
June 3, 2026 is not a planning date. It is the enforcement date. If your firm has not updated its privacy and data safeguarding policies, you are out of compliance today.
What Changed And Why It Matters
The SEC’s amended Regulation S-P governs the privacy of consumer financial information and the safeguarding of customer data. Small broker-dealers and registered investment advisers (RIAs) had two years to prepare. That runway is closed.
Large entities were required to comply by December 3, 2025. Small entities received an additional six months. That extension has now expired. Firms that have not acted face potential enforcement action, reputational damage, and severe civil liability in the event of a data breach.
Key Compliance Dates
- June 3, 2024 — Final rule published in the Federal Register
- August 2, 2024 — Technical correction effective date
- December 3, 2025 — Large entity compliance deadline (already passed)
- June 3, 2026 — Small entity compliance deadline for broker-dealers and RIAs
The 5 Pillars of the Amended Reg S-P
The 2024 amendments are the most significant overhaul of this rule since its original adoption in 2000. Here is what every small broker-dealer and RIA must now have in place.
1. Incident Response Program with 30-Day Notification: Firms must maintain a documented incident response program. Affected individuals must be notified within 30 days of discovering a breach of sensitive customer information. This is a brand-new, strictly enforceable obligation with no precedent in prior Reg S-P guidance.
2. Written Safeguards and Disposal Policies: The Safeguards Rule and Disposal Rule now explicitly extend to all customer information held by or on behalf of your firm. Policies must be written, adopted, and fully implemented, not documents sitting unused in a compliance folder.
3. Expanded Scope to All Covered Institutions: The rule now expressly covers broker-dealers, investment advisers, investment companies, and transfer agents. Prior ambiguity about who is covered has been eliminated.
4. Third-Party Service Provider Oversight: Firms must contractually require all service providers who receive customer information to implement appropriate safeguards. Your data security program must extend to every vendor and sub-processor you use.
5. Annual Review and Senior Management Reporting: The safeguards program must be reviewed at least annually, and results must be formally reported to senior management or the board of directors.

What Your Written Information Security Program Must Include
If your existing policies predate the 2024 amendments, assume they are insufficient without a full review. A compliant program must address all of the following:
- Risk assessment — a documented, periodic evaluation of internal and external threats to customer information
- Access controls and authentication — policies governing who can access data, under what conditions, and how access is revoked
- Encryption standards — requirements for encrypting customer data both in transit and at rest
- Disposal policy — written procedures for secure destruction of electronic and physical customer records
- Incident response plan — a documented process for identifying, containing, and recovering from security incidents, including the 30-day notification trigger
- Vendor agreements — written contractual provisions requiring all third parties handling customer data to maintain appropriate safeguards
- Employee training — annual training for all staff with access to customer information, covering security policies, phishing awareness, and incident reporting
- Monitoring and testing — regular system monitoring and periodic penetration testing and vulnerability assessments
- Annual review and reporting — a formal annual review with results documented and reported to firm leadership
6 Processes Most Small Firms Still Need to Build
Even firms with legacy privacy policies likely have gaps in these six areas:
- Breach detection and triage — a documented internal process for detecting and escalating suspected incidents before the 30-day clock starts
- Customer notification templates — pre-drafted letters for breach scenarios, reviewed by counsel, so your window isn’t consumed by drafting under pressure
- Vendor inventory and contract review — a complete inventory of all third parties with access to customer data, with contracts updated to include required safeguard provisions
- Annual program review calendar — a scheduled review cycle with assigned owners and a reporting template for senior management
- Disposal verification log — a record of when and how customer information was destroyed, for use in exams and investigations
- Privacy notice update — a review of your annual privacy notice to ensure it accurately reflects current data-sharing practices
Who This Applies To
- Small broker-dealers
- Registered investment advisers (RIAs)
- Investment companies
- Transfer agents
- Any covered institution under 17 CFR Parts 270 and 275
The Bottom Line
The deadline is June 3, 2026. Firms that have not acted are exposed to examination findings, enforcement action, and civil liability. Review your policies, assess your gaps, and consult qualified securities counsel regarding your firm’s specific obligations.
If you would like to talk through where your firm stands, MCG Consulting is here to help.