If you run a small registered investment advisory firm, you have probably heard about the SEC's updated Regulation S-P requirements. You may also be hoping that if you ignore it long enough, it will go away. It will not.
The amended Regulation S-P takes full effect for smaller entities (for investment advisers, firms with less than $1.5 billion in assets under management) on June 3, 2026; larger entities had to comply by December 3, 2025. That date is not moving. And the changes are substantial enough that "we'll get to it later" is not a viable strategy.
This article covers what changed, what you actually need to do, and how to avoid the mistakes that trip up most small firms.
What Is Regulation S-P?
Regulation S-P (17 CFR Part 248, Subpart A, adopted by the SEC under the Gramm-Leach-Bliley Act) governs how SEC-registered investment advisers, along with broker-dealers, investment companies and, since the 2024 amendments, transfer agents, protect customer information. Its safeguards provision is Rule 248.30. The regulation was originally adopted in 2000 and has always required firms to have written policies and procedures for safeguarding customer records and information.
For over two decades, the original rule was fairly straightforward. Firms needed a privacy notice, an opt-out mechanism for information sharing, and reasonable safeguards for customer records. Most small RIAs met these requirements with a basic privacy policy and some common-sense data security measures.
That changed in 2024.
What Changed in the 2024 Amendments
The SEC proposed amendments to Regulation S-P in March 2023 and adopted them on May 16, 2024. These changes reflect the reality that cybersecurity threats have evolved dramatically since the rule was first written.
The key changes fall into four areas:
Incident Response Programme
For the first time, Regulation S-P now explicitly requires a written incident response programme. This is not just a suggestion or a best practice. It is a regulatory requirement with specific elements that the SEC will look for during examinations.
Your incident response programme must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. In practice the plan must address:
- Detection: How your firm identifies potential security incidents
- Assessment: How you evaluate the nature and scope of an incident, and how you identify which customer information systems and which types of customer information may have been accessed or used without authorization
- Containment: Steps to contain and control the incident and prevent further unauthorized access or use
- Notification: How you decide whether affected individuals must be notified, and how you do it (covered in the next section)
- Recovery: Procedures for restoring normal operations
- Documentation: How you record incidents and your response to them
A generic template pulled from the internet will not satisfy this requirement. The rule asks for procedures reasonably designed for your own customer information systems, so your plan needs to reflect your firm's actual operations, technology stack, and client base.
Breach Notification Requirements
The amended rule introduces a federal obligation to notify affected individuals. If unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred, you must notify each affected individual unless, after a reasonable investigation, you determine that the information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. That exception is narrow and the burden is on you: if you cannot document that determination, notification is required.
Key requirements include:
- Notification must be provided as soon as practicable, and no later than 30 days after you become aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The clock starts at awareness, not at the end of your investigation. If you cannot identify which specific individuals were affected, you must notify every individual whose sensitive customer information resides in the affected system
- Notifications must include the content the rule specifies: a general description of the incident and the types of sensitive customer information involved, the date or estimated date (or date range) of the incident, contact information the individual can use to reach the firm, and guidance such as reviewing account statements, placing a fraud alert and obtaining a free credit report
- The rule does not require pre-drafted templates, but you should have them ready to deploy, because you will not have time to draft them from scratch inside the 30-day window
Vendor Oversight
The amendments add explicit requirements for oversight of third-party service providers. If a vendor receives, maintains, processes or otherwise has access to your customer information, your written policies must be reasonably designed to require oversight of that vendor, including through due diligence and monitoring, so that it protects the information against unauthorized access and notifies you as soon as possible, and no later than 72 hours, after becoming aware of a breach resulting in unauthorized access to a customer information system it maintains. You need documented policies for:
- Due diligence: How you assess vendors before engaging them
- Contractual requirements: What security provisions you require in vendor agreements
- Ongoing monitoring: How you verify that vendors continue to meet your security standards
- Incident coordination: How you and your vendors work together during a security event, including the 72-hour notification you require from the vendor and how that notice starts your own 30-day clock
For most small RIAs, this is the most operationally demanding change. You likely use multiple third-party platforms: custodians, CRM systems, portfolio management software, email providers. Each one that touches customer data falls under these requirements.
Expanded Recordkeeping
The amendments broaden recordkeeping requirements to cover all of the above. You must maintain records of:
- Your written policies and procedures
- Any incidents and your response to them
- Vendor assessments and monitoring activities
- Breach notifications sent to individuals
- Training materials and evidence of staff training
These records must be maintained for the retention period in the Advisers Act books-and-records rule (Rule 204-2): five years, with the first two years in an easily accessible place.
The Four Documents You Need
Cutting through the regulatory language, compliance with the amended Regulation S-P comes down to having four well-crafted documents:
1. Incident Response Plan
This is the most critical document. It needs to lay out a clear, step-by-step process for what happens when something goes wrong. For a small RIA, this does not need to be 50 pages long. It needs to be realistic, actionable, and specific to how your firm operates.
A good incident response plan for a small RIA typically covers:
- Designated incident response roles (even if it is just two people)
- Classification criteria for different types of incidents
- Step-by-step response procedures for common scenarios
- Communication protocols (internal and external)
- Escalation procedures
- Post-incident review process
2. Vendor Oversight Policies
This document defines how you evaluate and monitor the third-party service providers who access your client data. It should include:
- A current inventory of vendors with access to customer information
- Your due diligence process for new vendors
- Minimum security standards you require
- How frequently you review vendor compliance
- Procedures for handling vendor-related incidents
3. Breach Notification Procedures and Templates
This covers your process for notifying affected individuals when a breach occurs. It includes:
- Criteria for determining when notification is required
- Your notification timeline (within the 30-day regulatory window)
- Pre-drafted notification letter templates
- Procedures for coordinating with law enforcement if applicable. Note that the only delay the rule permits is a written request from the U.S. Attorney General on the ground that notice would pose a substantial risk to national security or public safety; filing a local police report does not pause the 30-day clock
- Record-keeping requirements for notifications sent
4. Recordkeeping Procedures
This document outlines how you maintain evidence of your compliance activities:
- What records you keep and for how long
- Where and how records are stored
- Who is responsible for maintaining records
- How records are protected from tampering or loss
Common Mistakes Small RIAs Make
In our work with small advisory firms on compliance matters, certain mistakes come up repeatedly.
Using Generic Templates Without Customisation
The SEC expects your policies to reflect your specific operations. An incident response plan that references "the firm's 24/7 security operations centre" is not credible when you are a three-person shop. Examiners notice this immediately.
Ignoring Vendor Oversight
Many small RIAs treat vendor management as someone else's problem. "Our custodian handles security" is not a compliance strategy. You are responsible for overseeing every vendor that touches your client data, regardless of how large or reputable they are.
Creating Documents and Filing Them Away
Compliance is not a one-time documentation exercise. The SEC expects you to implement your policies, train your staff on them, and test them periodically. A beautifully drafted incident response plan that no one has read is worse than useless; it creates a false sense of security.
Waiting Until the Last Minute
June 2026 will arrive faster than you think. Drafting the documents is only the first step. You also need to train staff, set up the processes described in your policies, and conduct at least one tabletop exercise. This takes time. Starting in May 2026 puts you in an extremely difficult position.
Underestimating the Scope
Some firms assume that because they are small, the requirements are somehow lighter. They are not. The rule applies to every covered institution, and the only accommodation for smaller entities is the later compliance date. A firm managing $50 million in assets faces the same documentary requirements as one managing $50 billion.
What You Should Do Now
If you have not started your Regulation S-P compliance work, here is a practical path forward:
1. Inventory your data and vendors. Before you can write policies, you need to know what customer information you hold, where it lives, and who has access to it. This includes every software platform, cloud service, and third-party provider.
2. Draft your four core documents. Use a structured approach, whether that means working with compliance counsel, using a purpose-built tool like RegShield, or both. The key is that the documents reflect your actual operations.
3. Review with counsel. Even if you use templates, have a qualified attorney review your final documents. This is not a formality; it is about ensuring your policies will hold up during an SEC examination.
4. Implement and train. Distribute the policies to your team. Conduct training sessions. Make sure everyone knows their role in the incident response plan and understands the vendor oversight requirements.
5. Test your plan. Run a tabletop exercise simulating a data breach. Walk through your incident response plan step by step, including the 30-day notification deadline and the 72-hour vendor notice. Identify gaps and fix them before a real incident forces you to find them the hard way.
6. Document everything. Keep records of your training, your tabletop exercises, your vendor assessments, and any policy updates. This documentation is what SEC examiners will ask for.
The Bottom Line
The amended Regulation S-P is not optional, and it is not something you can address with a single afternoon of paperwork. But it is also not as overwhelming as it might seem. For most small RIAs, the path to compliance is straightforward: understand the requirements, create the right documents, implement them, and maintain records.
The firms that struggle are the ones that wait too long or treat compliance as a checkbox exercise. The firms that do well are the ones that view their compliance documents as living tools that actually improve their security posture.
June 3, 2026 is coming. The question is not whether you need to comply. It is whether you will be ready.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.