When is the SEC Reg S-P compliance deadline for small RIAs?

June 3, 2026. Larger entities with $1.5 billion or more in total assets had to comply by December 3, 2025. Most RIAs fall into the June 2026 group.

What changed in the 2024 Reg S-P amendments?

The SEC added four major requirements: a written incident response program, 30-day breach notification to affected individuals, 72-hour vendor notification clauses in contracts, and expanded scope covering customer information received from other financial institutions.

What happens if my RIA misses the Reg S-P deadline?

The SEC can bring enforcement actions including censure, cease-and-desist orders, and civil monetary penalties exceeding $200,000 per violation for individuals and $2 million per violation for entities.

March 15, 2025·8 min read

The SEC Reg S-P Deadline Is June 3, 2026. Here's What That Actually Means for Your Firm.

The SEC rewrote the Safeguards Rule in May 2024. If you manage money and you're registered with the SEC, you have until June 3, 2026 to comply. That sounds like plenty of time until you look at what's actually required.

What changed?

Regulation S-P has been around since 2000. It started as a privacy-and-safeguards rule under the Gramm-Leach-Bliley Act, and for most of its life, the Safeguards Rule (Rule 248.30) said you needed "written policies and procedures" to protect customer information. That was it. Broad, vague, and open to interpretation.

The May 2024 amendments (SEC Release No. 34-100155) changed that. The SEC got specific. Here's what's new:

Written incident response program. Not a suggestion. Not a best practice. A regulatory requirement. Your firm needs a program that can detect unauthorized access to customer information, contain it, and recover from it.
30-day breach notification. If customer information is accessed without authorization (or "reasonably likely" to have been), you have 30 days from when you become aware to notify affected individuals. The notice has to describe what happened, what information was involved, how to reach the FTC, and whether you're offering credit monitoring.
72-hour vendor notification. Your service providers must contractually agree to tell you about security incidents within 72 hours. Not a handshake. Not "as soon as practicable." 72 hours, in writing.
Expanded scope. The rule now covers customer information received from other financial institutions, not just information you collected yourself. And it extends protections to certain "consumers" (people in non-continuing relationships), not just "customers."
Record-keeping. All compliance activities must be documented and retained, consistent with your books-and-records obligations under Advisers Act Rule 204-2.

Who has to comply?

If you are an SEC-registered investment adviser, this applies to you. Full stop. It also applies to broker-dealers and investment companies, but if you're reading this, you're probably an RIA.

State-registered advisers (those below the SEC registration threshold) are not covered by Reg S-P, though many states have their own requirements that look similar.

The deadline depends on your size. Larger entities ($1.5 billion or more in total assets) already had to comply by December 3, 2025. Everyone else has until June 3, 2026. Most RIAs fall into that second group.

What happens if you miss it?

The SEC can bring enforcement actions for non-compliance. Penalties include censure, cease-and-desist orders, disgorgement, and civil fines that can exceed $200,000 per violation for individuals. For entities, that number goes up to $2 million per violation.

But fines are only part of it. If you have an incident and no incident response plan, you are also explaining yourself to clients, your E&O carrier, and probably a reporter.

How to get ready (without losing your mind)

June 2026 is closer than it sounds. Here's what to focus on, roughly in order:

1. Run a gap analysis

Compare your current Written Information Security Plan against the new requirements. Pay attention to the incident response program mandate and the vendor notification requirement. If you don't have an IRP at all, that's your biggest gap.

2. Build (or rebuild) your incident response plan

The SEC wants four things: detection, containment, notification, and recovery. Your plan should spell out who does what, who gets called first, and how you decide whether notification is required. Then test it. A tabletop exercise over lunch counts. A document nobody has read does not.

3. Renegotiate vendor contracts

Every vendor that touches customer information needs the 72-hour notification clause in their contract. Start with your biggest vendors: your custodian, your CRM, your portfolio management system, your cloud provider. This takes time. Vendors push back. Start now.

4. Set up your notification workflow

If something happens, you need a process for notifying affected individuals within 30 days. That means templates, contact lists, and a decision tree for the "no substantial harm" exception. Build it before you need it.

5. Document everything

The SEC doesn't just want policies. They want evidence that those policies are implemented. Training records, tabletop exercise results, vendor due diligence files, contract amendments. If it's not documented, it didn't happen.

Don't forget about state laws

Reg S-P's 30-day notification requirement does not preempt state breach notification laws. You still have to comply with every state law that applies to your clients. Some states require notice in as few as 30 days. Others give you 60 or 90. Map your obligations under both regimes so you're not caught off guard.

So where does that leave you?

The 2024 amendments turned Reg S-P from a vague directive into specific requirements the SEC can actually enforce. If you're an SEC-registered RIA, you need an incident response program and vendor notification contracts. You need a breach notification process. All of it documented and tested by June 3, 2026.

You can build it yourself, hire a consultant, or use a platform that was built for exactly this. Here's how BlackSheep handles it.