
By now most RIAs under $1.5 billion in AUM know the June 3 compliance date exists. Fewer have spent time thinking carefully about what “compliant” actually means when an examiner walks in, and the gap between those two things is where firms get into trouble.
Large advisers found out in December. The ones that struggled weren’t the ones that ignored the rule. They were the ones that built programs on paper and discovered under examination pressure that the paper didn’t reflect what the firm could actually do. A written incident response plan that had never been tested. Vendor addenda drafted but never countersigned. An incident log that documented breaches but not the assessments that concluded no notification was required.
These aren’t uncommon failures. They’re the predictable output of treating a compliance deadline as a documentation exercise rather than an operational one. With four weeks left, smaller advisers have the advantage of seeing what broke for larger firms, and the disadvantage of having less time and fewer resources to build something that avoids the same mistakes.
What the Rule Actually Requires, Specifically
Reg S-P has been the baseline data protection rule for financial firms for years. What changed in 2024 was the operational specificity. The amendments didn’t rewrite the philosophy; they replaced general obligations with concrete requirements that now have teeth in examinations.
Client notification as soon as practicable, and no later than 30 days, after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Vendor breach notification to your firm within 72 hours, enforced through contract language and oversight, not goodwill. Written documentation of every security event assessed, including the ones where the conclusion was that no client notification was required. Data safeguards covering all nonpublic personal information your firm touches, including data received from other financial institutions. Five-year recordkeeping, with the first two years readily accessible.
Every one of those requirements has a documentation corollary, something that needs to exist in writing that an examiner can review. The firms with gaps in their programs almost always have the same gap: the compliance activity happened, but the evidence of it wasn’t captured in a form that would hold up under scrutiny.
The Vendor Contract Problem Is Time-Sensitive for a Reason
For any firm that hasn’t completed vendor contract revisions, this is the item that needs to move today, not because it’s the most intellectually demanding part of the work, but because it’s the part most likely to miss the deadline regardless of how early everything else gets done.
Your custodian, portfolio management platform, CRM, document storage, and any other provider handling client nonpublic personal information need contracts that explicitly require them to notify your firm within 72 hours of becoming aware of a breach. Standard agreements almost never include this language. Adding it requires going back to the vendor, which means waiting on their legal review cycle.
Some vendors have standard Reg S-P addenda ready to send within days. Others take two to three weeks of back-and-forth before anything gets countersigned. You don’t know which category your vendors fall into until you ask, and four weeks leaves room for one round of review, not two.
The other version of this problem that shows up in examinations: the initial vendor scope was too narrow. A firm mapped its obvious data handlers (the custodian, the portfolio platform) and didn’t look closely at the tools sitting adjacent to client data. The email platform. The scheduling system that syncs with client records. The document management tool that stores signed agreements. If your initial Reg S-P vendor inventory was completed quickly under deadline pressure, it’s worth a second pass before an examiner does it for you.
The Document Nobody Writes Down
Ask most CCOs whether their firm documented its Reg S-P security incidents and most will say yes. Ask them whether they documented the incidents that didn’t result in client notification and the answer changes.
The amended rule requires a written record of every security event assessed: not just the ones that triggered the 30-day notification clock, but the ones where the conclusion was that notification wasn’t required. The rationale for that determination needs to be on file: who assessed the event, what criteria were applied, what the conclusion was, and why.
This requirement catches firms that have otherwise built reasonable programs. The incident happened. It was assessed carefully. The right call was made. Nobody wrote it down because the outcome was a non-event and non-events don’t feel like compliance obligations.
Under examination, an undocumented assessment looks identical to no assessment at all.
Go back through every security event or anomaly your firm has dealt with since you began building toward June 3. For each one, confirm there’s a written record. For firms still building their program, start the habit now: every assessment gets documented, regardless of outcome.
Two Firms, Same Deadline, Different Risks
The risk profile heading into June 3 looks different depending on where a firm is in the process.
For firms that have been building since early in the year, the risk isn’t the obvious gaps. It’s the small failures that surface when someone asks the wrong question during an examination. Vendor addenda that were drafted and sent but never fully executed. An incident response plan that exists on paper but hasn’t been walked through by the people who would actually run it. A vendor oversight log that was created at onboarding and hasn’t been updated since. These are the gaps worth spending the next four weeks closing.
Run a tabletop exercise. Walk through a realistic scenario where a vendor notifies you of unauthorized access to client data, the 30-day clock starts at that notification (not at the end of your investigation), and the determination process needs to run. Then find out where the plan breaks before an examiner does. Pull the vendor contract files and confirm every addendum is countersigned, not just sent. Review the incident log and confirm every assessed event has a documented rationale, not just a resolution.
For firms that are starting late, the goal is not a perfect program. It is a defensible one. The incident response program can be drafted this week. The vendor contract outreach can begin today. The incident log is a document or a spreadsheet that starts running the moment you create it.
The minimum viable program that will hold up under examination has three things: a written incident response procedure with named roles and specific timelines, executed vendor agreements with 72-hour breach notification language, and an incident log with documented assessments. Get those three things in place and documented before June 3. Build on them after.
What won’t work: waiting until the final week to begin, then producing a program that was clearly assembled under deadline pressure rather than operated throughout the compliance period. Examiners read the metadata as much as the documents.
The Maintenance Layer Large Advisers Missed
The firms that had the most difficult December examinations were not the ones that built inadequate programs. Several had strong programs, with thorough documentation, updated vendor contracts, and functional incident response plans. What broke was the maintenance layer.
Reg S-P compliance isn’t a deadline deliverable that stays current on its own. Vendors get added. Data handling practices change. Staff turnover means the person listed as the breach response coordinator in December isn’t the same person in June. The program that was accurate when it was filed drifts from reality if nobody is actively maintaining it.
For smaller advisers building toward June 3, this is worth thinking about now rather than after the deadline. The oversight work that needs to run continuously, including periodic vendor reviews, updated incident logs, annual policy reviews, and ongoing staff training, is easier to build as a habit from the start than to retrofit onto a static document six months later.
The firms that come out of Reg S-P examinations cleanly in 2026 and 2027 won’t be the ones with the most comprehensive programs at the point of the deadline. They’ll be the ones whose programs kept running after it.
Smartria’s Vendor Oversight Dashboard, incident response documentation, and Reg S-P Compliance Tracker give firms the infrastructure to build toward June 3 and keep running past it without managing every piece manually. If you’re closing the final gaps or building the maintenance layer, we can help you get there before the deadline.