The June 3, 2026 deadline marks the second and final compliance phase for the amended U.S. Securities and Exchange Commission (SEC) Regulation S-P, the federal privacy rule governing how broker-dealers, investment advisers and other financial institutions handle nonpublic personal information. Larger entities passed their own deadline on December 3, 2025 and smaller entities now face the same obligations — written incident response programs, customer breach notification within 30 days, service provider oversight and expanded recordkeeping requirements.
For registered investment advisers (RIAs) with less than $1.5 billion in assets under management, smaller broker-dealers, smaller investment companies, funding portals and certain transfer agents, the rule reaches further than the original 2000 version of Regulation S-P. The 2024 amendments introduce a federal minimum standard for data breach notification, codify a vendor management framework and — through a redefinition of “customer information” — extend the rule to registered investment advisers that previously fell outside its scope, including those that advise only private funds.
Continue reading below to discover what your financial service firm needs in place after June 3 to comply with S-P:
Smaller Entities Must Comply with S-P by June 3, 2026
The 2024 amended rule applies to all “covered institutions,” a category that includes broker-dealers, funding portals, investment companies, investment advisers registered with the SEC and transfer agents registered with the SEC or another appropriate regulatory agency. The June 3, 2026 deadline for this amendment applies to “smaller entities” within those categories, including:
- RIAs with less than $1.5 billion in assets under management
- Investment companies with less than $1 billion in net assets
- Broker-dealers below the larger-entity capital threshold defined in the SEC’s final rule
- Funding portals
- Transfer agents not meeting the larger-entity tier
The expanded scope also captures investment advisers that advise solely private funds. Under the previous version of Regulation S-P, those firms typically did not have natural-person “customers” of their own and so were outside the rule. The amended definition of “customer information” now covers nonpublic personal information belonging to a customer of another financial institution — meaning a limited partner in a private fund advised by the firm now falls within the rule’s reach.
Regulation S-P Written Incident Response Program
Every covered institution must develop, implement and maintain written policies and procedures that include an incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information. The program must include procedures for three distinct phases. Assessment requires the firm to evaluate the nature and scope of any incident and identify which customer information systems and data categories were affected. Containment and control requires steps to limit further unauthorized access. Notification requires alerting affected individuals when sensitive customer information was or is reasonably likely to have been, accessed without authorization.
The notification “clock” starts when the firm becomes aware that unauthorized access has occurred or is reasonably likely to have occurred — not when the investigation concludes. Notice to affected individuals must be provided as soon as practicable and no later than 30 days from that awareness trigger. The only basis for delay is a written determination from the U.S. Attorney General that notice would pose a substantial risk to national security or public safety. A firm that determines, after a reasonable investigation, that the information has not been and is not reasonably likely to be used in a way causing substantial harm or inconvenience may forgo notice — though that determination itself must be documented.
Service Provider Oversight and the 72-Hour Notice Rule
The amendments impose new requirements for how covered institutions oversee third parties with access to customer information. Written policies and procedures must be reasonably designed to require oversight of service providers through both initial due diligence and ongoing monitoring. The policies must ensure that service providers take appropriate measures to protect customer information and notify the covered institution as soon as possible, but no later than 72 hours, after becoming aware of a breach affecting a customer information system the provider maintains.
The SEC has suggested that a covered institution can satisfy this requirement through a contractual representation from each service provider, though the rule does not strictly mandate written contracts. Where contractual commitments are not feasible, independent certifications, attestations or other reasonable assurances may suffice. A covered institution can also delegate the customer notification task to a service provider by written agreement, but the ultimate responsibility for ensuring notice is provided remains with the covered entity.
Recordkeeping Requirements
Covered institutions must make and maintain written records documenting compliance. The required records include the written policies and procedures themselves, documentation of any detected unauthorized access and the response to it, the basis for any determination that notification was not required, written documentation from the U.S. Attorney General related to any delayed notification, service provider oversight policies and agreements and policies addressing the proper disposal of customer and consumer information.
Retention periods range from three to six years depending on the covered entity type. Registered investment advisers must retain records for five years from the end of the fiscal year of the last entry, with the first two years in an easily accessible location. Investment companies retain records for six years with the first two years easily accessible. Broker-dealers and transfer agents each must retain records for three years.
Disposal Rule and Annual Privacy Notice Changes
The amendments align the Safeguarding and Disposal rules, so both now also cover customer information as well as consumer information, closing a gap that previously left some categories of nonpublic personally identifiable information (PII) outside the disposal requirement. Covered institutions must maintain written policies and procedures addressing how customer and consumer information is properly disposed of to protect against unauthorized access or use.
The amendments also codify an exception to the annual privacy notice requirement. A covered institution is not required to deliver an annual privacy notice if it shares nonpublic personal information with nonaffiliated third parties only under existing exceptions to the opt-out and notice requirements and has not changed its privacy policies and practices since the most recent notice was provided. Firms relying on the exception should confirm that both conditions remain satisfied before forgoing the annual notice.
SEC Examination Priority for 2026
The SEC Division of Examinations published its fiscal year 2026 examination priorities in late 2025 and identified Regulation S-P compliance as a focus area. Firms that have not completed the policy updates, vendor oversight framework and recordkeeping infrastructure by June 3 face the prospect of examination findings tied directly to the new requirements. FINRA has reinforced the same message for broker-dealer member firms, both in its 2026 Annual Regulatory Oversight Report and in cybersecurity advisories issued in late 2025.
The practical takeaway is that the deadline functions as the floor, not the target. Firms that treat June 3 as a project milestone — written policies signed off, service provider agreements amended, incident response procedures tested through a tabletop exercise, recordkeeping schedules updated — are in a stronger position for an examination than firms that meet the technical requirements without operational follow-through.
Prepare for SEC Regulation S-P with SWK Technologies
Meeting the June 3, 2026 deadline is largely a documentation and operational exercise that includes having written policies, oversight procedures, incident response plans and the recordkeeping processes documenting all of this in place; however, it also inherently requires having a cybersecurity program to document in the first place. If your firm needs to assess the viability of your existing security controls – or worse, building them from scratch – SWK Technologies will help you determine what you need to meet compliance for SEC Regulation S-P and other requirements.
Contact SWK here to learn more about our cybersecurity assessment and discover how we can help your team scale compliance efforts for changing data security regulations.