Feature Data Privacy
Amended Regulation S-P: The 30-Day Breach Notification Rule That Now Applies to Every Investment Adviser and Broker-Dealer
The SEC's 2024 amendment to Regulation S-P created a mandatory 30-day customer breach notification requirement for investment advisers, broker-dealers, and investment companies. Smaller entities just passed their June 3, 2026 compliance deadline. Here's what the rule actually requires — and the three operational gaps most firms haven't closed.
Table of Contents
TL;DR:
- The SEC’s May 2024 amendment to Regulation S-P requires registered investment advisers, broker-dealers, investment companies, and transfer agents to notify affected customers within 30 days of a breach of their nonpublic personal information.
- Larger entities (RIAs with $1.5B+ AUM, larger broker-dealers) had a December 3, 2025 deadline. Smaller entities just hit their June 3, 2026 deadline — two weeks ago.
- Three operational requirements are now active: a written incident response program, a 30-day customer notification process, and a requirement that service providers notify you within 72 hours of a breach.
- Reg S-P is separate from and in addition to GLBA Regulation P (annual privacy notices) — common confusion, separate obligations.
June 3, 2026 was a quiet deadline for an important rule.
If your registered investment advisory firm manages less than $1.5 billion in AUM, that was your compliance deadline for the SEC’s amended Regulation S-P — the first time the SEC has required investment advisers and broker-dealers to have a written incident response program and notify customers within 30 days of a data breach affecting their nonpublic personal information.
The deadline came and went two weeks ago. OCIE examinations are already incorporating Regulation S-P compliance reviews, and the gap between what the rule requires and what most small and mid-size firms have built is wider than most practitioners realize.
What Is the Amended Regulation S-P and Why Now?
Regulation S-P was originally adopted in 2000 to implement privacy and safeguards requirements for SEC-registered broker-dealers, investment advisers, investment companies, and transfer agents under the Gramm-Leach-Bliley Act. The original rule required firms to adopt safeguards and limit the disclosure of customer nonpublic personal information — but it predated most of the threat landscape that practitioners deal with today.
The SEC adopted amendments on May 16, 2024, adding three substantial new requirements to an existing framework that had been largely unchanged for nearly 25 years:
- A mandatory written incident response program
- A 30-day customer notification obligation when customer information is compromised
- A service provider oversight requirement, including a 72-hour notification from your service providers
The amendments apply to the same covered institutions as the original rule: SEC-registered broker-dealers, registered investment advisers, registered investment companies (including mutual funds), registered transfer agents, and funding portals.
Who Is — and Isn’t — Covered
This is a common source of confusion because multiple rules use similar language for different populations.
Covered by amended Regulation S-P:
- SEC-registered investment advisers (regardless of AUM)
- SEC-registered broker-dealers
- Registered investment companies (mutual funds, closed-end funds, ETFs)
- Registered transfer agents
- SEC-registered funding portals
Not covered by amended Regulation S-P:
- Banks and bank holding companies — they have analogous obligations under their primary federal banking regulators’ rules, including the GLBA Safeguards Rule and GLBA Regulation P requirements
- State-registered investment advisers — not SEC-registered, not in scope, though state-level analogues may apply
- Exempt reporting advisers — generally not covered by the full Regulation S-P framework
If you’re a dual-registrant (registered as both a broker-dealer and an investment adviser), you’re covered on both sides. The requirements apply to all your customer-facing activities.
Requirement 1: Written Incident Response Program
Covered institutions must adopt written policies and procedures for an incident response program. The amendment specifies what that program must address:
- Assessment of which information systems and data assets contain customer information
- Detection controls to identify unauthorized access or use
- Defined response procedures covering containment, investigation, and remediation
- Recovery procedures to restore systems and data
- Customer notification procedures (see below)
- Post-incident review and program improvement processes
The written program requirement is foundational — the 30-day notification obligation and the service provider notification requirement both depend on having documented processes that your team can execute under pressure. An incident response program that exists only in the CISO’s head, or in a decade-old document that predates cloud adoption and remote work, does not satisfy the amendment.
SEC examination staff reviewing Reg S-P compliance will ask to see the written program, will review whether it addresses all required elements, and will assess whether firm personnel are trained on it. A common exam gap is a program that looks adequate on paper but has never been tested — no tabletop exercise, no walkthrough with the notification process, no evidence that the 30-day clock has been operationalized.
Requirement 2: The 30-Day Customer Notification
When a breach of customer information occurs — or is “reasonably likely” to have occurred — covered institutions must notify affected customers as soon as practicable, and no later than 30 days from awareness of the event.
What triggers the clock: Awareness that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. This is not a confirmed-breach standard. You don’t need a completed forensic investigation before the clock starts. The moment a reasonable assessment concludes that customer information was likely accessed without authorization, the 30-day window opens.
This matters operationally. Firms that wait for a full forensic report before characterizing an event as a potential breach will routinely find that their 30-day window has already been running — and may have partially expired — by the time they engage the notification process.
What the notification must include:
- A clear description of what happened
- The types of customer information affected
- What steps the firm has taken or is taking to address the incident
- What steps customers can take to protect themselves
- Contact information for customers to get more information or ask questions
Who gets notified: Affected customers whose information was compromised. If you cannot identify specifically which customers were affected because the breach involved a system that stored all customer records, the obligation extends to all customers whose data was in that system.
Format requirements: The SEC’s small entity compliance guide specifies that notification must be provided in writing, in plain language, and by means designed to reach the affected customer — which for most advisers and broker-dealers means electronic notice to the email address on file, with written notice by first-class mail as an alternative or supplement.
Requirement 3: Service Provider Oversight and 72-Hour Notification
The amendment creates an explicit contractual obligation: covered institutions must require their service providers to notify them within 72 hours of discovering a breach of customer information held on the covered institution’s behalf.
“Service provider” in this context means any third party that accesses, maintains, processes, or otherwise handles customer information on behalf of the covered institution. This encompasses:
- Custodians and clearing firms
- Portfolio management software providers
- CRM and client portal vendors
- Document management and archiving services
- Cloud storage and infrastructure providers
- Third-party administrators
The practical implication: existing service provider agreements that predate the amendment need to be reviewed and updated to include the 72-hour notification obligation explicitly. The amendment doesn’t grandfather existing contracts — the obligation is effective now, regardless of when the contract was signed.
Many investment advisers discovered through implementation that their service provider agreements include notification provisions, but those provisions either lack a defined timeline (“promptly,” “without undue delay”) or set timelines longer than 72 hours. Both create a compliance gap.
A systematic approach: pull every service provider agreement that touches customer data, flag the notification provision in each, and identify which ones need amendment to include an explicit 72-hour requirement.
How This Differs from Regulation P — and Why It Matters
The most common misconception: assuming that Regulation P compliance covers Regulation S-P, or that they’re the same rule. They’re not.
| Regulation P | Amended Regulation S-P | |
|---|---|---|
| What it covers | Annual privacy notices; opt-out rights; limits on disclosure | Incident response programs; customer breach notification; service provider oversight |
| When it applies | Ongoing; annual notice obligation | Event-triggered; activates when a breach occurs or is likely |
| Core obligation | Provide customers privacy choices | Notify customers within 30 days of a breach |
| Trigger | Calendar (annual) | Event (breach or likely breach) |
| Service provider angle | Limits on data sharing with third parties | Requires third parties to notify you within 72 hours |
Both apply to SEC-registered investment advisers and broker-dealers. Both are independent requirements with independent obligations. Being current on your Regulation P annual notice does not mean you’re in compliance with amended Regulation S-P.
What SEC Examiners Are Checking
The SEC’s Division of Examinations has signaled that Regulation S-P compliance will be a priority focus in 2026 examinations. Based on the amendment’s structure and what similar examinations under analogous rules have surfaced, expect examiners to:
- Request the written incident response program — reviewing whether it exists, whether it addresses all required elements, and whether it’s been tested
- Ask about service provider agreements — specifically whether 72-hour notification provisions are included in contracts with vendors that hold customer data
- Review any actual incidents — if a breach or likely breach has occurred since your compliance date, examiners will assess whether notification went out within 30 days and whether the notification content was adequate
- Test employee awareness — asking staff how they would identify and escalate a potential breach, and whether they know what the firm’s notification obligations are
The enforcement pattern under NYDFS Part 500 — where 27 consent orders and over $144 million in penalties since 2021 followed from documented gaps in incident response and notification programs — gives a useful picture of where examinations of similar rules focus. See our analysis of NYDFS Part 500 enforcement patterns for what those actions signal about examiner priorities.
The Regulatory Notification Landscape for Covered Firms
Investment advisers and broker-dealers subject to Regulation S-P are often subject to additional notification requirements that run parallel to — but don’t replace — the Reg S-P obligation.
State breach notification laws in most jurisdictions require notification to affected individuals and, in some states, to state attorneys general, within defined timeframes. See our 50-state breach notification law comparison for how state timelines interact with Reg S-P’s 30-day federal requirement.
For registered investment advisers that are also broker-dealers with SEC public company reporting obligations, the SEC’s Form 8-K Item 1.05 requirement may also apply if the incident is material to the company. That’s a separate four-business-day obligation to the SEC itself — not to customers.
The practical result: a single cybersecurity incident at a dual-registrant investment adviser may trigger Regulation S-P customer notification (30 days), state breach notification law obligations (often 30-72 hours depending on state), Form 8-K materiality assessment (if the firm is a public company), and FINRA notification (for broker-dealers, within 30 days under Rule 4370).
None of these clocks pause while you figure out which other clocks are running.
So What?
The June 3, 2026 deadline has passed. If you’re a smaller registered investment adviser or broker-dealer that hasn’t yet built your incident response program, added 72-hour notification clauses to your service provider agreements, and operationalized your customer notification process, you’re not in compliance with a rule that’s actively being examined.
The path forward is concrete:
- Draft or update your written incident response program to address all required elements — detection, response, notification, recovery, and post-incident review
- Audit your service provider agreements — identify every vendor that holds customer data and verify the 72-hour notification provision is explicitly included
- Operationalize the 30-day clock — document the internal escalation path from incident detection to legal review to customer notification decision, with accountability owners at each stage
- Train your team — the program document alone is not compliance; staff need to know what to escalate and when
The Data Privacy Compliance Kit includes an incident response program template mapped to Regulation S-P’s requirements, a service provider agreement clause library with 72-hour notification language, and a customer breach notification workflow you can adapt to your firm’s specific structure.
Sources:
- SEC Press Release: SEC Adopts Amendments to Regulation S-P to Enhance Protection of Customer Information (May 16, 2024)
- SEC Small Entity Compliance Guide: Enhancements to Regulation S-P
- Holland & Knight: Regulation S-P Amendments — Compliance Deadline Approaching for Smaller Entities (May 2026)
- Goodwin: Approaching Effective Date for Regulation S-P Amendments (November 2025)
- Skadden: SEC Amends Reg S-P to Strengthen Data Breach Response Requirements and Protect Investor Information
◆ Related template
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Who does amended Regulation S-P apply to?
What triggers the 30-day customer notification clock?
What is 'sensitive customer information' under amended Regulation S-P?
How does Regulation S-P differ from GLBA Regulation P?
What does the service provider requirement mean in practice?
When did Regulation S-P compliance deadlines take effect?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
◆ Keep reading
Related posts.
Data Privacy
Connecticut's CDPA Took Effect Last Tuesday: Financial Account Data Is Now Sensitive Data, the Threshold Dropped to 35,000, and There's No 60-Day Grace Period
Connecticut's expanded CDPA took effect July 1, 2026. It lowered the applicability threshold from 100,000 to 35,000 consumers, reclassified financial account information as sensitive data requiring consent before processing or sale, eliminated the guaranteed 60-day cure period, and stripped the entity-level GLBA exemption from fintechs and nonbank lenders. Here's what changed and what your program needs to address this week.
Jul 8, 2026
Data Privacy
Biometric Data in Financial Services: The BIPA Exemption Isn't as Broad as Your Vendors Think
Financial institutions have a GLBA-based exemption from Illinois' Biometric Information Privacy Act — but courts are actively splitting on whether that exemption extends to your KYC and identity verification vendors. Two unsettled circuit questions, $100M+ in recent settlements, and what your vendor contracts need to say before the 7th Circuit decides.
Jul 5, 2026
Data Privacy
Minnesota's MCDPA Has Been Enforcing Since January — Your GLBA Exemption Doesn't Cover What You Think It Does
Minnesota's Consumer Data Privacy Act uses a data-level GLBA exemption, not an entity-level one. Non-bank fintechs have been exposed since January 31, 2026 — with no notice-to-cure period and $7,500-per-violation penalties.
Jul 2, 2026