SEC Regulation S-P Deadline Is Near. Are You Ready?
May 10, 2026
The clock is running for smaller financial firms. June 3, 2026 is the compliance deadline for the Securities and Exchange Commission's (SEC) amended Regulation S-P, and it carries real operational weight. If your firm hasn't built an incident response program, mapped your customer data, or reviewed vendor contracts for breach notification language, you're not ready.
The SEC adopted these amendments in May 2024, giving larger entities 18 months and smaller firms 24 months to comply. Larger firms, those with $1.5 billion or more in assets under management and certain broker-dealers, hit their deadline in December 2025. Now the rule is coming for smaller registered investment advisers, broker-dealers, investment companies, funding portals, and transfer agents that fall below those thresholds.
What Is Regulation S-P?
Regulation S-P was enacted by the SEC in 2000 to implement privacy provisions of the Gramm-Leach-Bliley Act, the federal law requiring financial institutions to safeguard sensitive consumer data and maintain transparent communication with clients about how their information is handled.
The regulation's name follows the SEC's internal coding conventions: "S" refers to the securities section of the Code of Federal Regulations, and "P" designates the privacy protections established under that section.
Four Requirements
The original rule established four core requirements that remain in effect today, now strengthened by the 2024 amendments.
Privacy Notices
Covered firms must deliver initial and annual privacy notices to clients explaining the firm's information-sharing practices and the customer's right to opt out of certain disclosures to non-affiliated third parties.
Opt-Out Rights
Customers have the right to limit how their information is shared with affiliates and third parties, with certain exceptions specified by law. Firms must provide a clear and functional mechanism for exercising those rights.
Safeguards Rule
Companies must adopt written policies and procedures to protect client information from unauthorized access or use. Those safeguards must address administrative, technical, and physical controls. The 2024 amendments significantly expanded this requirement by mandating a formal incident response program.
Restrictions on Disclosure
The regulation prohibits unauthorized disclosure of nonpublic personal information without customer consent, except in limited, legally specified circumstances.
What 2024 Amendments Require
The 2024 amendments modernize the safeguards framework significantly. Firms must now maintain written policies and procedures for an incident response program designed to detect, respond to, and recover from unauthorized access to customer information. The rule also extends safeguarding and disposal requirements to cover all customer information, including data held by or on behalf of the firm through third-party providers.
Compliance matters beyond avoiding enforcement actions. Regulation S-P is fundamentally about consumer protection and trust. Clients share sensitive financial information with their advisers and brokers because they trust those firms to handle it responsibly. A breach, or a firm that can't demonstrate it took reasonable steps to prevent one, erodes that trust in ways that are difficult to recover from.
Operational Infrastructure Challenges
Most smaller financial firms have some version of a privacy policy and a general sense of what data they hold. What they typically don't have is the operational infrastructure the amended rule demands.
The 30-day customer notification requirement is the most time-sensitive. When a breach involving sensitive customer information occurs, the firm has 30 days to determine what happened, assess what data was affected, and deliver a notification that explains the incident, what information was involved, and what customers can do to protect themselves. That kind of response requires pre-approved notification templates, a clear decision-making process, and assigned roles before an incident happens, not after.
The 72-hour vendor notification requirement is arguably harder. Firms must ensure their service providers are contractually obligated to notify them within 72 hours of discovering a breach involving customer data. Many large platform providers and software vendors don't include that language by default, and negotiating it in after the fact is difficult. Firms that haven't audited their vendor agreements will find this is a meaningful gap.
Where Most Smaller Firms Stand
Partial compliance is common. A firm may have a privacy notice, a general IT security policy, and a sense of which vendors touch client data. What it usually lacks is the documented, testable framework the SEC expects to see during an examination. This includes written incident response plans, vendor contracts with enforceable notification timelines, data maps that identify every location where customer information resides, and records showing staff have been trained and controls have been tested.
Map, Audit, Update
Start with data mapping. Before you can assess the impact of a breach, you must know exactly where customer information lives, including systems managed or maintained by third-party vendors.
Next, audit vendor contracts. Review every agreement with a service provider that has access to customer information and confirm whether breach notification timelines are defined. The 72-hour expectation should be explicit and enforceable.
Then build or update your incident response plan. The plan needs to define how to detect an incident, assess its scope, determine whether notification is required, and execute customer notifications within 30 days. Roles should be assigned in advance.
Finally, run a tabletop exercise. Walk through a scenario where sensitive customer information is exposed and determine, honestly, whether your firm could meet the notification deadline. The gaps that surface are the gaps an SEC examiner will find.
Download the Readiness Checklist
To help your firm assess where it stands, STACK made a Regulation S-P Readiness Checklist covering seven compliance areas: data awareness, incident response, breach notification, vendor oversight, policy updates, recordkeeping, and training. Use it as a self-assessment before the June 3 deadline.
If you work through that checklist and find gaps, a structured gap assessment with STACK can help you determine what needs to be built, updated, or documented before examiners come calling. Schedule a conversation with our team.