Getting Your House in Order for Regulation S-P

By: Aleksandar Vulovic, Chief Information Security Officer

Reg S-P: An operational readiness test for US investment managers

The SEC’s Regulation S‑P – Privacy of Consumer Financial Information and Safeguarding Customer Information is often discussed through the lens of cybersecurity and data privacy. While those elements are clearly central, the SEC’s amended rule represents something broader and more consequential for US investment managers: a shift in how firms are expected to organize, evidence and execute their operational response to risk.

As the June 2026 compliance deadline approaches, Reg S-P will increasingly expose how well firms have aligned their data, workflows and governance models around incident response and customer information protection. For many organizations, the challenge will not be the absence of policies but the ability to demonstrate that those policies work in practice.

What the SEC is really asking firms to prove

The amended Reg S-P introduces more prescriptive expectations around written information security policies, incident response planning, breach notification timelines, vendor oversight and long-term record retention. Taken together, these requirements signal a clear shift in regulatory posture.

The SEC is no longer focused solely on whether firms have considered cybersecurity risks in principle. Its amendments to Regulation S‑P are designed to ensure that firms can demonstrate, not merely assert, their ability to protect customer information and respond effectively to incidents.

Documentation is not ancillary under Regulation S‑P; it is a control in its own right. Firms must be able to reconstruct the decisions, actions and communications taken during and after an incident.

The SEC is asking firms to evidence preparedness – to show that incident response plans are documented, tested and actionable; that vendor relationships are governed and monitored; and that decisions, actions and communications can be reconstructed months or years after an event.

In short, Reg S-P moves firms from intent to proof.

Where Regulation S‑P tests firms in practice

In practice, many firms discover that Reg S-P readiness is constrained by operational realities rather than regulatory interpretation. Common pressure points include fragmented data spread across multiple systems, incident response plans that exist as static documents rather than embedded workflows, and unclear ownership when responsibilities span IT, compliance, operations and external providers.

Manual processes remain a particular risk. When incident logs, approvals, vendor communications and remediation actions are tracked across emails, spreadsheets and disconnected tools, it becomes difficult to act quickly or demonstrate control. Under a 30-day notification requirement, even modest inefficiencies can create material exposure.

Regulation S‑P doesn’t fail firms in theory – it fails them in moments:

  • When an incident spans multiple systems and ownership is unclear
  • When a service provider reports a breach late or incompletely
  • When teams cannot quickly determine whether sensitive customer information was involved
  • When notification decisions cannot be evidenced weeks or months later

Why getting your house in order matters now

With June 2026 approaching quickly, firms can no longer afford to treat preparation as a future exercise. Many organizations underestimate the dependencies involved. Incident readiness relies on clean, accessible data. Vendor oversight depends on consistent records and defined escalation paths. Record retention requires systems that can preserve evidence in a structured and defensible way.

These are not issues that can be resolved overnight. Firms that act now are better positioned to prioritize remediation, test their assumptions, and avoid last-minute disruption as deadlines draw closer.

What operational readiness actually looks like

Operational readiness under Reg S-P is not defined by a single control or technology. Instead, it reflects a set of characteristics that work together:

  • Clear ownership across functions, with defined roles during an incident.
  • Trusted data foundations that support accurate reporting and auditability.
  • Repeatable, tested workflows for incident response and escalation.
  • Structured vendor oversight that extends beyond contractual language.
  • Documentation that can withstand regulatory and investor scrutiny.

Firms that exhibit these traits are not only better prepared for Reg S-P but also more resilient to the broader operational and reputational risks that accompany data incidents.

Regulation as a catalyst, not a burden

Reg S-P should not be viewed as a narrow compliance exercise. It is a forcing function that encourages stronger operational discipline, clearer accountability and better use of data across the organization.

Firms preparing effectively for Regulation S‑P are not starting with notification templates or contracts. They are starting by clarifying ownership, simplifying data visibility, and ensuring that incident decisions can be made, and proven, under pressure.

How PBI can help

PBI works with US investment managers to strengthen the data, workflows and operational foundations that underpin regulatory readiness. From integrated data platforms to secure, managed infrastructure and practitioner-led support, we help firms move from policy to proof with confidence.

To find out more, get in touch with us or explore our solutions to see how we can support your firm.

Regulation S-P: Key Facts at a Glance

Compliance deadlines

Firm type                                  | Compliance deadline
Larger entities (e.g. firms with $1.5bn+ AUM) | 3 December 2025
All other covered firms                    | 3 June 2026

What’s changing?

Regulation S-P places responsibility squarely with the regulated firm, not its vendors. While third-party risk remains a critical consideration, the SEC’s amendments make clear that accountability for protecting customer information and responding to incidents cannot be outsourced.

Covered institutions include broker-dealers (including funding portals), investment companies, SEC-registered investment advisers, and transfer agents.

Firm-level requirements

Written Information Security Policy (WISP) (or equivalent)
  Reg S-P does not explicitly require a WISP; it requires written policies and procedures reasonably designed to safeguard customer information. Under the amended safeguards rule, those written policies and procedures must address:
  • Administrative safeguards (policies, governance)
  • Technical safeguards (access control, monitoring, etc.)
  • Physical safeguards
  • Incident response procedures
  • Vendor/service provider oversight
  In practice, most firms implement a WISP (or equivalent) because it is the simplest way to demonstrate compliance.

Incident Response Plan (IRP)
  Written policies and procedures must include an incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information, including procedures to assess the incident, contain and control it, and provide the required notices. Many firms validate these procedures through tabletop exercises and operational drills. (This is a recommendation, not a Reg S-P mandate.)

Breach notification
  With certain limited exceptions, covered institutions must provide notice as soon as practicable, but not later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice is not required if, after a reasonable investigation, the institution determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. That determination, and the investigation behind it, should itself be documented, since it is the evidence a firm will be asked for later.

Notice must include
  Notices must include incident details, what data was involved, contact information, and guidance to help individuals protect themselves (e.g. fraud alerts, credit report steps, and FTC/usa.gov identity theft resources).

Privacy notices
  Reg S-P retains its initial and annual privacy notice requirements, subject to a statutory exception to the annual notice in certain circumstances.

Record retention
  Covered institutions must maintain written records evidencing compliance with the amended safeguards and disposal requirements. The applicable retention period depends on the institution type and the relevant SEC recordkeeping rule; under Regulation S-P, certain covered institutions must preserve these records for not less than six years, with the first two years maintained in an easily accessible manner.

Vendor-specific requirements

Vendor breach notification
  Regulation S-P requires covered institutions to ensure that service providers notify the firm as soon as possible, and in any event no later than 72 hours, after becoming aware of a security breach resulting in unauthorized access to a customer information system maintained by the service provider.

Ongoing oversight
  Regulation S-P makes one point unambiguous: while incidents may occur at service providers, accountability does not transfer. Firms remain responsible for oversight, response, notification and evidence.
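The two timelines above (30 days for the firm's notice to individuals, 72 hours for a service provider's notice to the firm) are simple to state but, as the body of this article argues, hard to evidence when the record lives in email threads. The following Python is an added illustration written for this page; it is not PBI software and not anything the SEC publishes. It assumes a minimal incident record of timestamped events, that the firm's 30-day clock starts at its own "firm aware" event and the provider's 72-hour clock at the provider's own "vendor aware" event, event names and actors that are this example's own, a constructed timeline, and a SHA-256 digest over the canonical timeline as the way a retained record is later checked for alteration.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Windows as summarised in the tables on this page.
FIRM_NOTICE_WINDOW = timedelta(days=30)     # firm's notice to affected individuals
VENDOR_NOTICE_WINDOW = timedelta(hours=72)  # service provider's notice to the firm

# Event kinds are this example's own vocabulary, not terms from the rule.
VENDOR_AWARE = "vendor_aware"                         # provider became aware of the breach
VENDOR_NOTIFIED_FIRM = "vendor_notified_firm"         # provider told the firm
FIRM_AWARE = "firm_aware"                             # firm became aware; starts the 30-day clock
NO_NOTICE_DETERMINATION = "no_notice_determination"   # reasonable-investigation exception invoked
INDIVIDUALS_NOTIFIED = "individuals_notified"         # notices went out


@dataclass(frozen=True)
class Event:
    ts: datetime     # timezone-aware, normalised to UTC
    kind: str
    actor: str       # who acted or decided, so the decision can be reconstructed later
    detail: str      # rationale or reference to the supporting record


@dataclass
class IncidentRecord:
    incident_id: str
    events: list[Event] = field(default_factory=list)

    def add(self, ts: datetime, kind: str, actor: str, detail: str) -> None:
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self.events.append(Event(ts.astimezone(timezone.utc), kind, actor, detail))
        self.events.sort(key=lambda e: e.ts)

    def first(self, kind: str) -> datetime | None:
        return next((e.ts for e in self.events if e.kind == kind), None)

    def firm_notice_deadline(self) -> datetime | None:
        aware = self.first(FIRM_AWARE)
        return None if aware is None else aware + FIRM_NOTICE_WINDOW

    def vendor_notice_delay(self) -> timedelta | None:
        """Time the provider took to tell the firm; None if either event is missing."""
        start, end = self.first(VENDOR_AWARE), self.first(VENDOR_NOTIFIED_FIRM)
        return None if start is None or end is None else end - start

    def status(self, now: datetime) -> dict:
        """Where the firm stands against both clocks at time `now`."""
        deadline = self.firm_notice_deadline()
        notified = self.first(INDIVIDUALS_NOTIFIED)
        delay = self.vendor_notice_delay()
        if deadline is None:
            firm = "no_firm_aware_event"
        elif self.first(NO_NOTICE_DETERMINATION) is not None:
            firm = "notice_not_required"
        elif notified is not None:
            firm = "notified_on_time" if notified <= deadline else "notified_late"
        else:
            firm = "open" if now <= deadline else "overdue"
        return {
            "incident_id": self.incident_id,
            "firm_notice_deadline": None if deadline is None else deadline.isoformat(),
            "firm_notice_status": firm,
            "vendor_notice_hours": None if delay is None else round(delay.total_seconds() / 3600, 1),
            "vendor_notice_late": None if delay is None else delay > VENDOR_NOTICE_WINDOW,
        }

    def evidence_digest(self) -> str:
        """SHA-256 over the canonical timeline. Store it alongside the retained record so a
        reviewer years later can confirm the timeline was not edited after the fact."""
        canonical = json.dumps(
            [[e.ts.isoformat(), e.kind, e.actor, e.detail] for e in self.events],
            separators=(",", ":"),
        )
        return hashlib.sha256(canonical.encode()).hexdigest()


def build_sample_incident() -> IncidentRecord:
    """Constructed timeline for illustration only; not a real incident."""
    utc = timezone.utc
    rec = IncidentRecord("INC-EXAMPLE-001")
    rec.add(datetime(2026, 7, 1, 9, 0, tzinfo=utc), VENDOR_AWARE, "provider", "provider SOC ticket")
    rec.add(datetime(2026, 7, 5, 10, 0, tzinfo=utc), VENDOR_NOTIFIED_FIRM, "provider", "email to firm CISO")
    rec.add(datetime(2026, 7, 5, 10, 0, tzinfo=utc), FIRM_AWARE, "ciso", "opened incident on receipt")
    rec.add(datetime(2026, 7, 28, 16, 0, tzinfo=utc), INDIVIDUALS_NOTIFIED, "compliance", "mailing completed")
    return rec


def sample_status() -> dict:
    return build_sample_incident().status(datetime(2026, 8, 10, tzinfo=timezone.utc))


def digest_changes_when_timeline_edited() -> bool:
    rec = build_sample_incident()
    before = rec.evidence_digest()
    rec.add(rec.events[-1].ts, "amendment", "ops", "note added after the fact")
    return before != rec.evidence_digest()


if __name__ == "__main__":
    print(json.dumps(sample_status(), indent=2))
    print("digest:", build_sample_incident().evidence_digest())
```

On the constructed timeline the provider took 97 hours to report, so the vendor clock is flagged as late even though the firm's own 30-day notice (deadline 4 August 2026, 10:00 UTC) was met. That is exactly the "service provider reports a breach late" moment described earlier: the firm stays responsible for the individual notice, and the record needs to show both that the firm met its clock and that the provider missed theirs.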

Get In Touch

Hello@Portfoliobi.com