By E.J. Yerzak

Winning the Super Bowl doesn’t happen on game day – it happens months earlier in the film room, the weight room, and on the practice field. The same holds true for the SEC’s recent amendments to Regulation S-P. And while larger advisers were busy preparing toward the end of 2025, smaller firms (those registered investment advisers with under $1.5B in assets under management) mostly got to sit on the sidelines and watch. Now that 2026 is upon us, these smaller advisers need to start suiting up.  

Back in 2024, the SEC adopted significant amendments to Reg. S-P, effectively modernizing the long-standing Safeguards Rule to reflect today’s cybersecurity and data-sharing risks. While larger firms with over $1.5B in AUM were required to comply by December 3, 2025, smaller advisers now only have until June 3, 2026, to get their own programs into compliance. The deadline may feel far off, but the significant scope of the changes means firms should begin planning now. 

At a high level, the amendments expand Regulation S-P beyond distributing privacy notices. The revised rules are now primarily cybersecurity rules and introduce explicit requirements for incident response, breach notification, and vendor oversight. 

Your Incident Response Playbook 

Firms must adopt written incident response policies and procedures designed to detect, respond to, and recover from incidents involving unauthorized access to or use of customer information. Customer information is broadly defined and can include personally identifiable information of individuals, whether maintained on a firm’s network or in various cloud-based systems, such as a CRM. For private fund advisers, customer information can also include personally identifiable information (PII) of employees who may be investors in the funds they advise. 

The rule imposes a presumption that a cybersecurity incident involving sensitive customer information is reportable to clients and investors. Firms can overcome this presumption, but only if they have procedures and systems in place to quickly investigate and determine the scope of the incident. Notice of breach is required as soon as practicable, but no later than 30 days after the firm becomes aware of the incident – unless firms can determine after a reasonable investigation that the data hasn’t been, and isn’t likely to be, used in a way that causes “substantial harm or inconvenience.”  

This represents a meaningful shift from prior expectations and will require advisers to formalize decision-making, escalation, and documentation around security events. It requires a well-rehearsed playbook, clear roles, and documented decision-making. The middle of a breach is not the time you want to be calling an audible. 

The Offensive Line: Enhanced Vendor Oversight 

Just as quarterbacks rely on their protection, advisers rely on third-party service providers to do what those providers do best, which lets advisers focus on their core tasks. The Reg. S-P amendments require firms to take reasonable steps to ensure that vendors with access to customer information maintain appropriate safeguards. In practice, that often means reassessing vendor risk, updating contracts, and understanding which providers can quickly report incidents that could affect your clients. 

The amendments also place greater responsibility on firms to oversee third-party service providers that have access to customer information. Advisers, even smaller advisers who may have fewer resources to devote to cyber, will need to take reasonable steps to ensure vendors maintain appropriate safeguards. Advisers will need to assess whether these vendors are able to provide notice of breaches within 72 hours.  

While some RIAs are seeking to include such provisions in vendor agreements where feasible, the final rule stopped short of requiring changes to vendor contracts. Other advisers are addressing this requirement by enhancing their vendor due diligence – and in some cases, deciding it’s safer to outsource that due diligence to a company experienced in what to ask and how to interpret responses to properly assess risk. 

Strong Defense Wins Championships 

Regulation S-P now more clearly requires firms to maintain administrative, technical, and physical safeguards tailored to their size, complexity, and risk profile. While scalability remains a core principle, informal processes will be harder to defend under examination. The revised rule requires specific policies and procedures to be implemented, as well as additional books and records to be maintained.  

What Smaller Firms Should Do Now 

June 3, 2026, is a few short months away. Firms should begin assessing current policies, vendor relationships, and incident response capabilities. Gaps often surface around breach notification timelines, vendor contracts, and internal roles and responsibilities during an incident. 

Start planning now. Early preparation will reduce compliance risk and help avoid rushed, reactive changes as the deadline approaches. The good news is that larger advisers have already gone through this, and we can learn from their respective approaches. The bad news is that game time is just around the corner. 

Firms that prepare now will be far better positioned when it’s time to take the field and tackle a cybersecurity incident head-on. 

SEC Hosting Outreach Event on Regulation S-P for Small Firms 

On January 22, 2026, the SEC will be hosting an outreach event to assist small firms in complying with the new requirements under Regulation S-P. The event will be held in person and virtually. On the day of the event, the SEC homepage will post a link to watch the event. For more information, please see the SEC press release.