If you're the chief compliance officer at a small RIA, or more likely the advisor who ended up with "CCO" on your business card because someone had to, you need to mark June 3, 2026 on your calendar. That's the compliance date for the SEC's amended Regulation S-P for smaller firms.
Larger entities (for investment advisers, those with $1.5 billion or more in AUM) already hit their compliance date on December 3, 2025. Now it's your turn, and while four months might feel like plenty of time, the new requirements are more involved than you might expect.
Regulation S-P has been the SEC's data privacy and information security rule for financial firms since 2000. But the 2024 amendments represent the most significant update to the rule in over two decades. The SEC recognized that cybersecurity threats have evolved dramatically — and that the old safeguards weren't cutting it.
For small RIAs, the changes boil down to three big new obligations: a written incident response program, client notification requirements, and service provider oversight.
You now need a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. This isn't a suggestion; it's a regulatory requirement. Your program must include procedures to:
If your current cybersecurity "plan" lives in your head or consists of "call the IT guy," that's not going to cut it anymore.
Here's the requirement that's going to cause the most anxiety: once you become aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, you must notify affected individuals as soon as practicable, and no later than 30 days after becoming aware. The only way out of sending notice is to determine, after a reasonable investigation, that the sensitive customer information has not been and is not reasonably likely to be used in a way that would cause substantial harm or inconvenience.
That's a tight window, especially for a two-person shop juggling client meetings, portfolio management, and now incident response. The clock starts ticking when you become aware of the incident, not when you finish investigating it, so you need to investigate quickly and thoroughly and document the basis for whatever conclusion you reach.
Most small RIAs rely heavily on third-party vendors — custodians, CRM platforms, portfolio management software, cloud storage. Under the amended rule, you need written policies ensuring that your service providers:
This means reviewing vendor contracts and, in many cases, renegotiating terms to include incident notification provisions. The rule's standard is that a service provider must notify you as soon as possible, and no later than 72 hours after becoming aware of a breach resulting in unauthorized access to a customer information system it maintains. If your custodian or tech vendor doesn't have that commitment in writing, you have a gap to close. Keep in mind that you can contract with a service provider to send client notices on your behalf, but the obligation to notify remains yours.
On top of the operational requirements, you need to maintain records of:
The SEC wants a paper trail. If you get examined and can't produce these documents, the conversation is going to go sideways quickly.
For a small firm, compliance doesn't require hiring a dedicated cybersecurity team. But it does require deliberate effort:
The SEC's 2026 examination priorities explicitly call out Regulation S-P compliance for newly registered and smaller advisors. Translation: examiners are going to be looking for this. The Division of Examinations has signaled that cybersecurity isn't an afterthought — it's a core exam area.
Small RIAs have historically flown under the radar on cybersecurity requirements. That era is ending. The amended Regulation S-P creates clear, enforceable expectations, and the June 2026 deadline gives you no room to claim you didn't know.
Keeping track of regulatory deadlines like this is exactly why we built Pulsio. Instead of scouring SEC press releases and FINRA notices, Pulsio monitors regulatory sources daily, classifies changes based on your firm's profile, and delivers plain-English impact briefs straight to your inbox. Sign up for free alerts at pulsio.ai so the next compliance deadline doesn't catch you off guard.
Sources: SEC Division of Examinations 2026 Priorities · Kroll: Navigating New Regulation S-P Amendments · FINRA Cybersecurity Advisory on Regulation S-P · Katten: New Rules for Investment Advisers