
Large advisers cleared their Reg S-P deadline in December 2025. If your firm manages under $1.5 billion in AUM, your date is June 3, 2026 and the gap closes faster than it looks once you start working through what’s actually required.
The amendments touch incident response, vendor contracts, data handling, and recordkeeping. None of it is simple to retrofit, especially without a dedicated compliance team. What follows is a plain-language breakdown of what the rule requires and where smaller firms most often run into problems.
What Changed Under Amended Regulation S-P?
Reg S-P isn’t new; it’s been the baseline data protection rule for financial firms for years. What changed in 2024 was the specificity. The amendments layered in concrete operational requirements: response timelines, vendor obligations, documentation standards. For a lot of smaller RIAs, these are areas they’ve never had to formalize before.
In practice, this means:
- detecting and responding to unauthorized data access,
- notifying affected clients within 30 days of a confirmed breach,
- holding third-party vendors to a 72-hour breach disclosure standard,
- safeguarding all NPI, including data received from other financial institutions, and
- keeping written records of breach events for five years, including incidents that were reviewed but didn’t result in notification.
For most smaller RIAs, the 72-hour vendor requirement and the documentation obligations are where the heaviest lift lands. Both are worth understanding before you start building.
What Compliance Actually Looks Like
This isn’t primarily an IT problem; it’s an operational one. It pulls in your compliance function, vendor relationships, legal agreements, and client communication processes, often at the same time.
1. A Written Incident Response Program
Your firm needs a documented plan: not a general policy statement, but a working procedure. Who flags a potential breach? Who makes the call on whether it triggers notification? How does a client communication get drafted and sent within 30 days? These are the questions the plan needs to answer, in writing, before an incident happens.
This is also where things break for a lot of firms: the plan needs to address incidents that were assessed and determined not to require notification. A written rationale for that call is part of the compliance record, not just an absence of action. If your current response plan predates 2024, it’s worth a close read against the amended requirements.
2. Vendor Contracts
Many smaller RIAs rely on third-party providers (custodians, portfolio platforms, CRM tools, cloud storage) that handle client data on their behalf. Under amended Reg S-P, what those vendors do with that data is your problem.
Contracts need to require vendors to notify you within 72 hours of a breach, define their obligations around data protection and incident response, and support ongoing oversight, not just a one-time review at onboarding. In practice, this means going back through existing agreements and either renegotiating or adding formal addenda. Most firms underestimate how long that process takes when vendors have their own legal review cycle.
3. Data Safeguards and Disposal
The amended rules cover all NPI your firm handles, including data received from other financial institutions. You’ll need to document how that data is stored, who can access it, and how it’s disposed of when it’s no longer needed.
4. Recordkeeping
Everything material needs to be documented and retained: five years in total, with two years readily accessible. That covers breach events, client notifications, assessment rationales for non-notifiable incidents, and resolution records. If your documentation currently lives across email threads and spreadsheets, this is the area that needs the most attention before June 3.
Consequences of Missing the Deadline
The SEC doesn’t scale enforcement based on firm size. Being found materially non-compliant during an exam (a missing incident response program, vendor contracts without breach clauses, gaps in recordkeeping) can result in formal deficiency findings, enforcement proceedings, and mandated remediation. For firms that have experienced a breach, inadequate notification protocols carry additional exposure.
Smaller advisers sometimes assume they’re below the examination radar. That’s a riskier assumption than it used to be. Data protection has been a named SEC examination priority for several years running, and Reg S-P is now a specific focus area.
Where Most Firms Get Stuck
Most gaps come from underestimating what the rule requires, not from ignoring it.
Vendor contracts. Standard agreements rarely include explicit 72-hour breach notification language. Without it, you’re exposed even if your vendors are otherwise solid.
No documentation of non-events. If a potential breach was reviewed and didn’t trigger notification, the SEC still expects a written rationale on file. A lot of firms miss this entirely.
Treating it as a one-time build. Reg S-P requires ongoing vendor monitoring, periodic policy reviews, and documentation that stays current. Filing away an initial setup isn’t enough.
Running out of runway. Renegotiating vendor contracts, updating internal policies, training staff, and standing up recordkeeping systems all take longer when run in parallel, especially when vendors have their own review timelines.
A Practical Compliance Roadmap
At 90 Days Out
Start with a gap assessment focused on three areas: incident response program, vendor contracts, and recordkeeping. Pull the relevant contract language from your key vendors and review it against the 72-hour standard. Identify who internally owns each piece; this is often where smaller firms realize they need outside help.
At 60 Days Out
Draft or update your Written Incident Response Program. Vendor contract revisions should start here too; don’t leave them for the 30-day window. Vendor legal teams have their own review timelines, and it’s easy to lose two or three weeks waiting. Alongside that, map out what NPI you actually hold, where it originates, and how it flows through your systems. Your recordkeeping framework should also be set up now, not when you need to use it.
At 30 Days Out
Run a tabletop exercise with the staff involved in breach response. Walk the client notification process end-to-end and confirm draft templates are ready to go. Make sure all vendor contract revisions are fully executed, not just in progress.
Final Week
Lock incident log formats and confirm audit documentation is complete and accessible. Verify your five-year retention setup is running. Walk through staff roles in the breach-to-notification sequence one more time. The practical test: if the SEC asked to see your program tomorrow, what could you show them?
How Smartria Helps
Most smaller firms don’t have the time or team to build this from scratch. Smartria is built to handle exactly this, tracking requirements, storing documentation, and keeping everything exam-ready in one place.
- Reg S-P Compliance Tracker: Deadlines, action items, and ownership in one view
- Prebuilt Incident Response Kits: Customizable templates for 30-day notifications and breach documentation
- Vendor Oversight Dashboard: Contracts, breach notification windows, and oversight logs in one place
- Audit-Ready Recordkeeping: Documentation compiled automatically to meet the SEC’s five-year retention standard
Whether you’re starting now or stress-testing what you’ve already built, Smartria gives smaller firms a clear path to demonstrable readiness.
The Bottom Line
June 3 is a hard deadline. The SEC has made data protection an active examination focus, and Reg S-P is now a named priority. Firms that can show a functioning incident response program, updated vendor contracts, and complete documentation will be in a stronger position than those still catching up when an examiner calls.
The work is manageable, but it takes more time than it appears to. Starting now is the difference.