Legacy Core Trust Brief
SEC Reg S-P: Small RIAs Had a June 3 Compliance Deadline
As of June 3, 2026, SEC-registered investment advisers under $1.5B AUM must maintain a written incident response program and notify clients within 30 days of a qualifying breach. This Trust Signal is to document your IRP — not just draft it.
- Regulation
- Small Business Risk
Most relevant to: Financial Advisers, Professional Services
What Changed
Amended SEC Regulation S-P (adopted May 15, 2024) required smaller registered investment advisers to comply by June 3, 2026 — including a written incident response program, 30-day client notification, vendor incident reporting, and five-year record retention.
Why It Matters for Small Businesses
Regulators and clients increasingly expect documented response programs, not informal plans. Firms that cannot produce IRP documentation face examination and enforcement risk separate from any cyber incident.
What To Do This Month
- Confirm your written incident response program is adopted, dated, and assigned to a responsible owner.
- Document how you will notify affected clients within 30 days of discovering a qualifying breach.
- Require service providers to report security incidents within 72 hours in written contracts.
- Retain incident records, investigations, and notifications for at least five years.
- Review whether your readiness evidence is organized enough for an SEC examination.
Legacy Core Trust Tip
Legacy Core credentials documented readiness — not Reg S-P compliance. Use Bronze to establish a verifiable baseline, then work with an Alliance Partner on the evidence Silver and Gold require.