SEC Reg S-P Incident Response Plan

A SEC Reg S-P incident response plan is the written program that registered investment advisers, broker-dealers, and investment companies must maintain under the 2024 amendments to SEC Regulation S-P. The plan documents how the firm will detect, respond to, and recover from unauthorized access to or use of customer information, and how it will notify the individuals affected by an incident.

What the Plan Must Cover

An effective incident response plan under Regulation S-P addresses the full lifecycle of a data security incident:

  • Detection — how the firm identifies that unauthorized access to or use of customer information has occurred or is reasonably likely.
  • Assessment — procedures to determine the nature and scope of the incident and which customer information was involved.
  • Containment and recovery — steps to control the incident and restore normal operations.
  • Customer notification — the process to notify affected individuals as soon as practicable and no later than 30 days after the firm becomes aware of the incident.
  • Service provider oversight — procedures to ensure providers that hold customer information notify the firm of breaches affecting that data.

The 30-Day Notification Requirement

The defining feature of the Regulation S-P incident response requirement is the customer notification obligation. When a covered firm becomes aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, it must notify the affected individuals as soon as practicable and no later than 30 days afterward. The notice must describe the incident, the information involved, and the steps the individual can take to protect themselves.

Why the Incident Response Plan Matters for Investment & Professional Firms

For DFW registered investment advisers and wealth management firms, the incident response plan is the artifact the SEC Division of Examinations will ask to see — and it must be written, dated, and tested, not improvised after an incident. A plan that exists only as an idea is a deficiency. DKBinnovative produces the Regulation S-P incident response plan as a standard deliverable for investment-firm clients, runs tabletop exercises against it, and pairs it with the 24/7 in-house Security Operations Center that supplies the detection capability the plan depends on. For Plano, Frisco, Irving, and Las Colinas firms approaching the June 3, 2026 compliance deadline, the plan is built during standard onboarding or in an accelerated 30-day sprint.
