard procedures raises others.
For a step-by-step guide to completing this assessment, see how to conduct a Reg S-P cybersecurity risk assessment for your RIA.
What an Investment Adviser Cybersecurity Program Looks Like in Practice
For a small RIA -- a sole-proprietor or two-person firm using cloud-based software and a third-party custodian -- a compliant Reg S-P cybersecurity program consists of four written documents, a vendor contract review, and an annual training and testing cadence.
The four written documents:
- An incident response program covering detection, classification, response, and recovery procedures specific to your firm.
- A service provider oversight policy covering initial due diligence and contractual standards for vendors with access to client data.
- Breach notification templates: pre-drafted customer letters ready to deploy within the 30-day clock, with your firm's information populated in advance.
- Recordkeeping procedures covering retention, access, and disposal of customer records.
The vendor contract review:
Review all existing contracts with vendors that access, process, or store customer information. For each contract missing the required cybersecurity provisions, prepare an amendment or obtain updated terms. Most major custodians and software providers have updated their standard agreements to include these provisions -- but you must confirm in writing and document the review.
The annual cadence:
After the initial build, Reg S-P requires that your policies remain current. This means an annual review and update of all four documents, an updated risk assessment, and annual staff training. Many firms fold this into their Rule 206(4)-7 annual compliance review. For guidance on that integration, see Reg S-P and your annual Rule 206(4)-7 compliance review.
Getting Your Reg S-P Cybersecurity Program in Place
The four required documents for Reg S-P -- Incident Response Program, Service Provider Oversight Policy, Breach Notification Templates, and Recordkeeping Procedures -- take most compliance consultants several weeks and $3,000 to $15,000 to produce.
RegShield generates all four documents in about 15 minutes. You complete a short intake questionnaire about your firm (personnel, technology vendors, custodians, data handling practices), and RegShield produces examination-ready PDFs customized to your specific firm. One-time $299, available immediately.
Frequently Asked Questions
Which SEC cybersecurity rule applies to investment advisers?
Investment advisers registered with the SEC are governed by Regulation S-P (Release No. 34-100155), not the SEC's public company cybersecurity disclosure rule (Release No. 33-11216). Reg S-P requires written policies covering incident response, service provider oversight, 30-day breach notification, and recordkeeping. The public company rule governs reporting companies and does not apply to your RIA.
Is the SEC cybersecurity rule for investment advisers now in effect?
Yes. The amended Regulation S-P compliance date for smaller investment advisers was June 3, 2026. All SEC-registered investment advisers are required to comply in full. The SEC's Division of Examinations has named Reg S-P compliance a priority for FY2026 examinations.
What are the five required elements of the Reg S-P cybersecurity program?
Reg S-P requires written policies and procedures covering five elements: (1) an incident response program; (2) a service provider oversight program; (3) information safeguards including encryption and access controls; (4) customer breach notification procedures enabling written notice within 30 days of a qualifying incident; and (5) recordkeeping procedures covering retention, access, and disposal of customer data.
Does the SEC cybersecurity rule apply to small RIAs with few clients?
Yes. Regulation S-P contains no size-based exemption. The four required documents apply regardless of firm size. A sole-proprietor RIA with 10 clients has the same written policy obligations as a firm with 500 clients.
What does the SEC examine for cybersecurity compliance?
During a Reg S-P examination, SEC staff typically request your written cybersecurity policies, your most recent cybersecurity risk assessment, vendor contracts with security provisions, any incident logs, breach notification procedures, and staff training records. The most common deficiency findings are policies not tailored to the firm, missing risk assessments, vendor contracts lacking required provisions, notification procedures without a 30-day timeline, and recordkeeping policies without disposal procedures.
How do I quickly get a Reg S-P cybersecurity program in place for my RIA?
RegShield generates the four required Reg S-P documents in approximately 15 minutes. You complete a short intake questionnaire about your firm, and RegShield produces examination-ready PDFs customized to your specific operations. One-time $299 with no annual subscription.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.