
Regulation S-P 2026 IT Security Implementations for RIAs: Compliance Required by June 3rd, 2026
1. Privacy Notices
Firms must provide customers with clear notices explaining:
- What personal information is collected
- How it is used and shared
- Whether it is disclosed to non-affiliated third parties
- The customer’s right to opt out of certain information sharing arrangements
2. Safeguards Rule
Organizations must maintain written policies and procedures designed to:
- Protect the confidentiality of customer information
- Prevent unauthorized access
- Protect against anticipated threats and hazards
- Ensure administrative, technical, and physical security controls are in place
3. Disposal Rule
Customer information and consumer report information must be securely destroyed when no longer needed, preventing unauthorized access during disposal.
Major 2024 Amendments
The SEC significantly strengthened Regulation S-P in 2024 to address modern cybersecurity threats. The amendments require covered firms to:
- Implement a written incident response program
- Detect, respond to, and recover from data breaches
- Notify affected individuals when sensitive customer information is compromised
- Maintain detailed compliance records
- Oversee service providers that handle customer data
- Expand protections to additional categories of customer information and transfer agents







