Regulation S-P Amendments: Implementation and Key Compliance Considerations for Small Firms
The SEC’s 2024 amendments to Regulation S-P expand safeguarding and privacy requirements for broker-dealers, investment advisers, and transfer agents. Small firms have until June 3, 2026 to comply, which includes adopting enhanced policies, incident response programs, and timely customer breach notifications.
Small firms face new operational challenges that require planning, vendor coordination, and policy updates. The SEC has issued a small firm advisory that provides guidance, some of which is discussed below.
1. Compliance Date and Implementation Timeline
Effective Date
The amendments became effective August 2, 2024.
Compliance Date
Small firms have until June 3, 2026, to comply. Larger entities (for investment advisers, those with $1.5 billion or more in assets under management) had a compliance date of December 3, 2025.
2. Required Amendments to Policies and Procedures
The amended rule requires firms to develop, adopt, and maintain written policies and procedures reasonably designed to:
Safeguard Customer Information
- Protect against unauthorized access to customer records.
- Ensure secure disposal of customer information.
- Address risks associated with remote work, mobile devices, and cloud environments.
Address Oversight of Service Providers
- Establish due diligence standards for vendors with access to customer data.
- Require contractual assurances of data protection.
- Monitor vendor compliance on an ongoing basis.
Create an Incident Response Program
Firms must adopt a written incident response program that includes:
- Detection and assessment of unauthorized access.
- Containment and mitigation steps.
- Procedures for notifying affected individuals.
3. Customer Breach Notification
Unless the firm determines, after a reasonable investigation, that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience, it must take these actions:
- Notify affected individuals "as soon as practicable," but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
- Provide clear, plain language disclosures describing the incident and recommended protective steps.
4. Policy and Procedure Considerations for Small Firms
Small firms should tailor their approach to their size, complexity, and technology environment. Key considerations include:
Performing a Risk Assessment
- Identify systems that store or transmit customer information.
- Evaluate vulnerabilities in email, CRM systems, trading platforms, and cloud storage.
- Document risk mitigation strategies and update them annually.
Access Controls Implementation
- Implement role‑based access.
- Require multifactor authentication for systems containing customer data.
- Review access rights periodically.
Employee Training
- Provide annual cybersecurity and privacy training.
- Include phishing awareness, secure data handling, and incident reporting protocols.
Record-Keeping
- Maintain documentation of policies, vendor assessments, incident response actions, and breach notifications.
- Ensure retention schedules align with SEC requirements.
5. Vendor Management and Data Mapping Requirements
The amendments emphasize that firms remain responsible for safeguarding customer information even when handled by third‑party vendors.
Vendor Oversight Elements
- Initial due diligence: Evaluate vendor cybersecurity controls, SOC reports, certifications, and incident response capabilities.
- Contractual requirements: Include confidentiality obligations, breach notification timelines, and rights to audit or request security documentation.
- Ongoing monitoring: Conduct periodic reviews, questionnaires, or attestations.
Data Mapping
To comply with safeguarding and breach notification requirements, firms should maintain a clear understanding of:
- What customer information they collect.
- Where that data is stored (systems, applications, cloud providers).
- Who has access to it (employees, vendors, affiliates).
- How data flows across their systems and vendors.
A simple data mapping inventory is often sufficient for small firms, provided it is accurate and updated annually.
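The access-control items in section 4 and the vendor oversight and data mapping items above all reduce to questions a firm can ask of its own inventory: which systems hold customer information, whether MFA and role-based access are in place on them, when access rights and vendor due diligence were last reviewed, and whether each vendor contract carries confidentiality and breach-notice clauses. The following is an added example, not code from the SEC advisory or from the article, of a small inventory checked for those gaps; the firm, the systems, the vendor names, the field names and the one-year review cut-off are all assumptions for illustration.

```python
"""Gap check over a small firm's data-map inventory.

Added example, not code from the SEC advisory or the article: a constructed
inventory of the systems and vendors that touch customer information, checked
against the controls the article recommends.  Entity names, field names and
the one-year review interval are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# "Updated annually" / "review periodically" read here as a 365-day cut-off (assumed).
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class System:
    name: str
    holds_customer_info: bool
    mfa_enforced: bool
    roles_defined: bool                  # role-based access in place
    last_access_review: Optional[date]   # None = never reviewed
    operated_by: str = "internal"        # "internal" or the vendor's name


@dataclass
class Vendor:
    name: str
    has_customer_data_access: bool
    last_due_diligence: Optional[date]   # None = never assessed
    breach_notice_days: Optional[int]    # contractual notice window; None = no clause
    confidentiality_clause: bool


def _stale(last: Optional[date], today: date) -> bool:
    return last is None or today - last > REVIEW_INTERVAL


def inventory_gaps(systems: List[System], vendors: List[Vendor],
                   today: date) -> List[Tuple[str, str]]:
    """Return (entity, issue) pairs for every control the inventory shows as missing."""
    gaps: List[Tuple[str, str]] = []
    vendor_by_name = {v.name: v for v in vendors}

    for s in systems:
        if not s.holds_customer_info:
            continue                     # no customer data: outside safeguarding scope
        if not s.mfa_enforced:
            gaps.append((s.name, "no_mfa"))
        if not s.roles_defined:
            gaps.append((s.name, "no_role_based_access"))
        if _stale(s.last_access_review, today):
            gaps.append((s.name, "access_review_overdue"))
        if s.operated_by != "internal":
            v = vendor_by_name.get(s.operated_by)
            if v is None:
                # A third party holds customer data but is missing from vendor oversight.
                gaps.append((s.name, "operator_not_in_vendor_inventory"))
            elif not v.has_customer_data_access:
                # The data map and the vendor record disagree; one of them is wrong.
                gaps.append((s.name, "vendor_access_not_recorded"))

    for v in vendors:
        if not v.has_customer_data_access:
            continue
        if _stale(v.last_due_diligence, today):
            gaps.append((v.name, "due_diligence_overdue"))
        if v.breach_notice_days is None:
            gaps.append((v.name, "no_breach_notice_clause"))
        if not v.confidentiality_clause:
            gaps.append((v.name, "no_confidentiality_clause"))
    return gaps


# Constructed sample inventory (hypothetical firm, hypothetical vendors).
SYSTEMS = [
    System("Email", True, True, True, date(2025, 9, 15)),
    System("CRM", True, False, True, date(2025, 1, 10), operated_by="CRM Cloud Inc."),
    System("Trading platform", True, True, False, None, operated_by="Clearing Corp"),
    System("Marketing site", False, False, False, None),    # no customer data: ignored
]
VENDORS = [
    Vendor("CRM Cloud Inc.", True, date(2024, 3, 1), 3, True),
    Vendor("Clearing Corp", True, date(2025, 11, 20), None, True),
    Vendor("Office cleaning", False, None, None, False),     # no data access: ignored
]
AS_OF = date(2026, 2, 1)


def sample_gaps() -> List[Tuple[str, str]]:
    """Run the check over the constructed inventory as of AS_OF."""
    return inventory_gaps(SYSTEMS, VENDORS, AS_OF)


if __name__ == "__main__":
    for entity, issue in sample_gaps():
        print(f"{entity}: {issue}")
```

Against the constructed inventory the check reports six gaps: the CRM lacks MFA and an access review in the last year, the trading platform has no role definitions and has never had an access review, the CRM vendor's due diligence is more than a year old, and the clearing vendor's contract has no breach-notice clause. The same cross-check between the system map and the vendor list is what catches a vendor that holds customer data but was never put through due diligence, which is the situation the amendments' service-provider oversight requirement is aimed at.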
6. Incident Response Program Expectations
An effective incident response program must include:
Planning and Preparation
- Assign roles and responsibilities (internal and external).
- Maintain contact lists for internal teams, vendors, and regulators.
- Establish communication templates for breach notifications.
Detection and Assessment
- Implement monitoring tools or vendor alerts.
- Define criteria for determining whether unauthorized access occurred.
- Document the assessment process.
Containment and Mitigation (Response Plan)
- Isolate affected systems.
- Reset credentials or disable compromised accounts.
- Coordinate with vendors or IT providers.
Notification (know your obligations)
- Notify affected individuals within the required time frame.
- Include details on the nature of the breach, data involved, and recommended protective steps.
- Maintain records of notifications and remediation actions.
Conclusion
The Regulation S‑P amendments represent a significant shift in regulatory expectations for small firms, particularly around vendor oversight, data governance, and incident response readiness. As the regulatory deadline approaches, now is the time to take steps to ensure compliance. Small firms should begin by updating written policies, conducting a data mapping exercise, reviewing vendor contracts, and establishing a structured incident response program.
If you need help implementing Regulation S-P changes, please contact the author of this article. CF Compliance Consulting Group can help with data mapping, policy creation, response development, and vendor due diligence for Regulation S-P.