What Happened?
The final compliance deadline of Amended Regulation S-P (“Reg S-P”) is finally here. For smaller entities, who manage less than $1.5B in AUM, there are less than two months until the June 3, 2026, deadline. The deadline has already passed for larger entities (Dec. 3, 2025), and the SEC has made it clear through a series of webinars, including one specifically aimed at smaller firms, that this new requirement is a priority. The 2026 Examination Priorities even named Amended Reg S-P as a focus area for examinations, and one of the few enforcement actions in 2025 was based on failures under the prior version of Reg S-P. Transparency has been a goal of the SEC under Chairman Atkins, and the SEC appears to be completely transparent here: firms must be compliant with Amended Reg S-P by the deadline.
Requirements
The Amendments to Reg S-P treat Registered Investment Advisers (“RIAs”) as “covered institutions” under the rule. At a high level, covered institutions must adopt the following:
For more on Amended Reg S-P’s requirements, view our detailed flash report here.
Key Challenges with Compliance
Fairview recently joined Tracy Soehle, Associate General Counsel, of the Investment Adviser Association for a webinar on some of the most challenging aspects of Amended Reg S-P. These are also some of the most time-consuming aspects for compliance programs. If you are still preparing, you may want to consider these as you make a plan:
Understanding Customer and Sensitive Information
Amended Reg S-P is focused on customer information, which is very broad—and broader than some advisers may realize. Customer information refers to any record containing nonpublic personal information about a consumer, who is a customer of your firm, OR a customer of any other institution where the information has been shared with your firm.
Make sure to map out the location of both customer and sensitive information.
72-Hour Notification Requirement
Service providers unfamiliar with or unsympathetic to the requirements of covered institutions might make no effort to help a covered institution meet this requirement. They may be unwilling to amend their contract to provide notice within the 72-hour period.
Document all efforts made to ensure service providers will send notice to you within 72 hours of a breach. While you cannot control what each service provider will do, you will want to be able to demonstrate to SEC examiners that you have made every effort to meet this requirement.
Data Mapping and Risk Identification
Data mapping was not in the final rule, but the SEC has made clear through its webinars that thorough data mapping and risk identification are best practices. According to SEC examiners, some proof of a risk assessment will be requested in exams focused on Amended Reg S-P.
Advisers should be sure to complete these exercises to gain a complete understanding of the systems in use and the types of information those systems touch. This helps firms gain a better understanding of where data resides. Advisers can turn to common frameworks like NIST and the CIS benchmarks to help guide these exercises.
Adopting and Implementing Policies and Procedures
Although firms may have related policies and procedures already in place, “incident response” has been used as a synonym for business continuity and disaster recovery prior to Amended Reg S-P. Existing Incident Response Plans and Vendor Due Diligence policies related to prior rules will no longer suffice under these new requirements.
All written policies and procedures must be updated for Amended Reg S-P.
Documentation and Recordkeeping
Amended Reg S-P’s recordkeeping requirements range from written policies and procedures to documentation of investigations and determinations regarding whether customer notification is needed for a given incident. The challenge is getting all of it completed every single time it is required.
Train personnel and test your procedures to ensure documentation is created and maintained. Implement your policies and procedures to capture these records and test this activity to make sure your compliance program is adequate and effective.
Understanding Private Fund Requirements
Private Funds themselves are excluded from Amended Reg S-P. However, Managers of Private Funds that are Registered Investment Advisers are in scope as Registered Investment Advisers. Like any covered institution, if the firm collects or receives customer information of its customers or any institution’s customers, then that customer information is in scope for Amended Reg S-P.
If you have natural persons as investors in private funds, such as individuals that are limited partners in a fund, you’ll need to comply with Amended Reg S-P for all the customer information you receive about them.
Coordinating with IT Providers
IT Providers can be invaluable when it comes to having the technical expertise needed when facing an incident. However, some IT providers may have an incomplete understanding of “customer information” and the nuances of Amended Reg S-P. In practice, many are treating incident response through the lens of general data security, rather than aligning incident response to the specifics of the new rule.
IT Providers are excellent at understanding data flows and could be a great resource to work through data mapping and risk identification. But most will need guidance in meeting the additional requirements unique to covered institutions under Amended Reg S-P.
What does this mean for me?
If you are not ready to comply with Amended Reg S-P, we recommend that you work swiftly to become compliant between now and June 3, 2026. These new requirements can be very time-consuming, call for technical understanding, and demand coordination with your service providers. Our team of SEC cyber experts provides full support for all aspects of Amended Reg S-P. If you have questions or need support, let us know.