Legacy Core™

Regulatory context

Financial Advisers (Small RIAs)

SEC-registered investment advisers managing under $1.5 billion AUM

Binding framework

Amended SEC Regulation S-P (adopted May 15, 2024; small-entity compliance June 3, 2026)

As of June 3, 2026, every SEC-registered investment adviser — regardless of size — must maintain a written incident response program and notify affected clients within 30 days of a qualifying data breach.

Key obligations (summary)

  • Written incident response program covering detection, response, and recovery
  • Notify affected clients within 30 days of discovering a breach of sensitive customer information
  • Service provider oversight with 72-hour vendor incident reporting requirements
  • Five-year retention of incidents, investigations, notifications, and IRP documentation

How Legacy Core fits

Legacy Core provides a public readiness credential and Standards Release record. It does not satisfy Reg S-P books-and-records obligations or substitute for SEC examination readiness.

Do not claim

  • · Legacy Core credential equals Reg S-P compliance
  • · Published per-violation SEC fine for Reg S-P (not found)

Primary sources

Confidence: HIGH. Last reviewed 2026-07-13.

Boundary

What a Legacy Core credential does not attest to

A Trust Badge documents demonstrated readiness against a dated Standards Release (assessment basis: NIST CSF 2.0 and CIS Controls v8). It is not a substitute for industry-specific legal or regulatory obligations.

  • FTC Safeguards Rule or WISP compliance (CPAs / tax preparers)
  • HIPAA compliance or OCR audit readiness (medical / dental)
  • ABA or State Bar ethics sign-off (attorneys)
  • SEC Regulation S-P compliance (investment advisers)
  • NAIC Insurance Data Security Model Law (including in California — not adopted)
  • CCPA cybersecurity audit certification (threshold-gated regulation)
  • Cyber insurance approval or claim guarantee
  • Penetration test, SOC 2, CMMC, or government endorsement

Legacy Core is aligned with NIST CSF 2.0 and CIS Controls v8. Legacy Core is not affiliated with, endorsed by, or accredited by NIST, CIS, or any government agency. Tracking a framework does not constitute a determination of legal or regulatory compliance.

Industry-specific obligations by vertical: Regulatory context guides

Financial Advisers (Small RIAs) — Regulatory Context | Legacy Core | Legacy Core