The amended SEC Regulation S-P is now fully in force for every covered firm. It requires a written incident response program, customer notification within 30 days of discovering a breach of sensitive customer information, oversight of service providers, and recordkeeping to prove all of it. Larger entities had to comply by December 2025; smaller entities by June 3, 2026. The SEC has named Reg S-P an examination priority, which means the question is no longer whether your program exists on paper but whether it works on a clock.
What does the amended Reg S-P actually require?
Four things, in plain language. First, a written incident response program: documented, adopted, and specific to your firm, covering how you detect, assess, contain, and recover from unauthorized access to customer information. Second, customer notification within 30 days of becoming aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Third, service provider oversight: if a vendor touches customer information, you need reasonable assurance they will protect it and tell you when something goes wrong. Fourth, recordkeeping: evidence that the program exists and that you followed it.
Why is the 30-day clock harder than it sounds?
Because the clock starts at discovery, not at the end of your investigation. Thirty days must cover confirming what happened, determining whose information was involved, deciding what the notice says, and getting it out the door. Firms that have never rehearsed this discover that each step takes longer than expected: logs are incomplete, the vendor is slow to answer, nobody is sure who approves the notice.
Detection is the hidden half of the problem. If an incident sits unnoticed for weeks, your practical response window shrinks before the clock officially starts. Around-the-clock monitoring and disciplined alerting, the core of a real cybersecurity and compliance program, are what make a 30-day commitment achievable rather than aspirational.
What does service provider oversight mean for your IT vendor?
It means your IT provider is now part of your regulatory posture. You are expected to have reasonable oversight of vendors that handle customer information, including arrangements for them to notify you promptly when an incident touches your data, because their delay becomes your violation. Ask your provider two questions in writing: how quickly will you tell us about an incident affecting our data, and what evidence do you maintain that we could hand to an examiner? A provider who cannot answer crisply is a finding waiting to happen. This is a core part of how we run IT for financial services firms.
What should your firm verify right now?
Five checks, none of which require a consultant to start. One: the incident response program is written, current, and names actual people, not titles that no longer exist. Two: someone has run a tabletop exercise against the 30-day clock in the last year. Three: your customer information inventory is accurate enough to determine, quickly, whose data an incident touched. Four: every vendor with access to customer information has notification obligations in the contract. Five: the records you would show an examiner exist today, not after a scramble.
If any of those checks fails, that is your starting list. With Reg S-P named an exam priority, the firms that treat this as an operating discipline rather than a document will be the ones that come through an exam, or an incident, without drama.
