Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Data Privacy

Amended Regulation S-P: The 30-Day Breach Notification Rule That Now Applies to Every Investment Adviser and Broker-Dealer

The SEC's 2024 amendment to Regulation S-P created a mandatory 30-day customer breach notification requirement for investment advisers, broker-dealers, and investment companies. Smaller entities just passed their June 3, 2026 compliance deadline. Here's what the rule actually requires — and the three operational gaps most firms haven't closed.

By Rebecca Leung · June 15, 2026 ·
Table of Contents

TL;DR:

  • The SEC’s May 2024 amendment to Regulation S-P requires registered investment advisers, broker-dealers, investment companies, and transfer agents to notify affected customers within 30 days of a breach of their nonpublic personal information.
  • Larger entities (RIAs with $1.5B+ AUM, larger broker-dealers) had a December 3, 2025 deadline. Smaller entities just hit their June 3, 2026 deadline — two weeks ago.
  • Three operational requirements are now active: a written incident response program, a 30-day customer notification process, and a requirement that service providers notify you within 72 hours of a breach.
  • Reg S-P is separate from and in addition to GLBA Regulation P (annual privacy notices) — common confusion, separate obligations.

June 3, 2026 was a quiet deadline for an important rule.

If your registered investment advisory firm manages less than $1.5 billion in AUM, that was your compliance deadline for the SEC’s amended Regulation S-P — the first time the SEC has required investment advisers and broker-dealers to have a written incident response program and notify customers within 30 days of a data breach affecting their nonpublic personal information.

The deadline came and went two weeks ago. OCIE examinations are already incorporating Regulation S-P compliance reviews, and the gap between what the rule requires and what most small and mid-size firms have built is wider than most practitioners realize.

What Is the Amended Regulation S-P and Why Now?

Regulation S-P was originally adopted in 2000 to implement privacy and safeguards requirements for SEC-registered broker-dealers, investment advisers, investment companies, and transfer agents under the Gramm-Leach-Bliley Act. The original rule required firms to adopt safeguards and limit the disclosure of customer nonpublic personal information — but it predated most of the threat landscape that practitioners deal with today.

The SEC adopted amendments on May 16, 2024, adding three substantial new requirements to an existing framework that had been largely unchanged for nearly 25 years:

  1. A mandatory written incident response program
  2. A 30-day customer notification obligation when customer information is compromised
  3. A service provider oversight requirement, including a 72-hour notification from your service providers

The amendments apply to the same covered institutions as the original rule: SEC-registered broker-dealers, registered investment advisers, registered investment companies (including mutual funds), registered transfer agents, and funding portals.

Who Is — and Isn’t — Covered

This is a common source of confusion because multiple rules use similar language for different populations.

Covered by amended Regulation S-P:

  • SEC-registered investment advisers (regardless of AUM)
  • SEC-registered broker-dealers
  • Registered investment companies (mutual funds, closed-end funds, ETFs)
  • Registered transfer agents
  • SEC-registered funding portals

Not covered by amended Regulation S-P:

  • Banks and bank holding companies — they have analogous obligations under their primary federal banking regulators’ rules, including the GLBA Safeguards Rule and GLBA Regulation P requirements
  • State-registered investment advisers — not SEC-registered, not in scope, though state-level analogues may apply
  • Exempt reporting advisers — generally not covered by the full Regulation S-P framework

If you’re a dual-registrant (registered as both a broker-dealer and an investment adviser), you’re covered on both sides. The requirements apply to all your customer-facing activities.

Requirement 1: Written Incident Response Program

Covered institutions must adopt written policies and procedures for an incident response program. The amendment specifies what that program must address:

  • Assessment of which information systems and data assets contain customer information
  • Detection controls to identify unauthorized access or use
  • Defined response procedures covering containment, investigation, and remediation
  • Recovery procedures to restore systems and data
  • Customer notification procedures (see below)
  • Post-incident review and program improvement processes

The written program requirement is foundational — the 30-day notification obligation and the service provider notification requirement both depend on having documented processes that your team can execute under pressure. An incident response program that exists only in the CISO’s head, or in a decade-old document that predates cloud adoption and remote work, does not satisfy the amendment.

SEC examination staff reviewing Reg S-P compliance will ask to see the written program, will review whether it addresses all required elements, and will assess whether firm personnel are trained on it. A common exam gap is a program that looks adequate on paper but has never been tested — no tabletop exercise, no walkthrough with the notification process, no evidence that the 30-day clock has been operationalized.

Requirement 2: The 30-Day Customer Notification

When a breach of customer information occurs — or is “reasonably likely” to have occurred — covered institutions must notify affected customers as soon as practicable, and no later than 30 days from awareness of the event.

What triggers the clock: Awareness that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. This is not a confirmed-breach standard. You don’t need a completed forensic investigation before the clock starts. The moment a reasonable assessment concludes that customer information was likely accessed without authorization, the 30-day window opens.

This matters operationally. Firms that wait for a full forensic report before characterizing an event as a potential breach will routinely find that their 30-day window has already been running — and may have partially expired — by the time they engage the notification process.

What the notification must include:

  • A clear description of what happened
  • The types of customer information affected
  • What steps the firm has taken or is taking to address the incident
  • What steps customers can take to protect themselves
  • Contact information for customers to get more information or ask questions

Who gets notified: Affected customers whose information was compromised. If you cannot identify specifically which customers were affected because the breach involved a system that stored all customer records, the obligation extends to all customers whose data was in that system.

Format requirements: The SEC’s small entity compliance guide specifies that notification must be provided in writing, in plain language, and by means designed to reach the affected customer — which for most advisers and broker-dealers means electronic notice to the email address on file, with written notice by first-class mail as an alternative or supplement.

Requirement 3: Service Provider Oversight and 72-Hour Notification

The amendment creates an explicit contractual obligation: covered institutions must require their service providers to notify them within 72 hours of discovering a breach of customer information held on the covered institution’s behalf.

“Service provider” in this context means any third party that accesses, maintains, processes, or otherwise handles customer information on behalf of the covered institution. This encompasses:

  • Custodians and clearing firms
  • Portfolio management software providers
  • CRM and client portal vendors
  • Document management and archiving services
  • Cloud storage and infrastructure providers
  • Third-party administrators

The practical implication: existing service provider agreements that predate the amendment need to be reviewed and updated to include the 72-hour notification obligation explicitly. The amendment doesn’t grandfather existing contracts — the obligation is effective now, regardless of when the contract was signed.

Many investment advisers discovered through implementation that their service provider agreements include notification provisions, but those provisions either lack a defined timeline (“promptly,” “without undue delay”) or set timelines longer than 72 hours. Both create a compliance gap.

A systematic approach: pull every service provider agreement that touches customer data, flag the notification provision in each, and identify which ones need amendment to include an explicit 72-hour requirement.

How This Differs from Regulation P — and Why It Matters

The most common misconception: assuming that Regulation P compliance covers Regulation S-P, or that they’re the same rule. They’re not.

Regulation PAmended Regulation S-P
What it coversAnnual privacy notices; opt-out rights; limits on disclosureIncident response programs; customer breach notification; service provider oversight
When it appliesOngoing; annual notice obligationEvent-triggered; activates when a breach occurs or is likely
Core obligationProvide customers privacy choicesNotify customers within 30 days of a breach
TriggerCalendar (annual)Event (breach or likely breach)
Service provider angleLimits on data sharing with third partiesRequires third parties to notify you within 72 hours

Both apply to SEC-registered investment advisers and broker-dealers. Both are independent requirements with independent obligations. Being current on your Regulation P annual notice does not mean you’re in compliance with amended Regulation S-P.

What SEC Examiners Are Checking

The SEC’s Division of Examinations has signaled that Regulation S-P compliance will be a priority focus in 2026 examinations. Based on the amendment’s structure and what similar examinations under analogous rules have surfaced, expect examiners to:

  1. Request the written incident response program — reviewing whether it exists, whether it addresses all required elements, and whether it’s been tested
  2. Ask about service provider agreements — specifically whether 72-hour notification provisions are included in contracts with vendors that hold customer data
  3. Review any actual incidents — if a breach or likely breach has occurred since your compliance date, examiners will assess whether notification went out within 30 days and whether the notification content was adequate
  4. Test employee awareness — asking staff how they would identify and escalate a potential breach, and whether they know what the firm’s notification obligations are

The enforcement pattern under NYDFS Part 500 — where 27 consent orders and over $144 million in penalties since 2021 followed from documented gaps in incident response and notification programs — gives a useful picture of where examinations of similar rules focus. See our analysis of NYDFS Part 500 enforcement patterns for what those actions signal about examiner priorities.

The Regulatory Notification Landscape for Covered Firms

Investment advisers and broker-dealers subject to Regulation S-P are often subject to additional notification requirements that run parallel to — but don’t replace — the Reg S-P obligation.

State breach notification laws in most jurisdictions require notification to affected individuals and, in some states, to state attorneys general, within defined timeframes. See our 50-state breach notification law comparison for how state timelines interact with Reg S-P’s 30-day federal requirement.

For registered investment advisers that are also broker-dealers with SEC public company reporting obligations, the SEC’s Form 8-K Item 1.05 requirement may also apply if the incident is material to the company. That’s a separate four-business-day obligation to the SEC itself — not to customers.

The practical result: a single cybersecurity incident at a dual-registrant investment adviser may trigger Regulation S-P customer notification (30 days), state breach notification law obligations (often 30-72 hours depending on state), Form 8-K materiality assessment (if the firm is a public company), and FINRA notification (for broker-dealers, within 30 days under Rule 4370).

None of these clocks pause while you figure out which other clocks are running.

So What?

The June 3, 2026 deadline has passed. If you’re a smaller registered investment adviser or broker-dealer that hasn’t yet built your incident response program, added 72-hour notification clauses to your service provider agreements, and operationalized your customer notification process, you’re not in compliance with a rule that’s actively being examined.

The path forward is concrete:

  1. Draft or update your written incident response program to address all required elements — detection, response, notification, recovery, and post-incident review
  2. Audit your service provider agreements — identify every vendor that holds customer data and verify the 72-hour notification provision is explicitly included
  3. Operationalize the 30-day clock — document the internal escalation path from incident detection to legal review to customer notification decision, with accountability owners at each stage
  4. Train your team — the program document alone is not compliance; staff need to know what to escalate and when

The Data Privacy Compliance Kit includes an incident response program template mapped to Regulation S-P’s requirements, a service provider agreement clause library with 72-hour notification language, and a customer breach notification workflow you can adapt to your firm’s specific structure.


Sources:

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Who does amended Regulation S-P apply to?
Amended Regulation S-P applies to 'covered institutions': registered broker-dealers, registered investment advisers, registered investment companies, registered transfer agents, and SEC-registered funding portals. It does not apply to banks — banks have separate safeguard obligations under GLBA and their primary federal banking regulator's rules. State-registered investment advisers are also not covered by the SEC's Reg S-P amendment, though they may face analogous state-level requirements.
What triggers the 30-day customer notification clock?
The clock starts when you become 'aware' that unauthorized access to or use of customer information has occurred or is 'reasonably likely' to have occurred. The standard is awareness, not confirmed forensic certainty — you don't have to complete a full investigation before the clock starts. Within 30 days of reaching that awareness threshold, affected customers must be notified. Waiting for an investigation to conclude before characterizing the event as a breach does not pause the clock.
What is 'sensitive customer information' under amended Regulation S-P?
The amendment uses the term 'customer information,' which encompasses any record containing nonpublic personal information (NPI) about a customer — whether in paper, electronic, or other form. This includes financial account information, Social Security numbers, account numbers, credentials, and any other information that, if accessed without authorization, could be used to access a financial account or cause harm to the customer.
How does Regulation S-P differ from GLBA Regulation P?
They cover different things. Regulation P (17 CFR Part 248, Subpart A) addresses privacy notices — annual notices to customers about your privacy practices and opt-out rights. Amended Regulation S-P (17 CFR Part 248, Subpart F) addresses incident response and breach notification — what you must do when customer information is compromised. Both apply to the same covered institutions, but they are independent requirements with independent obligations.
What does the service provider requirement mean in practice?
Under amended Regulation S-P, covered institutions must contractually require their service providers — any third party that maintains, processes, or otherwise holds customer information on the covered institution's behalf — to notify the covered institution within 72 hours of discovering a breach of that customer information. This means reviewing existing service provider agreements to ensure the 72-hour notification obligation is explicitly included, and adding it to new agreements going forward.
When did Regulation S-P compliance deadlines take effect?
Larger entities — including registered investment advisers with $1.5 billion or more in assets under management and larger broker-dealers — had a compliance deadline of December 3, 2025. Smaller entities — including registered investment advisers with less than $1.5 billion in AUM and smaller broker-dealers — had a compliance deadline of June 3, 2026. Both deadlines have now passed; all covered institutions are required to be in compliance.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Data Privacy Compliance Kit

Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.