Regulation S-P Amendments: Compliance Deadline Approaching for "Smaller Entities"
Highlights
- The deadline for "smaller entities" to comply with the 2024 amendments to U.S. Securities and Exchange Commission (SEC) Regulation S-P is June 3, 2026.
- The SEC has indicated that compliance with the Regulation S-P amendments will be a priority in examinations conducted later this year.
- This Holland & Knight alert provides a brief overview of the rule amendments and a checklist that outlines steps that smaller entities should take prior to the June 3, 2026, compliance date, many of which will require some lead time to implement.
The June 3, 2026, deadline for "smaller entities" to comply with the 2024 amendments to U.S. Securities and Exchange Commission (SEC) Regulation S-P is fast approaching. This Holland & Knight alert provides a brief overview of the rule amendments (the Reg. S-P Amendments) and a checklist that outlines steps that smaller entities should take prior to the June 3, 2026, compliance date, many of which will require some lead time to implement. The SEC has indicated that compliance with the Reg. S-P Amendments will be a priority in examinations conducted later this year.1
Background
In May 2024, the SEC amended Regulation S-P for the first time in more than 20 years. First adopted in 2000 to implement the Gramm-Leach-Bliley Act's privacy and security requirements, Regulation S-P governs how certain financial institutions handle and protect consumer financial data.2 The rule applies to broker-dealers, funding portals, registered investment companies, SEC-registered investment advisers (RIAs),3 and, as amended, certain transfer agents (collectively, Covered Institutions).
"Larger Entities" – i.e., investment companies with more than $1 billion in assets, registered investment advisers with more than $1.5 billion in assets under management and most broker-dealers with capital of more than $500,000 – have been required to comply since December 3, 2025. All other Covered Institutions (smaller entities) must also comply beginning June 3, 2026 – less than one month away.4
The Reg. S-P Amendments introduce significant new obligations around incident response, breach notification and service provider oversight, as summarized below.
Incident Response Program and Breach Notification
The Reg. S-P Amendments will require Covered Institutions to establish written policies and procedures governing how the firm will detect, respond to and recover from incidents involving unauthorized access to customer data.5 These procedures must include methods for evaluating the scope of any security incident, determining which systems and data were affected, and implementing remedial measures.
Additionally, Covered Institutions will be required to notify affected customers as soon as practicable (and not later than 30 days) when a breach involving "sensitive customer information" occurs or is reasonably likely to have occurred.6 The rule defines "sensitive customer information" broadly to include any component of customer information, alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.7 Examples include Social Security numbers or account access credentials, but the term could also include any other information relating to an identifiable customer, such as investment history. However, notification is not required if a reasonable investigation determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. The notice must be clear and conspicuous and, in general, include details about the incident, the types of breached data and how affected individuals can respond to protect themselves, including information about checking account statements for suspicious activity and identity theft resources.
Service Provider Oversight
The Reg. S-P Amendments impose new requirements for how Covered Institutions oversee third parties that handle customer data.8 Firms must adopt written policies that are reasonably designed to require oversight of certain "service providers,"9 including to ensure such service providers take appropriate measures to 1) protect against unauthorized access to or use of customer information and 2) provide notification to the Covered Institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider (the 72-hour Notice Requirement).
In the Adopting Release, the SEC suggested that a Covered Institution could comply with this requirement by obtaining a contractual representation from each of its service providers agreeing to comply with the 72-hour Notice Requirement; however, such an approach is not strictly required. Absent that approach, the SEC suggested that a Covered Institution could obtain independent certifications and attestations from the service provider, or other reasonable assurances, that the service provider will comply with the 72-hour Notice Requirement.10 Challenges have emerged for Covered Institutions attempting to comply with this requirement, especially in seeking assurances from larger service providers, which have no obligation and little incentive to agree, that they will comply with the 72-hour Notice Requirement. Though industry participants are employing various approaches to demonstrate their best efforts to comply with this aspect of the Reg. S-P Amendments and SEC staff have acknowledged the challenge, no further SEC guidance has been issued to date.
Impact on Private Fund Advisers
As a result of definitional changes, the amendments will expand Reg. S-P's reach to include RIAs that advise solely private funds, which had not previously been subject to the regulation because they did not have any natural person "customers" of their own. The amendments add a newly defined term, "customer information," in place of "customer records and information." Under the old "customer records and information" definition, Reg. S-P only applied to the records and information of a customer of the financial institution (i.e., the RIA itself). Under the new definition, however, Reg. S-P will also apply to nonpublic personal information belonging to a customer of another financial institution. For example, collecting or using information from a limited partner in a private fund advised by the RIA would be subject to Reg. S-P because that limited partner would be a customer of the fund (not the RIA directly).
Other Changes
Covered Institutions must maintain records documenting compliance with various aspects of the new requirements of the Reg. S-P Amendments, including their written policies and procedures, records of incident investigations and breach determinations, service provider oversight arrangements and copies of any notifications provided to affected individuals.11
The Reg. S-P Amendments codify an exception to the annual privacy notice requirement – i.e., Covered Institutions that have not changed their privacy policies since the last notice was delivered and that do not share nonpublic personal information with non-affiliates (other than under specified exceptions) may forgo sending annual privacy notices. The Reg. S-P Amendments also expand the safeguarding and disposal requirements of Regulation S-P to apply to all "customer information," which for all Covered Institutions (except transfer agents) includes both customer information in the possession of a Covered Institution and customer information handled or maintained on its behalf.
Action Items
With the June 3, 2026, compliance date fast approaching, Covered Institutions that are smaller entities should consider the following action items:
- Know Your Data – Conduct a Data Mapping Exercise. Compliance starts with understanding the data the Covered Institution processes. Preparing a data map allows a Covered Institution to document 1) what categories of customer information it collects, maintains or can access, 2) where that information is stored, 3) which service providers interact with that data and 4) how data moves through the firm's infrastructure. That information can then be used to conduct risk assessments, design appropriate safeguards and otherwise address relevant compliance requirements. For example, under the new notification requirements, unauthorized access to a system that stores customer information creates a presumption that notification is required. In cases where ransomware is installed or the data residing on the system is otherwise inaccessible, a Covered Institution may not know whether its notification obligations are triggered. Conducting data mapping in advance will help the business know what systems require enhanced protections and could potentially trigger notification. Additionally, data that is no longer needed can be deleted (if it is not subject to other recordkeeping requirements), reducing the Covered Institution's overall security risk.
- Update the Firm's Policies and Procedures to Implement an Incident Response Program and Address the Scope of Regulated Data. Establish (or refine) a written incident response program that includes procedures to assess the nature and scope of any security incident involving customer information, contain and control the incident, and notify affected individuals. Ensure that the firm's policies and procedures address the other aspects of the Reg. S-P Amendments, including the customer notification requirement and other definitional changes to the rule.
- Implement Policies and Procedures for Service Provider Oversight. Develop written policies and procedures around vendor management, including onboarding, risk assessments and ongoing monitoring. Firms may find it useful to create a standardized questionnaire for service provider diligence and oversight. Where possible, include terms in or amend existing service provider agreements to address the 72-hour Notice Requirement and other protective measures. As discussed above, achieving full compliance with these requirements has proven difficult for some firms – particularly when dealing with large service providers – and creative approaches or persistent efforts may be necessary.
- Prepare Customer Notification Procedures. Create template notices and draft internal protocols so the firm can respond quickly when a breach occurs. Identify external resources the firm may need during a security incident, such as outside legal counsel and forensic investigators. Keep in mind that if the firm cannot pinpoint exactly whose data was compromised, the notification obligation extends to everyone whose sensitive customer information was stored in the affected system.
- Document Your Compliance Efforts. Retain records demonstrating compliance with the Reg. S-P Amendments, including the firm's updated policies and procedures and agreements with service providers or other due diligence materials documenting efforts to ensure compliance with the 72-hour Notice Requirement.
- Conduct Testing and Training. Offer training to employees on the Reg. S-P Amendments and updated firm policies and procedures. Consider running simulations to evaluate the firm's incident response capabilities. SEC staff have indicated that they expect Covered Institutions to maintain risk management frameworks that identify, evaluate and address data protection risks, including through periodic testing and employee education.12 These activities can also help the firm prepare for regulatory examinations.
For questions or assistance preparing for the June 3, 2026, compliance deadline, please contact your Holland & Knight relationship attorney or the authors of this alert.
Notes
1 See SEC Division of Examinations Fiscal Year 2026 Examination Priorities (November 2025). For registered broker-dealers, the Financial Industry Regulatory Authority (FINRA) reminded member firms of the upcoming June 3 deadline in its 2026 FINRA Annual Regulatory Oversight Report (FINRA Oversight Report) (Dec. 9, 2025).
2 See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (Adopting Release), SEC Rel. No. IA-6604 (May 16, 2024).
3 Exempt reporting advisers and other unregistered investment advisers may, however, be subject to similar privacy rules issued by the Federal Trade Commission.
4 For broker-dealers, FINRA has emphasized compliance with the regulatory obligations of Reg. S-P in the context of cybersecurity and the detection and prevention of cyber-enabled fraud. See FINRA Oversight Report, SEC Compliance Outreach on Regulation S-P (September 25, 2025).
5 See 17 CFR § 248.30(a)(3).
6 See 17 CFR § 248.30(a)(4).
7 See 17 CFR § 248.30(d)(9).
8 See 17 CFR § 248.30(a)(5).
9 The definition of "service provider" is broad and includes any person or entity that receives, maintains, processes or otherwise is permitted access to customer information through its provision of services directly to a Covered Institution. See 17 CFR § 248.30(d)(10).
10 See Adopting Release, supra note 2, at 76.
11 See 17 CFR § 248.30(c).
12 See also FINRA Oversight Report and Small Firm Cybersecurity Checklist.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.