For years, the Securities and Exchange Commission's Regulation S-P lived quietly in the background of most firms' compliance manuals. It was the rule about safeguarding customer records and properly disposing of consumer report information, and beyond an annual policy refresh, it rarely demanded much active attention. That era is over. The amended Reg S-P transforms a largely static safeguards obligation into an operational program that firms must build, test, and stand ready to execute under pressure. For smaller broker-dealers and registered investment advisers, the change is significant: the obligations are now much closer to those long faced by the largest institutions, but the resources to meet them are not.
From Safeguards Policy to Incident-Response Program
The core of the amendment is the requirement to develop, implement, and maintain a written incident-response program. A policy that says the firm "will protect customer data" is no longer enough. The program must be designed to detect, respond to, and recover from unauthorized access to or use of customer information. In practice, that means defining how an incident is identified, who is responsible for assessing it, what steps are taken to contain it, and how the firm restores normal operations afterward.
Smaller firms often assume this is the domain of large IT departments. It is not. The rule applies regardless of firm size, and examiners will expect to see a program that fits the firm's actual systems and risks. A two-person advisory shop that stores client data in a cloud platform still needs a documented plan for what happens when that platform reports suspicious access. The program does not have to be elaborate, but it has to be real, written down, and capable of being followed by the people who will actually be on the phone at 9 p.m. when something goes wrong.
The New Customer Notification Duty
Perhaps the most consequential change is the affirmative obligation to notify affected individuals when their sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization. This shifts firms from a discretionary posture to a defined duty. When a covered incident occurs, the firm must determine which individuals are affected and provide notice describing the incident, the type of information involved, and steps the individuals can take to protect themselves.
The discipline this requires should not be underestimated. To notify the right people with accurate information, a firm must already know what data it holds, where that data lives, and which records a given incident touched. Many smaller firms discover during an actual breach that they cannot quickly answer those questions. The notification requirement therefore works backward into everyday data governance: firms that maintain a clear inventory of sensitive information and a workable map of where it resides will be able to meet the obligation; firms that do not will scramble at the worst possible moment.
Service Providers Are Now Your Problem Too
Most smaller firms run on third-party platforms — custodians, portfolio management systems, email providers, document vaults, and outsourced IT. The amended rule makes clear that handing data to a vendor does not hand off the responsibility. Firms must take reasonable steps to oversee service providers, including through contractual arrangements designed to ensure that providers protect customer information and, critically, notify the firm of breaches affecting that information promptly enough for the firm to meet its own obligations.
This is where many smaller firms are most exposed. Standard vendor agreements frequently lack clear breach-notification timelines or security commitments. Firms should review their material vendor contracts, identify which providers touch sensitive customer information, and confirm that those agreements obligate the provider to alert the firm quickly and cooperate in any response. Oversight is not a one-time check; it is an ongoing expectation that should be revisited as relationships and platforms change.
Practical Steps to Get Ready
A workable path forward does not require a large budget. Start by inventorying the sensitive customer information the firm collects and where it is stored. Draft an incident-response program scaled to that footprint, naming responsible individuals and defining escalation, containment, assessment, and notification steps. Build a notification process so the firm can identify affected individuals and communicate clearly. Review vendor contracts for breach-notification and security terms. Train staff so the people who will execute the plan understand it, and test the plan through a tabletop exercise before a real incident forces the first run-through. Finally, document everything — examiners and, in a worst case, plaintiffs' counsel will ask what the firm had in place and whether it followed its own program.
How Law & Forensics Helps
Law & Forensics helps broker-dealers and investment advisers build Reg S-P compliance that fits their size and risk profile. Our team drafts and stress-tests incident-response programs, designs customer notification workflows, reviews and strengthens vendor agreements, and runs tabletop exercises that turn a written plan into practiced muscle memory. When an incident does occur, our forensic and legal professionals work side by side to investigate, scope the affected data, and guide notification — so smaller firms can meet big obligations with confidence.