Skip to content
2026

Now taking on 4 new clients this year — white-glove onboarding, month to month.

Book a call
HomeBlogCybersecurity

SEC Reg S-P Deadline Passed: What Small RIAs Do Now

Registered investment adviser working securely at a laptop in a modern wealth management office

If you run a smaller registered investment advisory firm, the SEC's amended Regulation S-P already applies to you. The compliance deadline for advisers managing under $1.5 billion was June 3, 2026, and it has passed. If your firm still does not have a written incident response program, a 30-day customer breach notification process, and documented vendor oversight, you are behind the rule right now. The good news is that catching up is a defined project, not a mystery.

By The NetSys Group Team. The NetSys Group has delivered managed IT, cybersecurity, and cloud services since 1998. Our engineers hold degrees in electrical and computer engineering and are certified Microsoft and Cisco instructors, serving businesses across NY, NJ, CT, PA, and Southwest Florida.

What does the amended Regulation S-P actually require?

The amendments turn a set of general privacy expectations into four concrete obligations. Your firm needs a written incident response program that covers how you detect, contain, and recover from unauthorized access to client data. You have to notify affected clients as soon as practicable and no later than 30 days after you learn of a qualifying breach. You need written policies for overseeing service providers, including a contractual requirement that vendors report security incidents to you within 72 hours. And you have to keep records of all of this so an examiner can see it.

None of those four is optional, and the recordkeeping piece is the one firms tend to forget. A control that works but is never written down looks, to an examiner, exactly like a control that does not exist.

Why are RIAs a target in the first place?

An advisory firm holds a dense concentration of exactly what attackers want: Social Security numbers, account numbers, dates of birth, and money in motion. A twelve-person RIA can custody hundreds of millions of dollars, which makes it a high-value target with a small security team. That mismatch is the whole problem. The same forces that make small businesses easy to hit apply doubly to a firm that moves client funds, which is why we wrote earlier about the controls that actually stop attacks on small organizations.

We missed the June deadline. How exposed are we?

Missing the date does not trigger an automatic penalty, but it does change the conversation if you are examined or if you suffer a breach. An examiner who finds no incident response program will treat that as a current deficiency, not a late homework assignment. And in the event of an actual incident, the absence of a documented response plan and a notification process is what turns a contained problem into a reportable failure. The practical answer is to close the gaps quickly and document the date you did so.

What should a small firm do first?

Start with a written incident response program, because it is both required and the thing you are most likely to need under pressure. It should name who is in charge during an incident, how you contain access, when the clock starts on the 30-day client notice, and how you record what happened. Next, inventory your vendors and confirm your contracts include the 72-hour incident reporting language. Then map where client data actually lives, because you cannot protect what you have not located. Firms that skip that mapping step almost always discover client data sitting in a place no policy covered.

Most smaller RIAs do not have an internal security team to run this, and they do not need to build one. A managed IT and security partner can stand up the incident response program, handle the vendor documentation, and give you the compliance records an examiner will ask for, usually faster than an internal effort that competes with everyone's day job.

Does this replace our custodian's security?

No. Your custodian secures its own systems, but Regulation S-P applies to your firm and the client information your firm holds and handles. Email, your CRM, portfolio management software, spreadsheets on a laptop, and the file server in your office are all in scope regardless of how good your custodian's platform is. The obligation follows your data, not the biggest institution in your supply chain.

Frequently asked questions

Does Regulation S-P apply to state-registered advisers?

The SEC amendments directly bind SEC-registered advisers. State-registered firms fall outside SEC jurisdiction for this rule, but state regulators frequently use the federal standard as a benchmark, so building to it is the safe choice even if you are state-registered today.

How fast do we have to notify clients after a breach?

As soon as practicable, and no later than 30 days after your firm becomes aware of a qualifying incident involving sensitive customer information. The 30 days is a ceiling, not a target. Regulators expect firms that can notify sooner to do so.

What has to be in the vendor contract?

You need written policies to oversee service providers, and your agreements should require third parties that touch client data to notify you of a security incident within 72 hours. That gives your firm time to meet its own 30-day client notification window.

Can a managed IT provider make us compliant?

A provider cannot make compliance decisions for your firm, but it can build and operate most of the required controls: the incident response program, monitoring, vendor documentation, and the records an examiner reviews. Your compliance officer still owns the program. The provider does the engineering.

How long does it take to catch up?

A focused firm with outside help can stand up a defensible incident response program and vendor documentation in a few weeks. The variable is data mapping. Firms with client data scattered across personal devices and old file shares take longer, because there is more to find and lock down.

If your firm missed the June 3 deadline or is not sure where it stands, the fastest way to find out is a look at your actual environment. Schedule a complimentary risk assessment and we will show you exactly which Regulation S-P gaps are open and what it takes to close them.

Reading is free. So is knowing where you stand.

Turn insight into action.

Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.