Reminder: “Smaller Entities” Must Comply with Amended Regulation S-P by June 3, 2026
Publish Date: 2026-05-20 19:12:00
Source Domain: www.dwt.com
“Smaller entities” subject to Regulation S-P (Reg S-P) have just three weeks remaining—by June 3, 2026—to comply with new cybersecurity and data breach-related requirements introduced by amendments to the regulation in 2024. Reg S-P applies to broker-dealers, registered investment advisers (RIAs), investment companies (funds), funding portals (crowdfunding intermediaries), and transfer agents regulated by the Securities and Exchange Commission (SEC) (collectively, covered institutions). The amendments require each covered institution to establish an incident response program, establish procedures to notify customers of certain data breaches within 30 days, oversee service providers, and maintain compliance documentation.
The SEC has identified compliance with Reg S-P as a priority for regulatory examinations in fiscal year 2026. Among other things, the SEC’s Division of Examinations will assess whether covered institutions “have developed, implemented, and maintained policies and procedures in accordance with the rule’s new provisions that address administrative, technical, and physical safeguards for the protection of customer information.”
Overview of Reg S-P
Reg S-P was first adopted by the SEC in 2000 to implement the data privacy and security provisions of the Gramm-Leach-Bliley Act (GLBA). The regulation includes various privacy-focused requirements, which are similar to those in GLBA implementing regulations issued by the Consumer Financial Protection Bureau and Federal Trade Commission for other types of financial institutions. Those privacy-focused requirements include obligations to deliver privacy notices to consumers and to provide consumers an opportunity to opt out of certain disclosures of nonpublic personal information to non-affiliated third parties.
Reg S-P also requires covered institutions to adopt policies and procedures with administrative, technical, and physical safeguards reasonably designed to protect customer…