Reg S-P in plain English

The SEC rewrote the customer-data rulebook in 2024. Here's what it actually asks of you — without the citations and cross-references.

Securidigm · June 2026 · ~6 min read

Regulation S-P has governed how SEC-registered firms handle customer information since 2000. In May 2024 the SEC amended it substantially, and as of June 3, 2026 the amendments are in force for every covered firm — large and small. If you're a registered adviser, broker-dealer, fund, or transfer agent, this is now the baseline an examiner expects to see.

Who's covered

The rule applies to "covered institutions": broker-dealers, SEC-registered investment advisers, investment companies (funds), and transfer agents. The 2024 amendments widened the net — most notably, transfer agents are now squarely included, and the definition of the information you must protect was broadened.

The four things it now requires

1. A written incident-response program

You must have a documented program, built into your written policies and procedures, designed to detect, respond to, and recover from unauthorized access to or use of customer information. "We'd figure it out" is no longer a defensible answer — the plan has to exist on paper, before an incident.

2. A 30-day customer-notification rule

If sensitive customer information was — or was reasonably likely to have been — accessed or used without authorization, you must notify affected individuals as soon as practicable, and no later than 30 days after becoming aware of the incident. The notice has to tell people what happened and what they can do about it. This is the change with teeth: it puts a clock on every incident.

3. Service-provider oversight

You're responsible for the vendors who touch your customers' data. The rule expects you to take reasonable steps to ensure service providers protect that information and notify you promptly — generally within 72 hours — if they suffer a breach, so your own 30-day clock can start on time.

4. Recordkeeping

You have to document the program and keep records showing it operates — the assessments, the policies, the notifications. If it isn't written down, from an examiner's perspective it didn't happen.

What changed about "sensitive information"

The amendments expanded what counts as protectable customer information and clarified that it includes information you receive about another institution's customers. The practical effect: more of your data is in scope than under the old rule.

The deadlines (now behind us)

Compliance was phased by size. Larger entities — funds with $1B+ in net assets, advisers with $1.5B+ in AUM, and broker-dealers and transfer agents that aren't "small" — had until December 3, 2025. Everyone else had until June 3, 2026. Both dates have passed, so the question is no longer "when," it's "can you show it."

What "good" looks like

Note

This is a plain-language overview, not legal advice. Regulatory applicability and the exact wording of your obligations should be confirmed against the current rule text with your counsel.

Not sure you'd pass?

A Securidigm assessment maps your controls straight onto the Reg S-P requirements and shows you exactly where the gaps are — with the registers, the clock, and the documents built.

Securidigm provides advisory cybersecurity services and prepares draft documents. It does not provide an audit, a certification, or legal advice. This article is general information, not advice for your situation, and no outcome is guaranteed.