What Changed — and Why June 3 Is the Real Deadline
The SEC adopted amendments to Regulation S-P on May 16, 2024. The final rule was published in the Federal Register on June 3, 2024 and became effective August 2, 2024. Larger covered institutions (for investment advisers, those with $1.5 billion or more in assets under management) had 18 months from Federal Register publication to comply, which put their deadline at December 3, 2025.
Smaller RIAs got an extended runway: 24 months from Federal Register publication, landing on June 3, 2026. That date is not a soft target. The SEC has already brought enforcement actions under the original Reg S-P safeguards rule, and the amended rule gives examiners a much more specific checklist to run through on your next exam.
If you manage client assets, custody client data in any form, or use any third-party software that touches client information, this rule applies to you — regardless of how small your firm is.
Three Things Every Small RIA Must Have in Place by June 3
(a) Written Incident Response Program
The amended rule requires written policies and procedures that include an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. "Written" is the operative word: a verbal understanding of what you would do in a breach is not sufficient. The program may be scaled to your firm's size and complexity, but it must exist as a documented policy.
At minimum, the IRP needs to define: who is responsible for declaring an incident, how you assess the nature and scope of what happened, how you isolate affected systems and contain the incident, how you preserve evidence, how you communicate internally, and how you trigger the customer notification process. If your firm has no IT staff, the IRP needs to name the external provider (that's us) who covers those functions and spell out how they get engaged.
(b) 30-Day Customer Notification
If sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, affected individuals must be notified as soon as practicable and no later than 30 days after the firm becomes aware of the incident. Not 30 business days. Calendar days. The only way out of the notice is a documented, reasonable investigation concluding that the information has not been and is not reasonably likely to be used in a way that would cause substantial harm or inconvenience, and that conclusion has to be defensible on your exam.
The notice must describe the incident in general terms, identify the type of sensitive customer information involved, give the date or estimated date range of the incident, provide contact information for follow-up, and recommend that the customer review account statements, consider placing a fraud alert, and obtain free credit reports. You need a template drafted and a process mapped before an incident happens, not during one. Thirty days sounds like a lot until your firm is in the middle of an active incident and your attorney is asking for a draft notification on day two.
(c) Vendor and Service Provider Oversight
Any third party that receives, maintains, processes, or otherwise has access to customer information through the services it provides to your firm is a service provider under the rule. You must have written policies and procedures for overseeing those providers, through due diligence and ongoing monitoring, to make sure they take appropriate measures to protect customer information and that they notify your firm as soon as possible, and no later than 72 hours, after becoming aware of a breach of that information. In practice the way you make that enforceable is a written contract or security addendum that carries those obligations.
That means your CRM, your portfolio management software, your cloud storage, your custodian portals, your document management system, and any other tool that stores or processes client data needs a signed agreement with security and breach-notification language, plus a record of the diligence you did before and after signing. If you're using a vendor that won't sign one, that's a vendor risk you need to document and address.
What the SEC Is Actually Looking for in an Exam
SEC examiners don't just want to see a policy document. Based on current exam priorities and prior enforcement patterns, here is what they are likely to request:
- Your written IRP — with a version date and evidence it has been reviewed in the past 12 months
- Tabletop exercise records — documentation that you have actually walked through a simulated incident with your team or your IT provider
- Staff training records — who was trained, on what, and when
- Vendor contracts — for every third party with access to customer data, including the security and notification clauses
- Evidence of notification capability — how you would actually execute the 30-day notification, including who owns it and what template you would use
If you can't produce any one of those in the first 24 hours of an exam request, you are behind.
What Most Small RIAs Are Missing Right Now
Based on what we see when we onboard financial services clients, the gaps are consistent:
- No written IRP at all. Many small RIAs have never documented their incident response process. Some have a generic cybersecurity policy that doesn't address incident handling specifically.
- Custodian portals and portfolio tools with no security addendum. Firms access Schwab, Fidelity, or Orion daily with nothing beyond a standard click-through user agreement. That gives you no documented due diligence, no security commitments, and no 72-hour breach notification obligation back to your firm, which is what the amended rule expects you to be able to show.
- No tabletop exercise ever run. A written IRP that has never been tested is a document, not a program. The SEC wants evidence of testing.
- No BYOD policy covering personal devices that access client data. If advisers are checking their CRM or custodian portal from a personal phone or home laptop, that device is now in scope and needs to be addressed in your written program.
- No notification template or process owner. When an incident happens, someone needs to own the 30-day clock. That person, that process, and that template need to exist before you need them.
How Primetime IT Helps RIAs Meet the Technical Side of Reg S-P
Reg S-P compliance has two layers: the written program and the technical controls that back it up. Your compliance attorney handles the written program. We handle the controls — and we document everything in a format your attorney can map directly to the rule.
For RIA clients, we deploy and manage:
- MFA on every system — custodian portals, CRM, email, cloud storage, remote access
- Endpoint protection via SentinelOne on all firm-managed devices, with policy documentation for BYOD
- Encrypted, tested backups — with documented recovery time objectives your IRP can reference
- Email security — anti-phishing, anti-spoofing, and domain protection
- Vendor security review — we help you identify every third party with data access and flag which ones need a security addendum
- Tabletop exercise facilitation — we run a structured tabletop with your team and produce written documentation of the exercise for your exam file
We are not a compliance firm and we don't replace your attorney. What we do is make sure that when your attorney writes "the firm maintains MFA, encrypted backups, and endpoint protection on all systems," it's actually true — and provable.
June 3 is close. If you don't have a written IRP, vendor contracts with security language, or a tested notification process, the time to fix that is now — not after an exam notice arrives.
Book a 30-minute call. We'll review your current environment, identify your specific gaps relative to the Reg S-P requirements, and tell you exactly what needs to be in place before the deadline.