Published on Jun 11th, 2026

The Reg S-P Deadline Has Passed - Is Your Firm Ready?

Vigilant Insights

Introduction

As of June 3, 2026, RIAs with less than $1.5 Billion in Assets Under Management (AUM) are required to comply with the SEC’s amended Regulation S-P (“Reg S-P”) requirements. Larger entities with over $1.5 Billion in AUM have been subject to the amendments since December 3, 2025.

The amendments were adopted to strengthen the protection of investors’ nonpublic personal information and reflect the evolving cybersecurity landscape facing Firms. The revised rules require Firms to implement comprehensive incident response programs, establish procedures to detect and respond to unauthorized access to customer information, and provide customer notifications following certain data breaches.

Among the most significant changes are the requirements to notify affected customers of qualifying data breaches within 30 days and to ensure Third-Party Service Providers report security incidents to the Firm within 72 hours. These requirements place greater emphasis on both internal cybersecurity controls and vendor oversight programs.

For many Firms, the implementation deadline serves as a reminder that cybersecurity compliance extends beyond technology and requires ongoing governance, documentation, and vendor management efforts.

Vigilant Director Laura Arnott, CFA, CIPM, IACCP, CTPRP, CRISC, RCP, was recently quoted in Financial Advisor IQ on Reg S-P. Her insights can be found below.

Laura Arnott Insights

Laura believes one of the most commonly overlooked aspects of the amended Reg S-P requirements is the due diligence and oversight of Third-Party Vendors.

She emphasized that Firms must ensure Vendors with access to customer information maintain appropriate safeguards to protect that data and have processes in place to report suspected breaches promptly. While larger Vendors are generally expected to have mature compliance programs capable of meeting the 72-hour notification requirement, smaller Vendors may not be as prepared.

To address this risk, Laura suggests that Firms conduct regular reviews of Third-Party Service Providers and engage with Vendors at least annually to confirm continued compliance with Reg S-P obligations.

She also noted that Firms should expect regulatory scrutiny now that the compliance deadline has passed. Based on observations from the initial compliance period for larger Firms, the SEC may begin requesting information regarding Firms’ implementation efforts shortly after the effective date.

While the extent of future enforcement activity remains uncertain, Laura believes the SEC is likely to focus initially on evaluating the adequacy of Firms’ written policies, procedures, and compliance frameworks before pursuing formal enforcement actions.

Vigilant's Conclusion

The amended Reg S-P requirements represent an enhancement of the SEC’s expectations regarding the protection of customer information and cybersecurity preparedness. Firms should be sure they have documented incident response procedures, breach notification protocols, and robust oversight of Third-Party Vendors that handle sensitive client data.

In addition to reviewing internal policies and procedures, Firms should evaluate vendor management programs, confirm contractual reporting obligations, and maintain documentation demonstrating compliance with the new requirements.

As regulators increasingly focus on cybersecurity governance and operational resiliency, Firms that proactively assess and strengthen their compliance programs will be better positioned for regulatory examinations and evolving cybersecurity risks.

Vigilant works with a wide variety of Firms to evaluate cybersecurity compliance programs, enhance vendor oversight processes, and prepare for regulatory examinations related to Reg S-P and other SEC requirements. To learn more about our Compliance Services and how we can help, contact us to schedule a call.