55 Days Until Reg S-P: What Your RIA Needs to Do Right Now

What happens on June 3

On June 3, 2026, the SEC's amended Regulation S-P rules take full effect for investment advisers registered with the Commission. After that date, SEC examiners can — and will — examine your firm against the new requirements. This is not a suggestion or a best-practice recommendation. It is a regulatory obligation with examination and enforcement behind it.

The amended rule significantly expands what was already required under the original Reg S-P (the "Safeguards Rule"). The original rule required firms to have written policies for protecting customer information. The amendment adds specific requirements for incident response, breach notification, vendor oversight, and documentation that most firms have never addressed.

If you have been treating this as a "we'll get to it" item, the window for that approach has closed.

What you need in place by June 3

The amended Reg S-P requires registered investment advisers to have the following documented and operational — not drafted, not planned, but in place:

A written incident response program

This is the headline addition. Your firm must have a written program designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program must include specific procedures for:

• Assessing the nature and scope of any incident involving customer information
• Containing and controlling the incident to prevent further unauthorized access
• Notifying affected individuals when warranted
• Notifying the SEC and other relevant authorities as applicable

A generic incident response template pulled from the internet will not satisfy this. The program must be tailored to your firm's systems, data flows, and operational reality. If you use a custodian like Schwab or Fidelity, your IR plan needs to account for how breaches involving custodial data are handled. If you use a cloud portfolio management system, your IR plan must address that vendor's role in incident notification.

Documented safeguards for customer information

Your written information security program must include administrative, technical, and physical safeguards appropriate to the size and complexity of your firm. This means:

• Administrative safeguards: designated security personnel, employee training, risk assessments, vendor management policies
• Technical safeguards: access controls, encryption, monitoring, multi-factor authentication, endpoint protection
• Physical safeguards: facility access controls, workstation security, device disposal procedures

Vendor notification clauses

If a service provider experiences a breach involving your customers' information, you are still responsible for notifying those customers. The amended rule requires firms to have contractual provisions with service providers that ensure the firm is notified of any breach. Review your vendor agreements. If they do not include breach notification obligations running to your firm, you need to amend them before June 3.

Breach notification procedures

You must be able to notify affected individuals "as soon as reasonably practicable" but no later than 30 days after becoming aware that unauthorized access to their information has occurred or is reasonably likely to have occurred. Your notification must include specific information: the nature of the incident, the data involved, and contact information for your firm. You need templates, processes, and contact lists ready before an incident happens — not after.

The typical timeline with a consultant

If you hire a compliance consultant or cybersecurity firm to build this program from scratch, here is what the engagement typically looks like:

• Week 1-2: Scoping, engagement letter, kickoff meetings
• Week 3-4: Security assessment and gap analysis
• Week 5-6: Policy drafting (WISP, IR plan, vendor management)
• Week 7-8: Vendor contract review and amendment
• Week 9-10: Testing, tabletop exercises, staff training
• Week 11-12: Final documentation, gap closure, evidence compilation

Total timeline: 2-3 months. Total cost: $15,000-$30,000 for a small to mid-size RIA. And that assumes the consultant has availability right now, which — with every RIA in the country facing the same deadline — is not a safe assumption.

You do not have 2-3 months. You have 55 days. Even if you started a consulting engagement today, you would be finishing the assessment phase around the time the deadline hits.

The BlackSheep timeline: 1 week

BlackSheep was built for exactly this scenario. The platform includes RIA-specific policy templates, automated security scanning, guided incident response planning, and organized evidence documentation — all mapped to Reg S-P requirements.

Firms typically complete their full compliance program within 5-7 business days. Not because corners are cut, but because the templates are pre-built for RIA-specific workflows, the scanning is automated, and the documentation framework is already organized around what examiners actually ask for.

The cost is $249 per month. That is less than 2% of what most consulting engagements charge for the same deliverables.

Your 4-week countdown plan

You have roughly 8 weeks until June 3. Here is how to use them, even starting today:

Week 1: Scan and policies

• Run a security scan of your firm's external-facing infrastructure — website, email, DNS, SSL configurations
• Complete your Written Information Security Program (WISP) using RIA-specific templates
• Document your current safeguards — what you already have in place for access controls, encryption, MFA, and endpoint protection
• Identify gaps between your current state and Reg S-P requirements

Week 2: Incident response plan and vendor review

• Build your written incident response program with procedures for detection, containment, assessment, and notification
• Create breach notification templates that meet the 30-day notification requirement
• Inventory your service providers and review contracts for breach notification clauses
• Flag vendor agreements that need amendment and begin outreach

Week 3: Testing and documentation

• Run a tabletop exercise — walk through a simulated breach scenario with your team to validate the IR plan
• Document employee training on security policies and incident reporting
• Compile your evidence binder: policies, scan results, training records, vendor agreements, IR procedures
• Verify all documentation is dated, versioned, and stored where you can produce it for examiners

Week 4: Gap closure and evidence

• Remediate any critical findings from your security scan
• Follow up on vendor contract amendments still outstanding
• Do a final walkthrough of your program against the amended Reg S-P checklist
• Ensure your designated security person can explain the program, its components, and where everything is documented

That still leaves you 4 weeks of buffer before June 3. Use it for refinement, not panic.

What happens if you are not ready

There are three levels of consequences, and they compound:

Deficiency findings

The SEC's examination program will be looking at Reg S-P compliance. If examiners find that you lack a written IR program, have no documented safeguards, or cannot produce evidence of your compliance efforts, you will receive a deficiency letter. Deficiency letters require a written response and remediation within a specified timeframe. They also go on your examination record and can influence the frequency and scope of future exams.

Enforcement risk

Significant gaps — especially if combined with an actual breach — can escalate from examination findings to enforcement referrals. The SEC has been increasing cybersecurity enforcement actions since 2023. A firm that experiences a breach without a written IR program in place is a straightforward enforcement target.

Client notification failures

This is the practical risk that matters most. If a breach occurs and you do not have notification procedures in place, you cannot notify clients within the required 30-day window. Late or botched notifications damage client trust, create legal liability, and generate the kind of public attention that no RIA wants. The regulation exists because the consequences of a breach without a response plan are significantly worse than the consequences of a breach with one.

The bottom line

June 3 is not moving. The consulting backlog is real. The requirements are specific and documented. If you have not started your Reg S-P compliance program, you are behind — but you are not out of time. You need to stop planning and start building this week.