SEC Reg S-P deadline:
June 3, 2026
Every SEC-registered RIA must comply with the amended Regulation S-P by June 3, 2026. Written incident response program, breach notification procedures, vendor oversight, and five years of recordkeeping. No extensions. No exceptions.
14-day free trial. No credit card. Audit-ready in 30 days or we extend free.
SEC enforcement actions
Non-compliance leads to deficiency letters, fines, and public enforcement orders.
Exam priority
Cybersecurity is a standing SEC exam priority. Examiners are actively reviewing Reg S-P compliance.
No extensions
Large entities had a Dec 2025 deadline. Small RIAs get until June 3, 2026. There will not be a third date.
What the amended Reg S-P requires
The May 2024 amendments added teeth. Here's what your firm needs in place by June 3, 2026.
Written Incident Response Program
A documented plan for detecting, responding to, and recovering from security incidents involving customer information. Not a template sitting in a drawer. A real, tested program.
30-Day Customer Breach Notification
Notify affected customers within 30 days of discovering a breach. The clock starts ticking the moment you know. Documentation of what you sent, when, and to whom.
72-Hour Vendor Breach Notification
Service providers must notify you within 72 hours of a breach affecting your customer data. You need contractual provisions and a process to act on vendor notifications.
Vendor Oversight & Due Diligence
Written policies for selecting, monitoring, and managing service providers. Due diligence before you hire them. Ongoing monitoring after. Contractual protections.
5-Year Recordkeeping
Maintain records of your compliance activities for at least 5 years. Policies, incident logs, vendor assessments, training records, breach notifications. All of it.
Written Information Security Policies
Administrative, technical, and physical safeguards designed to protect customer records and information. Updated to reflect the 2024 amendments, not your 2019 version.
Quick check: are you ready?
If you can't check all of these, you have work to do before June 3.
Can't check them all? Most firms can't. That's exactly why BlackSheep exists.
From zero to audit-ready in 30 days
BlackSheep walks you through every requirement, step by step.
Day 1
Set up your firm and pick your frameworks
Onboarding wizard walks you through firm details and enables Reg S-P. Your dashboard populates with every requirement.
Week 1
Generate your policies from templates
Pre-written information security policy, incident response plan, vendor management policy. Customize for your firm, get sign-offs.
Week 2
Work through your controls
Mark each Reg S-P requirement as implemented, in progress, or not started. Add notes documenting how you comply. See your score climb.
Week 3
Set up vendor oversight and training
Import your vendors, conduct due diligence, ensure contractual protections. Send security training to your team.
Week 4
Run your first annual report
Generate an audit-ready compliance report. Everything documented, timestamped, and exportable. Ready for the examiner.
Free: SEC Reg S-P compliance checklist
27-point checklist covering every amended Reg S-P requirement. Know exactly where your firm stands.
No spam. Unsubscribe anytime.
49 days left
The SEC doesn't care about your timeline.
They care about June 3, 2026.
Most firms start 90 days before the deadline and scramble. You can start today and be done in 30. $249/month. Every framework. Unlimited users.
No credit card required. Audit-ready in 30 days or we extend free.