The second and final compliance phase of the amended Securities and Exchange Commission Regulation S-P took effect on June 3, 2026, extending the expanded customer data protection obligations to smaller covered institutions. Registered investment advisers with less than $1.5 billion in assets under management, together with broker-dealers that did not qualify as larger entities in the first phase, are now subject to the same heightened customer information safeguarding requirements that applied to larger firms during the initial phase, which began on December 3, 2025. Firms within scope should confirm that their compliance programs are fully operationalized, not merely drafted, and capable of withstanding regulatory scrutiny.

At the core of the amended rule is the requirement that covered firms maintain a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. At a minimum, the program must set out how the firm assesses the nature and scope of an incident, identifies the customer information and information systems affected, contains and controls the incident, and takes appropriate steps to prevent further unauthorized access or use. These written policies and procedures are expected to be tailored to the size, complexity, and risk profile of the firm; a generic template that does not reflect the firm's actual systems, data flows, and vendors is unlikely to satisfy this expectation.

The amendments also impose a customer notification obligation. Covered firms must notify affected individuals as soon as practicable, but no later than 30 days after becoming aware that an incident involving unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred, unless the firm determines after a reasonable investigation that the information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. In addition, firms must exercise meaningful oversight, including due diligence and ongoing monitoring, of service providers that receive, maintain, process, or otherwise are permitted access to customer information. That oversight must be reasonably designed to ensure that the service provider protects the information and notifies the firm of a breach as soon as possible, and in any event within 72 hours of becoming aware of it, so that the firm's own 30-day customer notification clock is not consumed by vendor delay. Expanded recordkeeping obligations require firms to document their compliance efforts, including incident response activities, notification decisions, and service provider oversight.

The SEC Division of Examinations has identified Regulation S-P compliance as a fiscal year 2026 examination priority, signaling that smaller firms should anticipate inquiries into the adequacy of their written programs, breach response readiness, vendor management practices, and supporting documentation. Firms that have not yet finalized their programs, completed staff training, or reviewed third-party agreements for the required breach notification terms should prioritize these steps promptly. Documented testing of incident response procedures, such as tabletop exercises, and clear escalation protocols that identify who decides whether customer notification is required, and by when, will be particularly important in demonstrating operational readiness.

This client alert is provided for general informational purposes only and does not constitute legal advice. Firms should consult counsel to evaluate how the amended Regulation S-P requirements apply to their specific circumstances.