Smaller Investment Advisers Staring Down June Deadline on Reg S-P

With a June 3 compliance deadline approaching, registered investment advisers with less than $1.5 billion in assets under management should be taking steps now to ensure they can meet the SEC’s amended requirements under Regulation S-P.

The commission adopted certain noteworthy amendments to Regulation S-P on May 16, 2024, which marked the first significant amendments to Regulation S-P since it was adopted by the SEC in 2000.

In its adopting release, the SEC stated that the amendments were necessary “to provide enhanced protection of customer or consumer information and help ensure that customers of covered institutions receive timely and consistent notifications in the event of unauthorized access to or use of their information.” Then-SEC Chair Gary Gensler noted in his statement regarding the amendments that since the initial adoption of Regulation S-P, “… the nature, scale and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”

The amendments became effective Aug. 2, 2024, and while “larger entities” (i.e., investment advisers with at least $1.5 billion in assets under management, investment companies with at least $1 billion in net assets and larger broker-dealers) faced a compliance date of Dec. 3, 2025, with respect to the amendments, “smaller entities,” such as registered investment advisers with less than $1.5 billion in assets under management (smaller investment advisers), must comply with the amendment by June 3.

Next steps for smaller investment advisers

With the June 3 compliance deadline fast approaching, smaller investment advisers should make sure that they take adequate steps to seek to comply with the amendments to Regulation S-P, including reviewing their current policies and procedures to determine whether they adequately cover the amendments; updating policies and procedures where gaps in compliance have been identified; reviewing vendor contracts to determine whether amendments will be needed (or written assurances requested); and training staff where appropriate.

The SEC’s Examinations Division has specifically identified Regulation S-P compliance as a 2026 examination priority, so smaller investment advisers should prioritize these efforts now to ensure readiness for potential examination.

Compliance

A Busy Month at the SEC: What Compliance Teams Need to Do Now

by Jennifer L. Gaskin

March 25, 2026

The SEC packed a month’s worth of major developments into just a few weeks — and compliance teams are sorting through what it all means. CCI editorial director Jennifer L. Gaskin breaks down what’s changed, what hasn’t and where your attention should go.

Read moreDetails

Certain material requirements for smaller investment advisers

1. Incident response program

The amendments require smaller investment advisers to “develop, implement and maintain written policies and procedures that include an incident response program that is reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information.” The program must include procedures to:

• Assess the nature and scope of any incident involving unauthorized access to or use of customer information.
• Take appropriate steps to contain and control the incident to prevent further unauthorized access or use.
• Clearly and conspicuously notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, which must be provided as soon as reasonably practicable, but not later than 30 days after the adviser becomes aware of the unauthorized access or use or reasonable likelihood of unauthorized access or use. (Sensitive customer information is “any component of customer information[,] alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” Examples include Social Security numbers, driver’s license numbers, passport numbers, taxpayer identification numbers, biometric records, financial account numbers in combination with access codes or security questions and user names combined with passwords, access codes or mother’s maiden name. Seeking to minimize duplicative notices, the amendments only require a smaller investment adviser to provide notice “where unauthorized access to or use of sensitive customer information has occurred at the covered institution or one of its service providers that is not itself a covered institution.”)

The SEC intentionally provided flexibility in how smaller investment advisers design their incident response programs, recognizing that “[c]overed institutions need the flexibility to develop policies and procedures suited to their size and complexity and the nature and scope of their activities.”

2. Service provider oversight

Smaller investment advisers also must establish, maintain and enforce written policies and procedures that are reasonably designed to require oversight of service providers who have access to customer information. This includes:

• Due diligence in selecting service providers.
• Ongoing monitoring of service provider performance.
• Ensuring that service providers notify the smaller investment adviser within 72 hours after becoming aware that a breach has occurred that results in unauthorized access to customer information.

3. Recordkeeping requirements

Smaller investment advisers must make and maintain written records documenting their compliance with Regulation S-P, including:

• Copies of the smaller investment adviser’s written policies under both the safeguards and disposal portions of the amendments.
• Service provider agreements or records documenting oversight of service providers.
• Records of each instance of unauthorized access detected and actions taken with respect to such unauthorized access.
• Documentation of any determinations made that customer notification was not required.