On June 3, 2026, the U.S. Securities and Exchange Commission’s amended regulation on the privacy of consumer financial information and safeguarding of customer information becomes mandatory for smaller registered investment advisers, broker-dealers, investment companies, transfer agents, and funding portals. The amendments to Regulation S-P require a written incident response program, 30-day notification to affected individuals after a covered data event, contractual 72-hour breach reporting obligations on service providers, and an expanded definition of customer information that captures nonpublic personal data regardless of source.
The SEC Division of Examinations has named Regulation S-P compliance a 2026 priority, and firms that miss the deadline face examination findings and enforcement exposure rather than first-time warning letters.
The SEC adopted amendments to Regulation S-P, the set of privacy rules promulgated under the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act of 2003, in May 2024. The Commission set a two-track compliance schedule. Larger entities, meaning fund complexes with $1 billion or more in net assets and registered investment advisers with $1.5 billion or more in assets under management, came into compliance on December 3, 2025. Smaller entities have until June 3, 2026.
The original Regulation S-P, in effect since 2000, required covered firms to adopt policies and procedures to safeguard customer records and to provide privacy notices. The amendments modernize the rule to address current data-security practice. The structure tracks state breach notification laws and recent SEC cybersecurity rulemakings, but with thresholds and timing that differ from both.
What the SEC Is Amending
The amendments made five core changes.
- Every covered firm must maintain a written incident response program designed to detect, respond to, and recover from unauthorized access to or use of customer information.
- Covered firms must notify affected individuals within 30 days after determining that sensitive customer information has been or is reasonably likely to have been accessed or used without authorization. The 30-day individual notification clock runs from the determination of unauthorized access, not from incident discovery, but the rule sharply limits room to defer the determination itself. Firms operating on an "investigate first, decide later" cadence need to formalize the determination step.
- The definition of customer information now reaches nonpublic personal information held by the firm regardless of whether the firm itself collected it, capturing data inherited through subadviser relationships, third-party administrators, and similar arrangements.
- Covered firms must oversee service providers under written contracts that require the provider to notify the firm of a breach affecting customer information within 72 hours. The 72-hour vendor reporting obligation is a contract problem, not a policy problem. A firm with a polished written incident response program and a vendor agreement that does not require 72-hour notice is technically out of compliance the morning of June 3, even if no incident has occurred.
- Disposal and recordkeeping requirements expand to match.
The amendments overlap with several other financial-sector cybersecurity regimes already in force. Public-company registrants operate under Item 1.05 of Form 8-K and the four-business-day materiality disclosure rule. State insurance regulators in most states have adopted the National Association of Insurance Commissioners' Insurance Data Security Model Law. The New York Department of Financial Services cybersecurity regulation, 23 NYCRR Part 500, continues to set the high-water mark for covered banking and insurance entities.
Amended Regulation S-P does not preempt any of these other regulations, so covered firms need to map each obligation to each incident scenario.
Practical Implications for Investment Advisers, Broker-Dealers, and Others
Firms that have not finalized compliance should focus on three workstreams:
- Confirm the written incident response program is approved, current, and addresses the rule’s elements with firm-specific detection, response, recovery, and notification procedures. A policy that recites the rule without describing firm process will not satisfy the requirement.
- Inventory service-provider contracts that touch customer information. Identify agreements that do not include a 72-hour breach reporting clause and either execute amendments or document the remediation plan and timeline. Tracking that gap is itself a Regulation S-P recordkeeping obligation.
- Train the personnel who would make the "reasonably likely to have been accessed" determination. The 30-day notification clock runs from that determination, so the roles, escalation triggers, and documentation expectations need to be settled before an incident, not during one.
The SEC has signaled that Regulation S-P will sit alongside Form ADV cybersecurity disclosures and the Form 8-K rule as a routine examination focus. Firms with cybersecurity gaps in any one of these regimes should expect questions in all three.
For more information, please contact us or your regular Parker Poe contact.