
Regulation S-P

Regulation S-P is the SEC rule governing how investment advisers and broker-dealers protect client nonpublic personal information and respond to incidents. The 2024 amendments significantly expanded the rule, requiring written cybersecurity policies, customer notification within ...

What the rule covers

Regulation S-P has three pillars after the 2024 amendments:

  • Privacy notice — annual disclosure of the firm's information-sharing practices.
  • Safeguards — written policies and procedures reasonably designed to protect customer information.
  • Incident response — written program for detecting, responding to, and recovering from unauthorized access or use of customer information.

The 2024 amendments

  1. Written incident response program required.
  2. Customer notification within 30 days of when the firm becomes aware of unauthorized access likely to cause substantial harm.
  3. Specific notification content requirements (what happened, what data, what the firm is doing).
  4. Compliance dates: December 2025 for larger advisers, June 2026 for smaller advisers.

What examiners check

  • The written incident response program — does it exist and is it specific to the firm?
  • Tabletop exercises or other tests of the program.
  • Vendor management — service providers handling customer data must be subject to oversight.
  • Annual employee training on safeguards.
  • Records of any incidents and the firm's response.

Common gaps

The most common deficiency in 2026 examinations: a generic policy template downloaded but never customized to the firm. Examiners recognize these immediately. The remediation is straightforward: review the template line by line, add firm-specific names, systems, and procedures, and run a tabletop exercise to verify it actually works.

How StratiFi thinks about Reg S-P

Cybersecurity is a discipline, not a document. The firms that hold up under examination are the ones with a written program that names specific people, specific systems, and specific decision rights — and that have run the program in a tabletop exercise. The 30-day notification clock is not a number to memorize; it is a workflow that must already exist when an incident occurs.

Frequently asked questions

  • When did the new Reg S-P amendments take effect?

    December 2025 for larger advisers (over $1.5B AUM) and June 2026 for smaller advisers. Firms had a transition period to implement written incident response programs.
  • What's the customer notification requirement?

    Within 30 days of becoming aware of unauthorized access likely to cause substantial harm to a customer, the firm must notify the affected customer with specific information about what happened and the firm's response.
  • Does Reg S-P apply to vendors?

    The rule applies to the firm, but the firm must oversee service providers that handle customer information. Vendor management is a named focus area in examinations.