As of June 3, 2026, the compliance deadline under the 2024 amendments to Regulation S-P has arrived for so-called smaller entities regulated by the Securities and Exchange Commission (SEC). This category includes registered investment advisers with less than $1.5 billion in assets under management, certain broker-dealers, and other SEC-regulated entities that previously benefited from an extended transition period. With the deadline now in effect, these firms are subject to the same enhanced data protection obligations that applied to larger entities, and immediate verification of compliance is essential.

The amended Regulation S-P significantly expands the obligations governing how covered firms safeguard customer information. Affected entities must now maintain a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The amendments also impose a clear customer notification requirement: where sensitive customer information has, or is reasonably likely to have, been accessed or used without authorization, affected customers must be notified as soon as practicable, and in any event within 30 days of the firm becoming aware of the incident.

In addition to internal incident response capabilities, covered firms must implement reasonable procedures to oversee service providers that receive, maintain, or otherwise are permitted to access customer information. This includes obtaining written assurances that service providers will protect such information and will provide timely notice of any breach affecting it. Firms are also required to document their compliance with these obligations, supporting both internal accountability and regulatory review.

The SEC has publicly indicated that Regulation S-P will be a priority focus in upcoming examinations, signaling heightened audit and enforcement risk for firms that have not yet operationalized the amended requirements. Smaller entities that delayed implementation pending the June 3, 2026 deadline should now confirm that policies, vendor contracts, training, and incident response playbooks reflect the new standards in practice, not merely on paper. Documentation of these efforts will be central to demonstrating compliance during any SEC examination.

This alert is provided for general informational purposes only and does not constitute legal advice. Firms with questions about their specific obligations under Regulation S-P should consult qualified counsel for tailored guidance based on their individual facts and circumstances.

