Skip to Main Content




Quick Results
View More Results
Search
  • Home
  • Publications
  • Regulation S-P: June 3, 2026 Compliance Deadline for Smaller Investment Advisers
Publications

Regulation S-P: June 3, 2026 Compliance Deadline for Smaller Investment Advisers

February 24, 2026
Share
LinkedIn Twitter Share Facebook

With the June 3, 2026 compliance deadline approaching, registered investment advisers with less than $1.5 billion in assets under management should be taking steps now to ensure they can meet the SEC’s amended requirements under Regulation S-P.

The Securities and Exchange Commission (SEC) adopted certain noteworthy amendments to Regulation S-P on May 16, 2024, which marked the first significant amendments to Regulation S-P since it was adopted by the SEC in 2000.

In its adopting release,1 the SEC stated that the amendments were necessary "to provide enhanced protection of customer or consumer information and help ensure that customers of covered institutions receive timely and consistent notifications in the event of unauthorized access to or use of their information." Then Chair of the SEC, Gary Gensler, noted in his statement regarding the amendments that since the initial adoption of Regulation S-P, ". . . the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data."2

The amendments became effective on August 2, 2024, and while "larger entities" (i.e., investment advisers with at least $1.5 billion in assets under management, investment companies with at least $1 billion in net assets, and larger broker-dealers) faced a compliance date of December 3, 2025, with respect to the amendments, "smaller entities," such as registered investment advisers with less than $1.5 billion in assets under management (Smaller Investment Advisers), must comply with the amendment by June 3, 2026.

Next Steps for Smaller Investment Advisers

With the June 3, 2026 compliance deadline fast approaching, Smaller Investment Advisers should make sure that they take adequate steps to seek to comply with the amendments to Regulation S-P, including reviewing their current policies and procedures to determine whether they adequately cover the amendments; updating policies and procedures where gaps in compliance have been identified; reviewing vendor contracts to determine whether amendments will be needed (or written assurances requested); and training staff where appropriate.

The SEC's Division of Examinations has specifically identified Regulation S-P compliance as a 2026 examination priority, so Smaller Investment Advisers should prioritize these efforts now to ensure readiness for potential examination.

Certain Material Requirements for Smaller Investment Advisers

1. Incident Response Program

The amendments require Smaller Investment Advisers to "develop, implement, and maintain written policies and procedures that include an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information." The program must include procedures to:

  • assess the nature and scope of any incident involving unauthorized access to or use of customer information;
  • take appropriate steps to contain and control the incident to prevent further unauthorized access or use; and
  • clearly and conspicuously notify affected individuals whose sensitive customer information3 was, or is reasonably likely to have been, accessed or used without authorization, which must be provided as soon as reasonably practicable, but not later than 30 days after the Smaller Investment Adviser becomes aware of the unauthorized access or use4 or reasonable likelihood of unauthorized access or use.5

The SEC intentionally provided flexibility in how Smaller Investment Advisers design their incident response programs, recognizing that "[c]overed institutions need the flexibility to develop policies and procedures suited to their size and complexity and the nature and scope of their activities."

2. Service Provider Oversight

Smaller Investment Advisers also must establish, maintain, and enforce written policies and procedures that are reasonably designed to require oversight of service providers who have access to customer information. This includes:

  • due diligence in selecting service providers;
  • ongoing monitoring of service provider performance; and
  • ensuring that service providers notify the Smaller Investment Adviser within 72 hours after becoming aware that a breach has occurred that results in unauthorized access to customer information.

3. Recordkeeping Requirements

Smaller Investment Advisers must make and maintain written records documenting their compliance with Regulation S-P, including:

  • copies of the Smaller Investment Adviser's written policies under both the safeguards and disposal portions of the amendments;
  • service provider agreements or records documenting oversight of service providers;
  • records of each instance of unauthorized access detected, and actions taken with respect to such unauthorized access; and
  • documentation of any determinations made that customer notification was not required.

If you have questions about the Regulation S‑P amendments or would like guidance on preparing for the June 3 compliance deadline, please reach out to Paul J. Foley, Cole Beaubouef, Kiki Scarff, or John M. Faust.

---

1 Available at https://www.sec.gov/files/rules/final/2024/34-100155.pdf.

2 Statement on Amendments to Regulation S-P (May 16, 2024), available at https://www.sec.gov/news/statement/gensler-reg-s-p-05162024.

3 "Sensitive customer information" is "any component of customer information[,] alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information." Examples include social security numbers, driver's license numbers, passport numbers, taxpayer identification numbers, biometric records, financial account numbers in combination with access codes or security questions, and user names combined with passwords, access codes, or mother's maiden name.

4 Seeking to minimize duplicative notices, the amendments only require a Smaller Investment Adviser to provide notice "where unauthorized access to or use of sensitive customer information has occurred at the covered institution or one of its service providers that is not itself a covered institution."

5 Seeking to minimize duplicative notices, the amendments only require a Smaller Investment Adviser to provide notice "where unauthorized access to or use of sensitive customer information has occurred at the covered institution or one of its service providers that is not itself a covered institution."

Subscribe to
Publications

Authors

 
Paul J. Foley
T: 336.358.6853
  Email Professional
 
Cole Beaubouef
T: 973.241.3822
  Email Professional
 
Kiki Scarff
T: 984.844.7932
  Email Professional
 
John M. Faust
T: 202.508.3466
  Email Professional

Related Practices

Have Questions?
Let's Talk!

To discuss how this topic could affect
your company, click above to email us.

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept