SEC Reg S-P compliance for RIAs who want to be ready, not scrambling
The amended Safeguards Rule now requires a written incident response program, breach notification procedures, vendor oversight policies, and 5 years of recordkeeping. BlackSheep maps each requirement and tracks where you stand, so you know before the examiner does.
$249/month · All features included · No credit card to start
June 3, 2026: Compliance deadline for RIAs under $1.5B AUM
5: New requirements added by the 2024 amendments
30 days: Maximum time to notify customers after a breach
What the amended Reg S-P actually requires
Five things. All mandatory. Here's what each one means and how BlackSheep handles it.
1. Written incident response program
What the SEC expects
You need written policies and procedures to detect, respond to, and recover from unauthorized access to customer information. Not a template you downloaded. An actual program that fits your firm.
How BlackSheep handles it
BlackSheep has a structured incident response module with workflow tracking. Log incidents, assign response steps, document the investigation, and record the outcome. Everything is in one place when the examiner asks.
2. 30-day customer breach notification
What the SEC expects
If you discover unauthorized access to sensitive customer information, you have 30 days to notify affected individuals. Unless your investigation determines they're not reasonably likely to be harmed. That call has to be documented too.
How BlackSheep handles it
BlackSheep starts the 30-day clock when you log an incident. It prompts you to document the harm assessment, tracks whether notification is required, and creates a record of the incident.
3. 72-hour vendor breach notification
What the SEC expects
Your contracts with service providers who access customer data must require them to notify you within 72 hours of discovering a breach. If your existing vendor agreements don't include this language, they need to be updated.
How BlackSheep handles it
BlackSheep's vendor module shows which vendors access customer data, whether their contracts include the 72-hour clause, and when their last review was. Vendors missing the clause get flagged.
4. Vendor oversight policies and due diligence
What the SEC expects
You need written policies for selecting and monitoring every service provider that touches customer information. Annual assessments, documented due diligence, actual oversight. A vendor spreadsheet won't cut it.
How BlackSheep handles it
Track every vendor, their risk level, contract status, and assessment history. BlackSheep reminds you when reviews are due and tracks any security or business continuity incidents with the vendor record.
5. Five-year recordkeeping
What the SEC expects
All compliance records must be retained for at least 5 years and be readily accessible for the first 2. That includes your policies, incident logs, vendor assessments, training records, and breach determinations.
How BlackSheep handles it
Everything you do in BlackSheep is retained automatically with timestamps, user attribution, and version history. Export a full audit package whenever you need one.
Reg S-P compliance checklist
Where does your firm stand? Here's what the SEC expects to see when they show up.
Incident Response Program
- Written incident response policies and procedures
- Designated incident response team or individual
- Procedures to detect unauthorized access
- Procedures to respond and contain incidents
- Procedures to recover and restore operations
- Documented testing of your incident response plan
Breach Notification
- 30-day customer notification procedure
- Pre-drafted notification templates
- Documented harm assessment process
- Records of breach determinations (including non-notifications)
Vendor Oversight
- Inventory of all service providers with customer data access
- Written vendor selection and due diligence procedures
- 72-hour breach notification clause in all vendor contracts
- Annual vendor risk assessments
- Ongoing monitoring of vendor compliance
Recordkeeping
- 5-year retention of all compliance records
- Records accessible within first 2 years
- Version history of all policies and procedures
- Audit trail of compliance activities
Privacy
- Updated privacy notice reflecting current data practices
- Customer opt-out procedures (if sharing with non-affiliates)
Not sure how many of these you can check off? BlackSheep shows you in about 10 minutes.
Does this apply to my firm?
Yes, you need to comply if:
- You're registered with the SEC as an investment adviser
- You're a solo RIA (firm size doesn't matter)
- You have any assets under management
- You use any third-party service providers
- You store or access customer information electronically
This doesn't apply if:
- You're only state-registered (not SEC-registered)
- You're an exempt reporting adviser (ERA)
That said, state regulators often adopt similar requirements. NYDFS 500 already has its own cybersecurity rules for NY-licensed firms.
The timeline
Where we are and what's coming.
May 2024: SEC adopts amendments to Regulation S-P
August 2024: Amendments become effective
December 3, 2025: Compliance deadline for large entities ($1.5B+ AUM)
January 2026: SEC hosts hybrid event for small firms on Reg S-P
March 2026: You are here. 10 weeks left.
June 3, 2026: Compliance deadline for smaller entities (under $1.5B AUM)
Post-June 2026: SEC examination sweeps for newly compliant smaller firms
Common questions about Reg S-P
How much does Reg S-P compliance cost?
Depends on how you do it. Generic templates are free or close to it, but SEC examiners can tell when you downloaded your incident response plan. Full legal counsel runs $8,000 to $15,000+. BlackSheep costs $249/month and gives you the platform to build and maintain your program, with templates that match what regulators want to see.
Do solo RIAs really need all of this?
Yes. The SEC gave smaller firms more time (June 2026 vs December 2025), but the requirements are the same. A solo practitioner needs the same written incident response program, vendor oversight policies, and breach notification procedures as a 50-person firm. The scope of each document scales with firm size, but skipping them isn't an option.
What's the difference between Reg S-P and Reg S-ID?
Reg S-P is about protecting customer information: safeguards, breach notification, vendor oversight. Reg S-ID is about detecting and preventing identity theft (the "Red Flags Rule"). They're separate regulations with separate requirements. Both are SEC examination priorities for 2026.
What happens if we don't comply by June 3?
The SEC has been clear that Reg S-P and cybersecurity are examination priorities for 2026. Expect exam sweeps after the deadline. Deficiencies can lead to risk alerts, deficiency letters, and enforcement actions. The SEC has already brought cases against firms with weak cybersecurity programs.
We already have an incident response plan. Is that enough?
Maybe. The amended rule requires specific procedures for detection, response, recovery, and customer notification. It also requires documented testing. If your IRP was written before the 2024 amendments, it probably doesn't cover the 30-day customer notification requirement or the 72-hour vendor notification clause.
What about our vendors? Do we need to renegotiate every contract?
Any vendor that has access to customer information needs a contract with a 72-hour breach notification clause. If your existing agreements don't include that language, yes, they need to be updated. BlackSheep tracks which vendors have the clause and which don't, so you know who to follow up with.
Reg S-P isn't the only framework on the board
If your firm operates in multiple jurisdictions or wants a stronger cybersecurity baseline, these are worth knowing.
The SEC Reg S-P deadline is June 3, 2026. That's about 2 months away.
Consultants charge $25,000–$50,000 to get you compliant. BlackSheep costs $249/month and comes with templates and guided workflows already built. See where your gaps are in 30 minutes.
No implementation project. No consultants. Set up in an afternoon, not a quarter.
30-day money-back guarantee. If it doesn't save you time in the first month, you pay nothing.