TL;DR: The SEC's amendments to Regulation S-P hit their final compliance deadline for "smaller entities" on June 3, 2026, six months after the December 3, 2025 deadline for larger entities. Smaller broker-dealers, registered investment advisers (RIAs) under the $1.5B AUM threshold, investment companies, and transfer agents must now maintain a written incident response program, notify affected customers within 30 days of discovering a breach (or one reasonably likely to have occurred), and contractually require service providers to report breaches within 72 hours, per Carlton Fields' implementation guidance. For NC RIAs and broker-dealers in Charlotte, Raleigh, Winston-Salem, and Asheville, this is the first federal data-breach notification rule with real teeth that applies directly to small advisers.
Key takeaway: Reg S-P is no longer a state-by-state patchwork for smaller advisers. As of June 3, 2026, the SEC expects every RIA and broker-dealer to have a tested incident response plan, a 30-day customer notification process, and 72-hour breach clauses signed with every vendor that touches customer data.
Need a Reg S-P-ready incident response plan and vendor clauses this quarter? Preferred Data Corporation builds and tests IR plans for NC RIAs and broker-dealers. Call (336) 886-3282 or request a Reg S-P readiness review.
What changed under SEC Regulation S-P on June 3, 2026?
Answer capsule: The June 3, 2026 deadline was the final compliance date for smaller entities under the SEC's 2024 amendments to Regulation S-P. Smaller broker-dealers, RIAs below the $1.5B AUM threshold, investment companies, and transfer agents must now maintain a written incident response program, deliver customer breach notifications within 30 days, and impose 72-hour breach reporting obligations on service providers, per the Holland & Knight summary.
Three structural changes define the new regime:
- Written incident response program (IRP). The SEC now requires a documented, board-aware program covering assessment, containment, and customer notification, not just a generic cybersecurity policy. The SEC's final rule release (Release No. 34-100155) sets the program elements that examiners will look for.
- Customer notification within 30 days. Once a covered firm becomes aware that "sensitive customer information" has been, or is reasonably likely to have been, accessed or used without authorization, customers must be notified within 30 days, per AdvisorLaw's compliance walkthrough.
- Service-provider oversight with 72-hour breach reporting. Covered firms must contractually require that vendors handling customer information notify the firm of a breach as soon as possible but no later than 72 hours, per Carlton Fields.
Larger entities, those at or above $1.5B in AUM and broker-dealers above the SEC's "covered institution" thresholds, were already on the hook from December 3, 2025, per the Seward & Kissel 40 Act blog. The June 2026 deadline closes the gap for small and mid-size firms.
Which NC firms are now in scope?
Answer capsule: The June 3, 2026 smaller-entity deadline applies to NC-registered broker-dealers, SEC-registered investment advisers managing under $1.5B in regulatory assets under management, registered investment companies, and registered transfer agents that fall below the applicable size cutoffs and handle customer records, per SWK Technologies' summary for financial advisors.
In practical terms, that pulls in a substantial slice of NC's financial services community:
- Charlotte-based RIAs built on the bank-and-broker corridor that now operate independently below the $1.5B line.
- Raleigh and Research Triangle wealth managers serving tech founders, executives, and family offices.
- Winston-Salem and Greensboro multi-family offices and Piedmont Triad regional advisers under the larger-entity threshold.
- Asheville and Western NC boutique advisers serving retirees and small-business owners, where one incident can disproportionately damage trust.
- Smaller broker-dealers and transfer agents across the state that previously assumed Reg S-P obligations applied only at scale.
State-registered investment advisers regulated by the NC Secretary of State Securities Division are not directly bound by the federal amendments. However, NC and most other states already require timely breach notification, and regulators look to SEC standards as the benchmark for "reasonable" cybersecurity, so state-registered NC RIAs should plan to meet the federal standard regardless.
What must be in a Reg S-P written incident response program?
Answer capsule: A Reg S-P IRP must, at minimum, define how the firm assesses the nature and scope of an incident, contains and controls it, notifies affected customers within 30 days, and oversees service providers that touch customer information, per Holland & Knight. The plan must be written, tested, and supported by recordkeeping.
The table below maps the four core obligations to the artifacts an NC RIA should have on file:
| Reg S-P obligation | What it requires | NC RIA artifact |
|---|---|---|
| Written incident response program | Documented assessment, containment, notification process | IRP document, RACI chart, annual tabletop exercise log |
| 30-day customer notification | Notify affected customers within 30 days of discovering unauthorized access | Notification template, contact list, mail or email delivery records |
| Service-provider oversight | Contractual 72-hour breach notice from vendors handling customer data | Updated vendor contracts, vendor inventory, signed addenda |
| Recordkeeping | Books and records covering the IRP and notifications | Six-year retention of plan versions, incident logs, vendor breach notices |
Three details often missed by smaller firms preparing this quarter:
- "Reasonably likely" is a trigger, not just confirmed access. Per Carlton Fields, notification can be required before forensic confirmation, so the IRP needs a fast triage process.
- Sensitive customer information is defined broadly: it covers nonpublic personal information (NPI) sufficient to identify a customer on its own or in combination with other data, not just SSNs and account numbers.
- The IRP is examiner-facing and must be specific to the firm's data flows, vendors, and systems, not a generic template.
How does the 30-day customer notification clock actually work?
Answer capsule: The 30-day clock starts when the firm becomes aware of an incident involving sensitive customer information that has been, or is reasonably likely to have been, accessed or used without authorization, per AdvisorLaw. The notification must clearly describe the incident, the information involved, and the steps customers can take to protect themselves.
Three operational tests an NC RIA should run before relying on this process:
- Detection-to-awareness time. The clock starts at awareness, not at intrusion. A firm without EDR and centralized logging may not become "aware" for weeks or months, and every day of undetected access after a customer-facing impact compresses or eliminates the practical 30-day window.
- Notification content. The notice must include the categories of information involved, the date or estimated date of the incident, contact information, and recommended customer actions. Per SWK Technologies, draft the template now, review with counsel, and version-control it.
- Delivery channel. Email, mail, or another reasonable means is acceptable, but the firm must hold current contact data for every affected customer.
A narrow exception exists for formal law-enforcement requests to delay notification; it is not a default extension.
What does the vendor 72-hour breach reporting clause require?
Answer capsule: Covered firms must require, by written contract, that any service provider receiving, maintaining, processing, or otherwise permitted access to customer information notify the firm of any breach of customer information as soon as possible but no later than 72 hours after becoming aware, per Carlton Fields. The firm is then on its own 30-day clock to notify customers.
The practical lift for an NC RIA is heavier than it sounds. A typical small adviser may have 20-50 service providers that touch customer data: custodian, portfolio accounting, CRM, e-signature, billing, financial planning software, email and document storage, MFA vendor, marketing tools, the IT MSP, and any sub-processors.
Three steps that get the clause in place this quarter:
- Inventory every vendor that touches customer data, with vendor name, data categories, contract renewal date, and current breach-notification language.
- Send a Reg S-P addendum. Large custodians and SaaS providers often have a standard amendment ready; smaller vendors require a tailored addendum. Legacy agreements with "promptly" or "30 days" language do not satisfy Reg S-P.
- Track signed addenda as ongoing vendor risk management, not a one-time exercise, since renewals and new vendors reset the cycle.
Want help inventorying vendors and sending 72-hour breach addenda? Call (336) 886-3282 or request a vendor oversight engagement.
How does an NC RIA prove compliance in an SEC exam?
Answer capsule: An NC RIA should expect SEC examiners to ask for the written IRP, the customer notification template, the vendor inventory with signed 72-hour clauses, evidence of at least one annual tabletop exercise, and the six-year recordkeeping trail tying it all together, consistent with the framework outlined in the SEC's final rule release.
A short examination-readiness checklist:
- Written IRP, dated and version-controlled, with approval signature from the firm's principal or CCO.
- Tabletop exercise documentation, including scenario, participants, gaps, and remediation. Per Holland & Knight, examiners increasingly demand evidence that the IRP is more than paper.
- Vendor inventory with data categories, contract status, and 72-hour clause status (signed, pending, declined-with-mitigation).
- Customer notification template vetted by counsel.
- Six-year recordkeeping retention of policy versions, training logs, incident logs, and breach notices.
- Incident log, even if empty; a "no reportable events" attestation is itself an artifact.
Many smaller advisers across Charlotte, Raleigh, and the Piedmont Triad will run their first SEC examination under the new regime in the next 12 months. Walking in with these artifacts ready is the difference between a routine exam and a deficiency letter.
How does Preferred Data Corporation help NC advisors comply?
Answer capsule: Preferred Data Corporation supports NC RIAs and broker-dealers with the IT, cybersecurity, and vCISO services that turn the Reg S-P paper requirements into operational reality, including written IRP development, vendor 72-hour clause rollout, and SEC examination readiness, backed by 37 years serving NC small businesses and on-site coverage within 200 miles of High Point.
PDC supports Reg S-P compliance with four building blocks:
- Managed cybersecurity and vCISO, including written IRP development, annual tabletop exercises with documented outcomes, EDR/MDR coverage so that detection-to-awareness time is measured in hours, not months, and a documented vendor risk management program with signed 72-hour addenda.
- Managed IT services with documented patch SLAs, MFA enforcement, centralized logging, and the audit-evidence trail that SEC examiners now expect to see.
- Backup and disaster recovery with tested restores and immutable backups, so that a ransomware-driven breach does not also become a recordkeeping violation.
- Network services with segmentation between the production CRM and portfolio accounting systems and the general office network, reducing the blast radius of any single incident.
PDC has served NC professional services and financial services clients for over 37 years from High Point. The combination of local context for Charlotte, Raleigh, Asheville, Winston-Salem, Greensboro, and the broader Piedmont Triad, paired with national-grade cybersecurity tooling and a documented vCISO process, is what gets an NC RIA from "we have a cyber policy" to "we can hand the examiner a Reg S-P artifact binder."
Frequently Asked Questions
Does Reg S-P apply to NC state-registered investment advisers?
The federal Reg S-P amendments apply directly to SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. NC state-registered advisers are regulated by the NC Secretary of State Securities Division and are not directly bound, but state breach-notification laws still apply, and the SEC standard is widely treated as the benchmark for "reasonable" cybersecurity, so most NC state-registered RIAs should plan to meet it.
What counts as a "smaller entity" under Reg S-P?
For investment advisers, the smaller-entity category generally covers SEC-registered advisers below the $1.5B AUM threshold, and analogous size cutoffs apply to broker-dealers, investment companies, and transfer agents, per Seward & Kissel. Larger entities were already on the December 3, 2025 deadline; the June 3, 2026 deadline applies to firms below those size thresholds.
Does the 30-day customer notification clock start at the intrusion or at discovery?
The clock starts when the firm becomes aware that sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization, per Holland & Knight. This makes detection capability (EDR, MDR, logging) a critical input to Reg S-P compliance, since slow detection compresses or eliminates the practical 30-day window.
What if a vendor refuses to sign the 72-hour breach notification clause?
The firm has two practical options: negotiate a documented mitigation (for example, additional monitoring, faster termination rights, or alternative breach-detection processes), or replace the vendor. The Reg S-P obligation rests on the covered firm, not the vendor, so an unsigned addendum becomes a documented gap that examiners will probe.
How long must Reg S-P records be retained?
Existing SEC books-and-records rules apply, which generally require retention for at least six years (the first two in an easily accessible place), covering policy versions, incident logs, vendor breach notices, and customer notifications. Per Carlton Fields, recordkeeping is itself an examination focus area.
Can our existing cybersecurity policy double as the written incident response program?
Probably not on its own. A generic information security policy lacks the specific incident-response process flow, role assignments, customer-notification template, vendor-oversight mapping, and tested-exercise evidence that Reg S-P expects. Smaller NC advisers should plan to either layer an IRP on top of the existing policy or rewrite the cybersecurity program to integrate the IRP elements explicitly.
Related Resources
- Managed Cybersecurity Services for NC Businesses - vCISO, IRP development, MDR, vendor risk management
- Managed IT Services for NC Businesses - MFA, patch SLA, centralized logging, audit-ready evidence
- Backup and Disaster Recovery Services - Tested restores, immutable backups, ransomware resilience
- Incident Response Plan Template for NC Small Business - IRP starter framework
- Cyber Insurance 2026 Renewal Mandates for NC Small Business - Overlapping cyber insurance requirements
- Contact Preferred Data Corporation - Schedule a Reg S-P readiness review