Ask a registered investment adviser about its cybersecurity program and you will almost certainly hear about the policies: the written procedures, the annual review and the outside counsel who drafted them. For years, that answer was sufficient, but not anymore. The SEC’s 2024 amendments to Regulation S-P (“Reg S-P”) change the question entirely, and with a compliance deadline of June 3, 2026, now just weeks away for smaller registered investment advisers, the window to get it right is closing.
The amendments introduce a standard that rewards operational readiness over documentation. The test is no longer whether a firm has written down what it would do in the event of a breach, but whether it can actually do it, on a compressed timeline, with evidence to show an examiner afterward. For investment advisers, private fund managers, chief compliance officers and the counsel who advise them, that shift in the standard is where most firms are currently falling short. The following is a practical guide to navigating the amended rule, from understanding its core requirements to the concrete steps firms can take to avoid finding themselves on the wrong side of an SEC examination.
What the Rule Was, and What It Has Become
To put the amendments in context, it helps to understand what Reg S-P was originally designed to do. It has been on the books since 2000, when it was adopted to carry out the privacy requirements of the Gramm-Leach-Bliley Act. Its original design reflected the concerns of its era: how financial institutions shared customer information with third parties, and what notice customers were owed when that information was shared. In other words, the rule was built around disclosure and opt-out obligations, not around the operational demands of managing a breach.
The 2024 amendments overhaul that framework considerably. They apply to broker-dealers, investment companies, SEC-registered investment advisers, funding portals and transfer agents. For private fund managers, the effect is a fundamental elevation of what cybersecurity compliance requires, from maintaining written policies to demonstrating that those policies function under real conditions. Larger advisers – those with $1.5 billion or more in assets under management – faced a December 3, 2025 deadline to update their framework. Now the time has come for smaller firms to do the same, and they only have until June 3, 2026, to accomplish this. For those still working through implementation, that window is not an extension; it is the finish line, and the time to act is now.
Three Requirements That Work Together
The centerpiece of the amended rule is a written incident response program, required to be reasonably designed to detect, respond to and recover from unauthorized access to customer information. What distinguishes this requirement from the prior framework is its operational specificity. For instance, the program must now include documented procedures for scoping an incident, identifying affected systems and data and taking containment steps. Put simply, it has to be a document someone can actually follow in the middle of a crisis, not a statement of general intentions, and that standard is genuinely harder to meet than it might appear.
Additionally, the amendments broaden the scope of the safeguards rule. Previously, protection was limited to a firm’s own customers. But now, the rule also covers non-public personal information received from other financial institutions about their customers. This change means advisers managing data through fund structures, custodial accounts or sub-advisory relationships must now carefully map their data environment, a level of diligence many have not previously employed.
The third pillar of the amended framework is recordkeeping. Firms affected by this new rulemaking must maintain written records documenting compliance with both the safeguards and disposal provisions, including incident documentation, investigation records and the basis for any notification determination. Together, these three obligations – incident response, expanded data scope and recordkeeping – reflect a consistent regulatory logic: the SEC has moved well past taking firms at their word on cybersecurity; the amended rule is built around demonstration, not description.
The Notification Clock
Among all the provisions introduced by the amended rule, the customer notification requirement is the piece that is most likely to keep compliance officers, and the firm’s legal counsel, up at night. When sensitive customer information is accessed or used without authorization, or when such access is reasonably likely to have occurred, advisers and other firms subject to the rule must notify affected individuals within 30 days of becoming aware of the breach. The notice must describe the incident, identify the data involved and advise affected individuals of steps they can take to protect themselves from potential fraud or identity theft.
Now, upon initial review, 30 days might sound reasonable. That is, until you find yourself in a real incident. In those cases, firms often spend the first week or two just trying to understand what happened, while simultaneously managing containment, consulting counsel and briefing leadership, which leaves little time for the notification work itself. The coordination required to move from incident awareness to customer notification, on a defined timeline with documented support, is exactly the kind of cross-functional readiness that tabletop exercises are designed to test, and firms that have not run through that exercise will find the clock unforgiving when it matters most.
Importantly, the rule does include a narrow exception that allows firms to forgo notification, but it is more limited than it might appear at first glance. It applies only where a genuine investigation concludes that the information has not been, and is not reasonably likely to be, used in a way that causes real harm to affected individuals. In other words, the exception is not a pressure valve firms can reach for when notification feels inconvenient, and a firm that cannot back that conclusion up with written documentation when an examiner asks is in a far worse position than if it had simply notified affected clients in the first place.
The Problem With Vendor Risk
As if the notification requirement were not demanding enough on its own, the amended rule piles on a set of vendor oversight obligations that firms tend to seriously underestimate. Now, firms must establish and enforce written policies and procedures designed to ensure that service providers with access to customer information protect it appropriately. Those service providers, in turn, must notify the firm of any incidents within 72 hours of becoming aware of a breach. And when an incident originates with a third-party vendor, the responsibility for notifying affected customers still falls squarely on the adviser.
That last point tends to surprise firms and can be a real sticking point when it comes to effectively complying with the amended rule. Remember, a well-drafted service provider contract does not transfer the notification obligation. The adviser is still on the hook, which means the adviser’s oversight program, contractual protections and monitoring practices must be sufficient not just to govern vendors in the abstract, but to receive timely notification from them, assess the scope of what occurred and deliver customer notice, all within the overall 30-day window.
That is a demanding sequence, and most existing vendor frameworks simply were not built to support it. The data backs that up pretty clearly. For example, Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled year over year, reaching 30 percent of all incidents. For most advisers, that means the risk is not sitting somewhere outside the firm; it is sitting inside the systems they rely on every day. Firms that have not updated their vendor agreements, tightened their due diligence or put monitoring in place are carrying exposure that the prior rule never required them to address.
Artificial Intelligence and the Changing Attack Surface
It would be a mistake to read the Reg S-P amendments as simply a response to the threat environment of a few years ago, because that environment has continued to shift in significant ways. Artificial intelligence (“AI”) has changed the mechanics of cyberattacks in ways that bear directly on what incident response programs need to address, and on how quickly a firm can find itself in a notification scenario it was not at all prepared for in the past.
AI-enabled techniques now include highly targeted phishing campaigns, automated credential harvesting, continuous vulnerability scanning and deepfake impersonation of senior executives. More specifically, IBM’s 2025 Cost of a Data Breach Report found that 16 percent of breaches now involve AI-driven attack methods, which is a number that continues to climb. The SEC has responded within its examination framework accordingly. The Division of Examinations’ fiscal year 2026 priorities specifically identify AI-related cybersecurity risks as a focus area, with examiners directed to assess the controls firms have in place to address AI-associated threats. The agency’s Cyber and Emerging Technologies Unit, established in early 2025, has also made AI-enabled misconduct a stated priority. What this means practically for advisers updating their incident response programs under Reg S-P is straightforward: a program that does not address AI-driven attack vectors explicitly, including deepfake impersonation and AI-accelerated vendor compromise, is missing a category of risk that examiners are now actively probing. The bottom line: these have moved well past emerging risks and into standard examination territory.
What an Examination Will Look Like
The Division of Examinations has been direct about its intentions, and firms should take that seriously. Cybersecurity is a perennial examination priority, and the Reg S-P amendments have given examiners a detailed and specific framework to apply. The Division’s 2026 examination priorities name incident response programs, customer notification procedures and information safeguards as explicit focus areas, which means firms that arrive at an examination with well-drafted policies, but no evidence of operational readiness, are going to face a difficult conversation.
More specifically, examiners will ask whether the incident response program has been tested, and when. They will want to understand whether staff know their roles in an escalation scenario. They will look at data inventories to assess whether firms understand where customer information resides and who has access to it. They will review vendor contracts for the 72-hour notification provision. And, critically, they will look at the documentation trail, because that trail matters more now than ever before, given that recordkeeping is now a substantive compliance obligation in its own right, not an afterthought firms piece together once an incident is behind them.
It is also worth keeping the enforcement record in mind here, because it gives that standard real teeth. The SEC has secured penalties totaling more than $9 million in recent cybersecurity-related enforcement actions against entities that misrepresented their cybersecurity posture or made inadequate disclosures about incidents. Those cases have primarily involved public reporting companies, but the agency’s willingness to pursue enforcement when firms treat cybersecurity obligations as a formality is well established at this point. The key takeaway here is that registered advisers are not insulated from that posture and should not assume otherwise.
Where to Focus in the Time Remaining
For firms that have not yet completed their Reg S-P implementation, the path forward requires clear prioritization across a few areas that carry the most risk and require the most lead time to address properly.
First and foremost, incident response programs need to be tested before there is an actual incident. A plan that has never been walked through offers no reliable indication of whether it will actually work under pressure. Tabletop exercises that bring together legal, compliance, IT and senior management are how coordination failures and information gaps come to light in a controlled setting, rather than in the middle of an actual incident. The gaps are always there; the only question is whether a firm discovers them on its own terms in an exercise or under the pressure of a live incident.
Equally important, data mapping is foundational to the notification and vendor oversight obligations alike. The 30-day clock begins running when the firm becomes aware of an incident, and a firm that does not have a current, accurate picture of where customer data lives, which vendors hold such data and how that data flows cannot realistically meet that deadline. Importantly, the same mapping exercise identifies which service providers fall within scope of the rule’s protections, which in turn drives the vendor contract review.
On the vendor side, agreements need to be audited against the new requirements. Many were negotiated before the amendments were finalized and simply do not include the 72-hour notification provision. Advisers should identify those gaps, prioritize renegotiation with vendors that have meaningful data access and document the outcome of those discussions, including any vendor resistance, which is itself relevant to the firm’s overall risk posture.
Finally, and perhaps most importantly, documentation practices need to be built and tested in advance. The amended framework treats recordkeeping as a substantive compliance obligation, not administrative housekeeping, and the processes for documenting incident investigations, notification decisions and the reasoning behind them need to be functioning before an examination. Documentation created after the fact is a fundamentally different thing from documentation created as the events actually unfold, and examiners know the difference.
The Standard Has Changed
The Reg S-P amendments represent a genuine and meaningful shift in what the SEC considers adequate cybersecurity governance for registered investment advisers. The prior framework asked firms to have policies, but the amended rule asks them to demonstrate that those policies work, that the people responsible for executing them understand what they are supposed to do and that the firm has the documentation to show how it handled the decisions it made along the way. That is a higher bar, and it is the bar examiners will be applying going forward.
That higher bar exists for a reason, and the threat environment makes that reason hard to ignore. Financial services firms reported a ransomware hit rate of 65 percent in 2024, with average recovery costs approaching $6 million per incident. Third-party breaches are rising sharply, AI-assisted attacks are compressing the timelines firms have to respond and the sophistication of both is accelerating. None of that is the SEC’s creation, of course, but the amendments are a direct response to it, and firms that continue to treat cybersecurity compliance as a documentation exercise will eventually find themselves in an examination, or worse, an incident, that makes the cost of that approach impossible to ignore.
The key message for investment advisers, their legal teams, and compliance departments is this: having a policy is not the same thing as being prepared. The SEC now emphasizes that this difference is not merely a recommended practice but a legal requirement with a strict deadline.
Reprinted with permission from the May 20, 2026 edition of the New York Law Journal. © 2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited; contact 877-256-2472 or [email protected].