Regulation S-P Readiness Guide | Solanasis
What the SEC's updated Regulation S-P means for your firm and what to do about it
Compliance Deadline: June 3, 2026 (Smaller Entities)
What Changed
The SEC adopted amendments to Regulation S-P (Safeguards Rule) in May 2024. The updated rule significantly expands what firms must do to protect customer information. If your firm is SEC-registered or state-registered, these requirements apply to you.
The compliance date for smaller entities is June 3, 2026. Let's face it: if you haven't started preparing, you're behind; the technical implementation alone takes weeks to do properly.
The Three Major Requirements
1. Written Incident Response Program
Your firm must have a written program with procedures for detecting, responding to, and recovering from unauthorized access. This is separate from your WISP.
- Named roles and responsibilities
- Procedures for assessing nature and scope
- Containment and remediation steps
- Documentation and evidence preservation
2. Expanded Service Provider Oversight
Service providers must notify you of security incidents within 72 hours. You must monitor their compliance.
- Review vendor contracts for 72-hour notification provisions
- Establish a vendor inventory with access levels
- Document the oversight process
3. Client Notification Requirements
Notify affected individuals no later than 30 days after discovering unauthorized access.
- Description of the incident and the information involved
- Contact information for questions
- Protective measures (credit monitoring, etc.)
What Most Firms Are Missing
Incident response exists on paper only
Many firms have an IR section in their WISP, but it's never been tested. Tabletop exercises are how you find out whether your plan actually works.
Vendor contracts lack notification clauses
Most existing contracts specify 30-60 day notification, not 72 hours. Every vendor agreement touching customer data needs updated language.
No vendor inventory exists
You can't oversee what you haven't cataloged. Many firms can't produce a complete list of vendors with access to customer data.
Breach detection is absent
The 30-day clock starts when you "become aware." Without detection capabilities, you may not know about a breach for months.
Readiness Timeline
If your firm is starting from a typical baseline, here's a realistic 10-week timeline:
| Timeframe | Focus | Key Actions |
|---|---|---|
| Weeks 1-2 | Assessment | Gap analysis against Reg S-P requirements |
| Weeks 3-4 | Incident Response | Draft/update IR program, assign roles, prepare templates |
| Weeks 5-6 | Vendor Oversight | Complete vendor inventory, begin contract amendments |
| Weeks 7-8 | Detection | Implement monitoring, prepare notification procedures |
| Weeks 9-10 | Testing | Tabletop exercise, DR test, end-to-end verification |
How Solanasis Can Help
Our 10-day Compliance Readiness Assessment covers every item in the readiness checklist. We test what others only check on paper, including a real disaster recovery restore, and we map every finding to Reg S-P, SEC exam priorities, and NIST CSF.
After the assessment, you can execute the roadmap independently, bring us in for a remediation sprint, or engage us as an ongoing Fractional Cybersecurity Partner; no lock-in at any stage.