Smaller broker-dealers, investment advisers, investment companies, and transfer agents are running out of time to align their privacy and data security programs with the amended requirements of SEC Regulation S-P. The compliance deadline for these smaller entities under the 2024 amendments arrives on June 3, 2026, leaving only a narrow window to finalize policies, train personnel, and operationalize new safeguards. Firms that have not yet completed implementation should treat the remaining days as a final opportunity to close gaps before SEC examination and enforcement staff begin assessing compliance.
At the center of the amended rule is the obligation to adopt a written incident response program. Covered firms must be able to detect, respond to, and recover from unauthorized access to or use of customer information, and they must document those procedures in a manner that can withstand regulatory scrutiny. The program should reflect the firm's particular size, complexity, and risk profile, and it should integrate with existing cybersecurity, vendor management, and business continuity frameworks rather than sit alongside them as a standalone exercise.
The amendments also impose a customer notification requirement that will be new territory for many smaller advisers and broker-dealers. Following a data breach involving sensitive customer information, covered firms must provide notification within 30 days, subject to the conditions set out in the rule. Operationalizing this obligation requires clear escalation paths, predefined notification templates, coordinated legal and communications workflows, and reliable means of reaching affected individuals on a compressed timeline.
In addition to incident response and notification, the amendments update the existing safeguards and disposal rules. Firms should revisit their administrative, technical, and physical safeguards, refresh their records disposal practices, and confirm that service provider arrangements include appropriate contractual protections and oversight mechanisms. Board reporting, training programs, and internal testing should be updated to reflect the amended standards so that the program is not only on paper but also embedded in day-to-day operations.
Given the proximity of the deadline and the breadth of the amended requirements, firms with any open items should prioritize remediation now to reduce enforcement exposure.
This alert is provided for general informational purposes only and does not constitute legal advice. Clients should consult counsel for advice tailored to their specific facts and circumstances.