BUSINESS · 2026-06-15

Reg S-P's new baseline for smaller firms

The SEC's amended privacy rule has quietly become a cybersecurity rule. As of June 3, 2026, even the smallest advisers and broker-dealers must run a written incident-response program, notify breached customers on a clock, and police their vendors — the same hygiene that blunts AI-enabled fraud.

For a quarter century, Regulation S-P was the SEC's quiet privacy rule. Adopted in 2000 to implement the Gramm-Leach-Bliley Act, it required broker-dealers, investment companies, and registered investment advisers to mail a privacy notice and to adopt “reasonable” written safeguards for customer records.[1] Most firms treated it as a compliance formality: a policy in a binder, reviewed once a year. The 2024 amendments ended that era. Reg S-P is now, in substance, a cybersecurity rule with deadlines and teeth.

On May 16, 2024, the Commission adopted sweeping amendments to Reg S-P in Release No. 34-100155, published in the Federal Register on June 3, 2024.[2] The headline change is a federal customer-breach-notification obligation where none existed before. But the deeper shift is operational: the rule now prescribes how a firm must detect, respond to, and recover from an intrusion — and it expects documented proof, not paper intentions.

What the amendments actually require

The amended rule layers three new obligations on top of the existing safeguards and disposal requirements. First, every covered institution must maintain a written incident-response program “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information,” including procedures to assess the nature and scope of an incident and to contain it.[3]

Second — and this is the part that changes day-to-day reality — the program must include customer notification. When sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization, the firm must notify each affected individual “as soon as practicable, but not later than 30 days” after becoming aware of the incident.[3] “Sensitive customer information” is defined broadly: any information whose compromise could create a reasonably likely risk of substantial harm or inconvenience — Social Security numbers, biometric records, and account credentials being the obvious examples.[3] The notice must describe the incident, the data involved, and what the customer can do to protect themselves.

Third, the rule imposes service-provider oversight. Firms must adopt written policies to oversee their vendors through due diligence and monitoring, and to obtain assurance that a service provider will take appropriate measures and notify the firm as soon as possible, but no later than 72 hours after discovering a breach of customer information in its custody.[3] Critically, outsourcing the data does not outsource the duty: the registered firm still owns the customer-notification obligation even when the breach happens inside a vendor's systems.

Rounding out the package are recordkeeping requirements — firms must document their program, their incidents, and their service-provider oversight — and an expansion of the safeguards and disposal rules to cover a broader universe of customer information, including information a firm receives about another institution's customers.[4]

[Figure 1: the Reg S-P notification clock. T0: the firm becomes aware of unauthorized access. A vendor must report a breach in its custody to the firm within 72 hours. The firm must notify customers as soon as practicable, with 30 days as the outer limit. The duty stays with the registered firm even when the breach is the vendor's.]
FIG. 1 — Reg S-P incident clock under Release No. 34-100155: vendor reporting within 72 hours; customer notice as soon as practicable, no later than 30 days.
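The two clocks in the figure start from different events, and a late vendor report does not move the firm's own 30-day limit. The following deadline tracker is an added example written for this article, not code from the SEC or the author; the class name, field names and the constructed sample incident are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as described in the article's summary of Release No. 34-100155.
VENDOR_REPORT_WINDOW = timedelta(hours=72)   # vendor -> firm, from vendor discovery
CUSTOMER_NOTICE_LIMIT = timedelta(days=30)   # firm -> customers, from firm awareness


@dataclass
class IncidentClock:
    """Tracks the vendor and customer deadlines for one incident (constructed helper)."""
    firm_aware: datetime                        # T0: firm becomes aware of unauthorized access
    vendor_discovered: Optional[datetime] = None  # set only when the data sat with a vendor
    vendor_reported: Optional[datetime] = None
    customers_notified: Optional[datetime] = None

    def vendor_deadline(self) -> Optional[datetime]:
        if self.vendor_discovered is None:
            return None
        return self.vendor_discovered + VENDOR_REPORT_WINDOW

    def customer_deadline(self) -> datetime:
        # The 30-day outer limit runs from the firm's awareness, not the vendor's discovery,
        # and the duty stays with the firm regardless of how late the vendor reported.
        return self.firm_aware + CUSTOMER_NOTICE_LIMIT

    def vendor_status(self, now: datetime) -> str:
        deadline = self.vendor_deadline()
        if deadline is None:
            return "n/a"
        if self.vendor_reported is not None:
            return "on time" if self.vendor_reported <= deadline else "late"
        return "overdue" if now > deadline else "pending"

    def customer_status(self, now: datetime) -> str:
        deadline = self.customer_deadline()
        if self.customers_notified is not None:
            return "on time" if self.customers_notified <= deadline else "late"
        return "overdue" if now > deadline else "pending"


def sample_incident() -> IncidentClock:
    """Constructed sample: vendor finds the breach, reports 97 hours later; firm learns of it then."""
    utc = timezone.utc
    return IncidentClock(
        firm_aware=datetime(2026, 6, 9, 10, tzinfo=utc),
        vendor_discovered=datetime(2026, 6, 5, 9, tzinfo=utc),
        vendor_reported=datetime(2026, 6, 9, 10, tzinfo=utc),
    )
```

For the sample incident the vendor is late, while the firm's customer clock only opens on June 9 and runs to July 9.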

Why smaller firms feel it hardest

The amendments phase in by size. Larger entities — registered advisers with $1.5 billion or more under management, and broker-dealers and fund complexes above the corresponding thresholds — had to comply by December 3, 2025. Everyone else, the “smaller entities,” had until June 3, 2026.[5] That deadline is now here, and it lands on the firms least equipped to meet it.

Larger broker-dealers have run formal incident-response playbooks for years. A two-person advisory shop typically has no in-house security team, leans on third-party custodians and SaaS vendors for nearly every core function, and has never run a tabletop exercise. The SEC declined to prescribe specific technical controls, which sounds like flexibility but functions as a burden: each firm must make risk-based judgments about what is “reasonably designed” for its size and business — and then defend those judgments to an examiner who will ask for evidence the controls actually work.

The security baseline that also stops AI fraud

It is tempting to read Reg S-P as a documentation chore. That misreads the moment. The controls the rule effectively requires — multi-factor authentication, encryption in transit and at rest, role-based access, centralized logging with secure retention, and a rehearsed response plan — are the same controls that defend against the fastest-growing threat to financial firms: AI-enabled social engineering.

Synthetic media has industrialized the impersonation attack. In one widely reported 2024 incident, an employee at the engineering firm Arup was tricked into transferring roughly $25 million after joining a video call populated entirely by deepfaked colleagues, including a fabricated chief financial officer.[6] The FBI has warned that criminals are using generative AI to clone voices and faces for exactly this kind of fraud and account takeover.[7] A wealth-management client's voice is now a trivial thing to fake; a wire-authorization “call from the founder” can be wholly synthetic.

The defenses are unglamorous, and they overlap with what Reg S-P's text already requires. Out-of-band verification before moving funds defeats the deepfake call. Strong access controls and logging shrink the blast radius of stolen credentials and make the incident-response program's containment and assessment steps actually executable. A tested response plan is the difference between a 30-day notification met calmly and a scramble that misses the clock. Reg S-P, in other words, forces firms to build the muscle that synthetic-media fraud is designed to exploit.

Reg S-P in context: it is not alone

Reg S-P now rhymes with the broader federal trend. The FTC's Safeguards Rule under the same Gramm-Leach-Bliley Act was amended in 2023 to require non-banking financial institutions to notify the FTC of a breach affecting 500 or more consumers as soon as possible and no later than 30 days after discovery, effective May 2024.[8] Different regulator, different trigger, same direction: written programs, fixed clocks, documented proof. A firm that builds one defensible program is well along toward satisfying the others — and toward surviving an examination cycle in which examiners now expect operational compliance, not intent.

What to do in the time that remains

For firms that started early, the work now is closing gaps, stress-testing the incident-response plan through a tabletop, and assembling an exam-ready documentation package. For firms that have not started, the priority is blunt: begin. Inventory and classify customer data, paper the vendor relationships with breach-notification obligations, stand up MFA and encryption, turn on logging you can actually retrieve, and write — then rehearse — the response plan. The deadline arrives whether the binder is ready or not.

The durable lesson is the one this project keeps returning to: in an era where a voice, a face, or a video can be conjured on demand, the firms that survive are the ones that can prove what happened and respond on a clock — not the ones merely asked to trust what they see. For more on defending against synthetic-media fraud, see the War Room.


Sources

[1] Regulation S-P: Privacy of Consumer Financial Information, 17 CFR Part 248, implementing the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801 et seq.). ecfr.gov
[2] SEC, “Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information,” final rule, Release No. 34-100155 (May 16, 2024); 89 Fed. Reg. 47688 (June 3, 2024). federalregister.gov
[3] SEC, “SEC Adopts Rule Amendments to Reg S-P to Enhance Protection of Customer Information” (incident-response program; notice “as soon as practicable, but not later than 30 days”; sensitive-customer-information definition; service-provider oversight and 72-hour notification). sec.gov
[4] SEC, “Enhancements to Regulation S-P: A Small Entity Compliance Guide” (recordkeeping; expanded safeguards and disposal coverage). sec.gov
[5] FINRA, “Cybersecurity Advisory — SEC Amends Regulation S-P” (compliance dates: larger entities Dec. 3, 2025; smaller entities June 3, 2026; size thresholds). finra.org
[6] “Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’” (Arup). CNN, 4 Feb. 2024. cnn.com
[7] FBI, “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud” (Public Service Announcement I-120324-PSA, 3 Dec. 2024). ic3.gov
[8] FTC, “Standards for Safeguarding Customer Information,” amended Safeguards Rule under the Gramm-Leach-Bliley Act, breach-notification requirement (500+ consumers; FTC notice no later than 30 days), effective May 13, 2024. ftc.gov