Small Firms: Practical Advice on Reg S-P Amendments
By Craig Moreshead, Managing Director
On January 22, 2026, the SEC conducted a practical and informative compliance outreach session for small firms on the upcoming Regulation S-P amendments. The outreach included a recap of the key new Reg S-P requirements as well as a highly useful mock exam workflow highlighting Reg S-P exam expectations for small firms.
Recap of Key New Reg S-P Requirements
On May 15, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P, the regulation that governs the treatment of nonpublic personal information about consumers by certain financial institutions. The amendments require registered investment advisers to develop an incident response program for unauthorized access to or use of customer information, including customer notification procedures. The compliance date for small to mid-size firms (less than $1.5 billion AUM) is June 3, 2026.
Customer Notification: One of the most impactful new requirements is the 30-day customer notification requirement. After becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, an adviser will be required to notify affected customers within 30 days, unless a reasonable investigation has affirmatively determined that substantial harm or inconvenience to clients is not likely to result from the use of the sensitive customer information.
Service Provider Oversight & Notification: Where a service provider to the adviser receives, maintains, processes, or otherwise is permitted access to the adviser's customer information, the adviser has oversight responsibility under Regulation S-P for protecting that information against unauthorized access or use in relation to that service provider. The adviser must verify i) that the service provider has adequate systems, processes, and procedures in place to protect against unauthorized access to or use of customer information, and ii) that the service provider will notify the adviser no later than 72 hours after becoming aware of unauthorized access to customer information.
Other Reg S-P Changes: The adviser's Incident Response Program must include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use. The amendments apply the protections of the safeguards rule and the disposal rule to "customer information", a newly defined term. The amendments also broaden the group of customers protected under Reg S-P. The amendments require the maintenance of books and records documenting compliance with the new requirements. Finally, the amendments codify a statutory exception to the annual privacy notice delivery requirement, provided the adviser i) only provides non-public personal information to non-affiliated third parties when an exception to the third-party opt-out applies, and ii) has not changed its policies and practices with regard to disclosing non-public personal information since its most recent disclosure sent to customers.
Reg S-P Exam Workflow
A Reg S-P examination conducted by the SEC will include the following four phases: 1) Risk Assessment, 2) Initial Document Request, 3) Interviews, and 4) Staff Observations.
Risk Assessment: Prior to reaching out to the firm, the SEC will conduct a risk assessment based on a review of public websites, historical exams, active exams, regulatory filings, and any tips or complaints received.
Initial Document Request: After conducting the preliminary risk assessment, the SEC will deliver an initial document request to the firm. Requested documents will typically include:
Policies and Procedures Addressing Administrative, Technical, and Physical Safeguards for the Protection of Customer Information
Information Technology Managed Service Provider Contract
Organization Charts
Risk Assessments Related to Technology/Cybersecurity Risk, Controls, Threats, Vulnerabilities
Incident Response Plan and List of Responsible Staff
List of Tools That Facilitate Detection and Monitoring of the Firm’s Network Environment
Documentation Confirming Monitoring of Information Systems, Networks, and Personnel Activity to Detect Incidents
Documentation of Incident Response to Any Security Incidents
Interviews: After the initial document production, the SEC will request interviews with firm personnel who have knowledge of and responsibility for information security. Advisers should expect the SEC to want to interview the firm's chief compliance officer, chief technology officer, chief information officer, and any outsourced IT staff. Interviews will typically be conducted at the firm's office.
Staff Observations: After reviewing documents and conducting interviews, the SEC will typically provide a written summary of observations relating to the firm's compliance with Regulation S-P.