For smaller firms subject to the SEC’s amended Regulation S-P requirements, the June 3, 2026, compliance deadline is now just weeks away.
Smaller entities, including RIAs with less than $1.5 billion in assets under management, will soon be required to comply with expanded expectations around safeguarding customer information, incident response procedures, vendor oversight, and recordkeeping.
As firms finalize their preparations, now is the time to identify any remaining gaps and ensure processes are documented, operational, and understood internally.
What’s Changing Under the Amended Rule?
The updated Regulation S-P requirements are designed to strengthen how financial firms protect customer information and respond to data security events.
While larger firms have already reached their compliance deadline, smaller entities must now comply by June 3, 2026.
The amendments introduce several major expectations, including:
- Written incident response programs
- Procedures for detecting and responding to unauthorized access
- Customer notification requirements following certain breaches
- Expanded oversight of third-party service providers
- Additional recordkeeping obligations
- Enhanced safeguards for customer information
The SEC has also made clear that cybersecurity preparedness and operational resiliency remain examination priorities. Firms should expect regulators to look beyond whether policies exist and focus more heavily on whether procedures are actionable, documented, and consistently followed.
What Small Firms Should Be Doing Right Now
With the deadline approaching, firms should focus on practical action items that help close any remaining gaps.
Review and Update Written Policies
Policies should reflect the amended requirements, including how the firm:
- Detects and responds to incidents
- Escalates cybersecurity events internally
- Determines whether customer notification is required
- Documents response efforts
Firms should also ensure procedures are specific to their operations and realistic for employees to follow.
Evaluate Incident Response Readiness
One of the most important questions firms should ask is simple:
“If an incident happened tomorrow, would we know exactly what to do?”
Firms should identify:
- Who is responsible for incident escalation
- How incidents are documented
- Who communicates with vendors
- How customer notifications would be handled
- What records must be retained
Even firms outsourcing IT support remain responsible for their response procedures.
Review Vendor Oversight
The amendments place additional emphasis on service providers and third parties that handle customer information.
Firms should review:
- Existing vendor agreements
- Cybersecurity expectations and responsibilities
- Breach notification timelines
- Whether vendors maintain appropriate safeguards
For many smaller firms, this may require formal conversations with outside IT or technology providers that have not previously taken place.
Document Everything
One of the biggest risks for firms is assuming that “doing the work” is enough on its own. Regulators will likely expect firms to show evidence of policy updates, vendor reviews, training, oversight efforts, and incident response planning. If actions are not documented, firms may struggle to demonstrate compliance during examinations.
Final Steps Before the Deadline
As the compliance date approaches, firms should be using this final stretch to review remaining gaps, confirm procedures are operational, and ensure documentation is in place.
The firms in the strongest position heading into June are not necessarily the ones with the largest compliance departments. They are the firms actively reviewing procedures, identifying gaps, documenting decisions, and preparing employees now.