The compliance deadline for smaller investment advisers and broker-dealers under the SEC's amended Regulation S-P arrived June 3, per the National Law Review's overview. The amendments, adopted by the SEC in May 2024, require covered institutions to maintain written incident-response policies, notify affected individuals within 30 days of a breach involving sensitive customer information, and document detection and recovery procedures. Larger firms hit the same bar on December 3, 2025.
The rule applies specifically to "covered institutions" under the Investment Advisers Act and the Securities Exchange Act, which means SEC-registered RIAs, broker-dealers, transfer agents, and registered investment companies. State-registered advisers, family offices, and unregistered private funds are not directly covered, although many will adopt parallel policies as a matter of insurance underwriting. The smaller-firm cohort reaching its deadline this month (under $1.5 billion in advised assets for RIAs) is exactly the population least likely to have a written incident-response policy already in place, which is what SEC examiners will probe first.
The operationally meaningful change is the 30-day individual notice requirement. State-level notification windows have typically run 45 or 60 days, which left firms room to investigate scope before triggering disclosure. The federal 30-day clock starts when the firm "becomes aware" of unauthorized access, even before the full scope of the breach is established. Firms that have not built and tested a notification workflow will surface that gap the first time an incident hits.
Bottom Line
If you run a small RIA or broker-dealer and have not tested your incident-response and notice workflow, the SEC's first exam cycle for this rule starts now. The 30-day clock running before forensics finish is where most firms will discover the gap.