
SEC Reg S-P Deadline June 2026: What Smaller RIAs Need to Do Now

The amended Safeguards Rule takes effect June 3, 2026 for smaller RIAs. Here's the Reg S-P Readiness Checklist for firms under $1.5B, mapped to the specific systems — Redtail, Wealthbox, Schwab, eMoney, DocuSign — that the rule touches.


June 3, 2026 is 33 days from today.

That's the compliance deadline for smaller RIAs under the SEC's amended Reg S-P — the Safeguards Rule governing how registered investment advisers protect client financial data. The amendment, adopted in May 2023 with a staggered compliance timeline, gave larger advisers until August 2024. Smaller advisers — those with less than $1.5 billion in AUM — have until June 3, 2026.

For most advisors, June feels distant in May. It isn't. Vendor response timelines, document drafting, and access control audits take longer than most firms estimate. Here's what the rule actually requires, where smaller RIAs typically have gaps, and the specific system-by-system work that needs to happen before June 3rd.

What Reg S-P Actually Requires

The amended rule has four operative requirements for covered RIAs:

1. Written Incident Response Program. You must have a documented, written plan for detecting, responding to, and recovering from unauthorized access to client data. This includes a 30-day client notification requirement when client data is exposed or potentially exposed in a breach. The clock starts at detection — not at resolution.

2. Vendor Service Provider Oversight. If you share client data with a service provider — which every RIA does, across CRM, custodian, and financial planning platforms — you must have reasonable contract provisions requiring those providers to implement appropriate safeguards and notify you promptly if they experience a breach affecting your client data.

3. Written Policies and Procedures. Your information security policies must be documented, reflect actual practice, and include the incident response program as a component.

4. Annual Review. The information security program must be reviewed at least annually, with results documented and reported to senior management or the principal executive officer.

What the rule does not require: a specific technology stack, third-party security audits, SOC 2 certification for your firm, or penetration testing. The requirement is documented controls, vendor contract provisions, and a working incident response plan.

The Reg S-P Readiness Checklist for Smaller RIAs

This checklist maps each requirement to the specific action items most firms under 150 households need to complete before June 3rd. Work through it in order.

Pillar 1: Incident Response Program

  • Written breach response plan exists — names who is responsible at the firm, what steps are taken upon detection, how the 30-day client notification requirement is met
  • Detection method is defined — who monitors for unauthorized access, what counts as a reportable incident, where vendor breach notifications are received and logged
  • Client notification template drafted — the message sent to affected clients within 30 days of detecting a breach
  • State law cross-check complete — some state breach notification laws have shorter windows than 30 days; your plan must address the more restrictive requirement
  • Plan has been tested — a documented tabletop walkthrough of what happens if Redtail, Wealthbox, or a custodian notifies you of a data incident involving your clients

Pillar 2: Vendor Oversight

  • Vendor inventory documented — a written list of all service providers who receive, store, or transmit client PII (CRM, custodian portals, financial planning software, document signing platforms, email providers, reporting tools)
  • Data processing agreements reviewed — confirmed that agreements with each vendor include a provision requiring them to notify you of a breach affecting your client data; flagged and addressed agreements that don't
  • Security documentation obtained — SOC 2 report or equivalent documentation requested and filed for each vendor on your inventory

Vendor-by-vendor reference for common RIA platforms:

| Vendor | DPA Available | Breach Notification Clause | Security Documentation |
| --- | --- | --- | --- |
| Redtail | Yes — in service agreement | Yes — customer notification within 72 hours of detection | SOC 2 Type II available on request |
| Wealthbox | Yes — Data Processing Agreement available on request | Yes | SOC 2 Type II available |
| Schwab Advisor Services | Yes — covered in Adviser Agreement | Yes — custodian-level notification protocol | SSAE 18 / SOC 1 available |
| Fidelity Institutional | Yes | Yes | SOC 1 / SOC 2 available |
| eMoney Advisor | Yes — Data Privacy Addendum | Yes | SOC 2 Type II |
| DocuSign | Yes — Data Processing Agreement | Yes — Global Breach Notification provisions | ISO 27001, SOC 2 Type II |

The most common gap: firms have active accounts with all of these vendors but have never reviewed their service agreements for breach notification language. Most already include appropriate provisions — the work is confirming it's present, filing documentation, and addressing any gaps found during the review.

Pillar 3: Policies and Procedures

  • Information security policy document exists — covers data classification, access controls, acceptable use, and physical security basics
  • Access control policy documented — who holds admin access to each system, when access is reviewed, and how departing employees are offboarded across all platforms
  • Employee training policy documented — what training is required on data handling, how often, and how completion is recorded
  • Incident response program integrated — the written breach response plan is referenced in or attached to the information security policy

Pillar 4: Annual Review

  • Review process defined — who conducts it, when it occurs, and what would trigger an off-cycle review
  • Documentation format established — what the annual review produces (memo, completed checklist, management report)
  • First review scheduled — for most firms completing this for the first time, the initial build and the first annual review occur simultaneously; document accordingly

Where Most Smaller RIAs Have Gaps

Based on workflow and compliance reviews with RIA firms preparing for this deadline, three gaps appear consistently:

Gap 1: No written incident response plan. Most smaller RIAs have informal understandings of what they'd do in a breach scenario, but nothing written. This is the single most important document to create — it's the core of the Reg S-P requirement and the first thing SEC examiners will ask for.

Gap 2: Vendor agreements unreviewed. Firms have service agreements with Redtail, Schwab, eMoney, and DocuSign, but no one has confirmed that each agreement contains an appropriate breach notification clause. Most do, but compliance requires that confirmation to be documented, and obtaining it takes time when vendor response queues are slow.

Gap 3: Orphaned access not revoked. The access control requirement surfaces a problem most firms don't realize they have: former employees who retain access to CRM or custodian portals beyond their departure date. The policy requirement makes this visible and actionable.

Timeline for the Next 33 Days

Week 1 (Now — May 8):

  • Build your vendor inventory — every platform that touches client PII
  • Pull service agreements for each vendor; locate and document the breach notification clause

Week 2 (May 9–15):

  • Draft the written incident response plan
  • Request SOC 2 or equivalent security documentation from any vendor that hasn't provided it
  • Begin access control audit — current staff access to CRM and custodian portals

Week 3 (May 16–22):

  • Complete the information security policy document
  • Finalize access control audit; revoke any orphaned access
  • Document employee training plan and schedule the initial training session

Week 4 (May 23–June 2):

  • Complete and document the first annual review
  • File all vendor DPAs with breach notification clauses confirmed
  • Final pass through the Reg S-P Readiness Checklist above

June 3: Compliance deadline.


Frequently Asked Questions

Does Reg S-P apply to all RIAs?

The amended Reg S-P applies to SEC-registered investment advisers. State-registered advisers are subject to state-level equivalents — most states have adopted substantially similar frameworks — but the June 3, 2026 deadline specifically applies to SEC-registered advisers with less than $1.5B in AUM. If you're uncertain whether the SEC or a state regulator oversees your firm, confirm before June 3rd.

Do we need to hire a cybersecurity firm to comply?

Not necessarily. The rule requires reasonable written safeguards and documented vendor oversight — not third-party certification for your firm. Many smaller RIAs can complete the core compliance build with a compliance consultant handling document drafting. That said, if your firm has material gaps in actual technical controls (no MFA on CRM or email accounts, outdated software on firm devices), it's worth addressing those alongside the documentation work, since examiners may review both.

What happens if we miss the June 3rd deadline?

SEC examiners will be reviewing for Reg S-P compliance in examinations conducted after June 3rd. Deficiencies identified in examinations can result in deficiency letters, required corrective action plans, or enforcement referral for significant gaps. The compliance window has been open since 2023 for smaller RIAs. Examiners are likely to treat firms with no documented program differently than firms with a partial program that demonstrates good-faith effort.


Key Takeaways

  • The SEC's amended Reg S-P takes effect June 3, 2026 for smaller RIAs (under $1.5B AUM) — 33 days from today
  • Four core requirements: written incident response program (with 30-day client notification obligation), vendor service provider oversight, written policies and procedures, and annual review
  • The Reg S-P Readiness Checklist covers all four pillars and maps them to specific vendor agreements: Redtail, Wealthbox, Schwab, Fidelity, eMoney, DocuSign — most already have appropriate breach notification provisions in their agreements
  • Most common gaps: no written breach response plan, vendor agreements never reviewed, orphaned employee access not revoked
  • Build sequence: Vendor inventory + DPA review (Week 1) → Incident response plan + security documentation (Week 2) → Policies + access audit (Week 3) → Annual review + final checklist (Week 4) → June 3 deadline

Need help completing the compliance gap analysis before June 3rd? Book a discovery call with the Systemaic team.