What Does Regulation S-P Require for Investment Advisers in 2026?

What Regulation S-P covers

Regulation S-P (17 CFR Part 248) has governed how broker-dealers, investment companies, and registered investment advisers handle customer financial information since 2000. The original rule focused on privacy notices and opt-out rights. The 2024 amendments added teeth: a mandatory incident response program, specific notification timelines, and vendor oversight obligations.

The amended rule applies to every SEC-registered investment adviser. If you are registered with the SEC, this is not optional. State-registered advisers should also pay attention — many state regulators adopt SEC standards as examination benchmarks.

The written incident response program

The biggest change in the amended rule is the requirement under Rule 248.30(a) to develop, implement, and maintain a written incident response program. This is not a suggestion. The SEC expects a documented program that addresses:

• Detection. How your firm identifies unauthorized access to or use of customer information. This means logging, monitoring, and alerting — not finding out from a client that their data showed up somewhere it should not be.
• Assessment. Procedures for evaluating the nature and scope of an incident, including what data was involved, how many clients were affected, and whether the unauthorized access is ongoing.
• Containment. Steps to stop the unauthorized access and prevent further exposure. This includes isolating affected systems, revoking compromised credentials, and engaging forensic support when needed.
• Notification. Specific procedures for notifying affected individuals and, where applicable, service providers. The rule sets hard deadlines here — more on that below.
• Recovery. How your firm restores normal operations and addresses the vulnerabilities that led to the incident.

The 30-day client notification rule

When your firm determines that sensitive customer information was or is reasonably likely to have been accessed or used without authorization, you must notify each affected individual. The clock starts when you make that determination — not when the breach occurred.

The notification must happen as soon as practicable but no later than 30 days after the determination. It must include:

• A description of the incident in general terms
• The types of sensitive customer information involved
• Contact information for the firm so clients can ask questions
• Information about how affected individuals can protect themselves, including contact details for the major credit bureaus

Thirty days is the outer limit, not the target. The SEC has made clear in adopting release commentary that firms should notify as quickly as reasonably possible. If you are waiting until day 29, you are doing it wrong.

The 72-hour vendor notification requirement

Regulation S-P also requires that service provider agreements include provisions obligating the service provider to notify your firm within 72 hours of becoming aware of a breach involving your customer information. This means you need to:

• Review every existing vendor contract that involves access to customer information
• Add or amend breach notification provisions to include the 72-hour requirement
• Establish a process for receiving and acting on vendor breach notifications

If your custodian, CRM provider, email platform, or cloud storage vendor has access to client data, those contracts need to include this language. Most standard vendor agreements do not include a 72-hour notification clause. You will need to negotiate amendments or addendums.

The compliance timeline

The SEC provided an 18-month transition period for larger firms (those with $1.5 billion or more in AUM), which ended June 3, 2025. Smaller advisers — those under $1.5 billion — received a 24-month transition period ending June 3, 2026.

That deadline is not a date to start working on compliance. It is the date by which your incident response program must be written, adopted, tested, and operational. Your vendor agreements must already include the required notification provisions. Your staff must already be trained on the procedures.

What most advisers are getting wrong

1. Treating this as an IT problem

Your IT provider can help with detection and containment. They cannot write your incident response program, negotiate your vendor contracts, or notify your clients. This is a compliance obligation that requires involvement from your CCO, your legal counsel, and firm leadership.

2. Copying a template without customizing it

The SEC expects your incident response program to reflect your firm's actual operations, systems, and risk profile. A generic template downloaded from the internet will not hold up in an examination. Examiners ask staff to walk through the program and explain how it applies to their daily work. If your team cannot do that, the program is not functional.

3. Ignoring the vendor contract requirement

Many advisers have focused on the incident response program and the notification timeline but have not touched their vendor agreements. The 72-hour service provider notification requirement is part of the same rule. If your vendor contracts do not include it, you are not compliant.

4. Not testing the program

A written program that has never been tested is a document, not a program. The SEC expects tabletop exercises or simulated incident drills that demonstrate your team knows what to do, who to contact, and how to execute the notification process under pressure.

How BlackSheep helps

BlackSheep's RIA compliance platform includes incident response program templates mapped to the amended Regulation S-P requirements, vendor oversight tracking, and notification workflow management. The platform walks your firm through building a program that reflects your actual operations — not a generic document that sits in a folder.

Learn more about how the Regulation S-P module works, or start building your incident response program today.