Financial Advisers (Small RIAs)
SEC-registered investment advisers managing under $1.5 billion AUM
Binding framework
Amended SEC Regulation S-P (adopted May 15, 2024; small-entity compliance June 3, 2026)
As of June 3, 2026, every SEC-registered investment adviser — regardless of size — must maintain a written incident response program and notify affected clients within 30 days of a qualifying data breach.
Key obligations (summary)
- Written incident response program covering detection, response, and recovery
- Notify affected clients within 30 days of discovering a breach of sensitive customer information
- Service provider oversight with 72-hour vendor incident reporting requirements
- Five-year retention of incidents, investigations, notifications, and IRP documentation
How Legacy Core fits
Legacy Core provides a public readiness credential and Standards Release record. It does not satisfy Reg S-P books-and-records obligations or substitute for SEC examination readiness.
Do not claim
- · Legacy Core credential equals Reg S-P compliance
- · Published per-violation SEC fine for Reg S-P (not found)
Primary sources
Confidence: HIGH. Last reviewed 2026-07-13.