The SEC's amended Regulation S-P required a written Incident Response Program and 30-day breach notification procedures by December 3, 2025 for larger firms and June 3, 2026 for all other covered firms. Both deadlines have passed. We build the documentation your examiners require.
SEC Regulation S-P is a federal rule requiring registered investment advisers, broker-dealers, investment companies, and transfer agents to protect customer financial information and notify affected customers within 30 days of discovering unauthorized access. The amended rule — adopted May 2024, with compliance required by December 3, 2025 (larger entities) and June 3, 2026 (smaller entities) — mandates a written Incident Response Program (IRP), annual risk assessments, and formal vendor oversight requirements.
~2,000
SEC-registered investment advisers headquartered in NYC, all subject to Reg S-P (SEC Form ADV data, June 2026)
30 days
Maximum window to notify customers of a breach
5–7 wks
Typical time to documentable compliance from engagement start
Jun 2026
Final Reg S-P compliance deadline (Dec 3, 2025 for larger firms; Jun 3, 2026 for all others) — now passed
The amended rule imposes six core requirements on covered entities. Each must be addressed in writing — oral policies and informal procedures do not satisfy the rule.
Documented policies and procedures for detecting, responding to, and recovering from unauthorized access to customer information. Must be in writing and reasonably designed.
A named individual responsible for implementing and supervising the IRP. The coordinator must have authority and resources to execute the program.
Written notice to affected customers within 30 days of breach discovery, unless the firm determines the information was not accessed or misused.
Formal, documented assessment of unauthorized access risks to customer financial data. Must be conducted at least annually and used to update the IRP.
Contractual safeguards for third parties with access to customer data. Firms must assess vendor security controls and maintain written agreements.
Documented security governance and oversight. The IRP and its outcomes must be reported to senior management or the board at appropriate intervals.
Fixed-price engagements with clear deliverables. Choose the tier that matches your current compliance gap — or start with the assessment and scale from there.
Timeline: 2 weeks
Timeline: 3 weeks
Timeline: Ongoing
The compliance window has closed. Firms that have not built their written programs are already at risk in their next SEC examination cycle.
In its April 2019 Regulation S-P Risk Alert, the SEC’s exam staff (then OCIE, now the Division of Examinations) flagged written incident response plans missing role assignments, required response actions, and vulnerability assessments among the most common Safeguards Rule deficiencies at advisers and broker-dealers. The Division’s FY2026 exam priorities make incident response programs under the amended rule an explicit review area. Firms without documented programs face heightened scrutiny.
All compliance deadlines have passed (December 2025 for larger entities; June 2026 for all other covered firms). The SEC Division of Examinations named Reg S-P compliance a 2026 examination priority, and the SEC has previously charged firms under the prior version of the rule for inadequate safeguards and breach response.
Many NYC financial firms are subject to both Reg S-P and NYDFS 23 NYCRR 500. A well-designed compliance program can satisfy the overlapping requirements of both regulations simultaneously — avoiding duplicated effort and cost.
Dual regulation: Many NYC investment advisers hold both an SEC registration and a New York DFS license, making them subject to both Reg S-P and NYDFS 23 NYCRR 500. We design programs that satisfy both simultaneously, reducing duplicated effort and cost.
We work with SEC-registered financial firms of all sizes in New York City. Our engagements are sized to match the complexity of your firm — from single-advisor RIAs to multi-strategy fund managers.
We will review your current documentation and controls against the Reg S-P requirements and tell you exactly what you have, what you are missing, and what examiners are most likely to ask for — at no charge, as part of an initial consultation.
Schedule a Free ConsultationWe review your current documentation, identify your gaps against the Reg S-P requirements, and give you a fixed-timeline plan to build a written IRP that satisfies SEC examination standards.