SEC Regulation S-P

SEC Regulation S-P is the U.S. Securities and Exchange Commission rule that requires registered investment advisers, broker-dealers, and investment companies to adopt written policies and procedures that protect the privacy and security of customer information. Originally adopted in 2000 to implement the privacy provisions of the Gramm-Leach-Bliley Act, it was significantly amended in 2024 to add a mandatory incident response program and a requirement to notify affected customers within 30 days of a data breach.

How SEC Regulation S-P Works

Regulation S-P has historically rested on two core components:

  • The Safeguards Rule — covered firms must adopt written policies and procedures reasonably designed to protect customer records and information against anticipated threats, unauthorized access, and unauthorized use.
  • The Disposal Rule — firms must take reasonable measures to properly dispose of consumer report information so it cannot be read or reconstructed.

The 2024 amendments added a third pillar: a written incident response program. Covered firms must now have documented procedures to detect, respond to, and recover from unauthorized access to or use of customer information — and to notify the individuals affected.

The June 3, 2026 Compliance Deadline

The SEC adopted the amended Regulation S-P on May 16, 2024. The compliance dates are tiered by firm size:

  • Larger entities — compliance required by December 3, 2025.
  • Smaller entities — compliance required by June 3, 2026. For registered investment advisers, a “smaller entity” is generally an adviser with less than $1.5 billion in assets under management.

By their applicable deadline, covered firms must have a written incident response program, the capability to notify affected customers as soon as practicable and no later than 30 days after becoming aware that unauthorized access or use occurred (or is reasonably likely to have occurred), and documented oversight of service providers that receive customer information.

Why SEC Regulation S-P Matters for Investment & Professional Firms

For DFW registered investment advisers, wealth managers, and family offices, Regulation S-P is not a background rule — it is examined directly. The SEC Division of Examinations reviews a firm’s written information security program, its incident response plan, and its evidence of service-provider oversight during routine examination cycles. A firm that cannot produce dated, written, examination-ready documentation has a deficiency exposure regardless of whether a breach has occurred.

DKBinnovative has supported DFW investment advisers through multiple SEC Division of Examinations cycles since 2004. The written information security program, the Regulation S-P incident response plan, the 30-day customer notification capability, and the vendor due diligence files are produced as a standard deliverable — not a separate consulting engagement. For Plano, Frisco, Irving, and Las Colinas firms approaching the June 3, 2026 deadline, an accelerated 30-day onboarding sprint compresses the work into the regulatory minimum.

Frequently Asked Questions

Who must comply with SEC Regulation S-P?
Regulation S-P applies to SEC-registered broker-dealers, investment companies, registered investment advisers, and transfer agents. Any of these firms that collect nonpublic personal information about customers is a covered institution.

What is the SEC Regulation S-P deadline?
Under the 2024 amendments, compliance is required by December 3, 2025 for larger entities and by June 3, 2026 for smaller entities. For registered investment advisers, a smaller entity is generally an adviser with less than $1.5 billion in assets under management.

What does SEC Regulation S-P require after a data breach?
A covered firm must notify affected individuals as soon as practicable, and no later than 30 days after the firm becomes aware that unauthorized access to or use of sensitive customer information occurred or is reasonably likely to have occurred. The notification must describe the incident and the data involved, and explain what the individual can do to protect themselves.

Sales Number
(888) 295-0677

Support Number
(888) 352-4832

1701 Legacy Dr, #1450
Frisco, TX 75034