Key Point: With the June 3, 2026, compliance deadline fast approaching, small firms subject to amended Regulation S‑P under the Gramm-Leach-Bliley Act (GLBA) should be in the final stages of updating their privacy and safeguards programs. In January 2026, the Securities and Exchange Commission (SEC) held an outreach event to help small firms comply with the amendments to Regulation S-P. This webinar was geared toward small firms in advance of the June 3, 2026, compliance deadline. The SEC highlighted new Regulation S-P compliance obligations and the SEC exam team's approach going forward, and held an examination workshop that included an incident response tabletop discussion, a review of a sample document request list, and a mock examination session.

This article provides a brief overview of the January 2026 SEC outreach session and a checklist that offers a practical roadmap for small firms to reach compliance by the deadline. Larger entities may also benefit from these insights as they prepare for compliance.

***

On January 22, 2026, the Division of Examinations, Division of Investment Management, and Division of Trading and Markets held an outreach session focused on the requirements for small firms under the amended Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (Reg S-P).

The SEC defines larger entities as SEC-registered investment advisers with $1.5 billion or more in assets under management, investment companies with net assets of $1 billion or more, and broker-dealers that are not classified as small entities under the Securities Exchange Act. Small entities are all entities that do not meet these thresholds.

Background

Reg S-P implements requirements for protecting the privacy of nonpublic personal information and safeguarding customer information held by SEC-regulated entities. The core obligations of the Reg S-P framework prior to the 2024 amendments, which apply to both physical and digital records, include providing initial and annual privacy notices that describe what nonpublic personal information is collected, used, shared, and protected; maintaining written privacy policies and procedures under the safeguards rule; providing a reasonable means for customers to opt out of certain data sharing; and providing for reasonable disposal measures.

In May 2024, the SEC adopted amendments to Reg S-P, which became effective in August 2024. The SEC’s 2024 amendments to Regulation S‑P are broadly aligned with the Federal Trade Commission (FTC) GLBA Safeguards Rule, which the FTC amended in December 2021. The SEC adopted concepts from those FTC updates, including requiring written incident response programs, vendor oversight, and breach notification. However, the two rules are not identical, and careful attention should be paid to the differences.

During the SEC outreach session, panelists expanded on the new requirements under the amended Reg S-P, which include adoption and maintenance of written policies and procedures for incident response, timely notification to individuals for breaches involving sensitive personal information, an expansion and alignment of the safeguards and disposal rule to cover nonpublic personal information firms collect and receive, retention of compliance documents, and conforming annual privacy notice requirements to the FAST Act, which allows covered institutions to forego delivering annual privacy notices if certain provisions are met.

Incident Response Program

The Reg S-P amendments require smaller entities to adopt written policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information. Firms must be able to assess the nature and scope of an incident, take steps to control it, and where applicable, provide customer notice to affected individuals.

Customer Notification Requirements

Notification to a customer is required where sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Customer information means any record that contains nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is in the possession of a covered institution or that is handled or maintained by the covered institution, regardless of whether that information pertains to (i) individuals with whom the covered institution has a customer relationship, or (ii) the customers of other financial institutions where such information has been provided to the covered institution. Sensitive customer information is a subset of customer information. Examples include information uniquely associated with an individual that could be used to identify that individual, such as a Social Security number, and an account number or username that, in combination with other information such as a password or access code, could be used to gain access to an account.

Covered institutions are required to provide notice to customers as soon as possible, but not later than 30 days after becoming aware of the unauthorized access to or use of customer information. A covered firm can avoid sending notice if it determines, after a reasonable investigation, that the incident involving sensitive customer information is not likely to result in harm. However, this determination must be made within the same 30-day timeframe.

Examination Lifecycle

SEC examiners will begin an exam by getting a sense of the covered institution’s office environment. For example, examiners will assess the size of the office, whether there are multiple offices, whether there is hybrid work, and the firm’s lines of business. Examiners will also seek to understand the firm’s network footprint, for example whether data resides in a cloud environment, on-premises, or a mix of both. They will seek to understand how data flows within the firm’s environment and how the firm ingests, uses, and disposes of client data. Once the examiners understand this, they will seek to understand how the data is protected and how the data flow is monitored. To that end, examiners will look for contracts with service providers, evidence that the entity maintains an ongoing relationship with its vendors, a walkthrough of the entity’s incident response program, confirmation that log data is in place, and evidence of patch or vulnerability management tools.

If an examiner finds deficiencies or weaknesses, a deficiency letter will be issued. Deficiency letters are issued for violations or apparent violations, and for weaknesses that are not violations but could lead to issues in the future. Before a deficiency letter is issued, examiners will discuss the identified deficiencies with the registrant, and the SEC will give the registrant an opportunity to respond or provide documentation. Examiners will usually allow one or two days for registrants to clarify any issues. In the outreach session, the SEC noted that its processes for document requests and for understanding roles and responsibilities will not change.

The SEC also addressed questions that many firms have about how a smaller firm should handle data. The SEC observed that the appropriate data-handling approach depends on the facts and circumstances specific to each firm, including the firm’s size, business lines, where its data resides, how it implements IT, the nature of its activities, and the types of information it stores. Solo advisors and smaller firms should take this into consideration as they tailor their policies and procedures.

Registration of Risk

The speakers at the SEC outreach session noted that the SEC’s approach to examining registration of risk will be tailored to the size and business lines of the firm. They hope to see a risk matrix covering the risks to the business that includes identification of each risk, an assessment of the risk, and the corresponding mitigation.

According to the SEC, firms should ensure that they have documentation describing how they record risks, how they work through risks over time, how often they review risks, and how they assess risks when they open new lines of business.

Third-Party Service Providers

The SEC examiners stated that they often see smaller firms rely on third-party service providers to assist with their information technology (IT) needs. They urge firms to remember that responsibility for Reg S-P compliance ultimately remains with the firm, and that firms should conduct due diligence on service providers and perform ongoing assessments to ensure that service providers can meet any downstream obligations.

According to the SEC, firms should also engage with service providers to ensure service providers can meet incident response requirements, including responding to and reporting a breach within the required timeframe. Firms must establish, maintain, and enforce written policies and procedures that are designed to require oversight of third-party service providers’ incident response programs. The SEC further emphasized that firms should have written agreements with service providers to ensure that service providers are contractually bound to meet these obligations.

Resources and Compliance Tips

The session provided an overview of resources made available by the SEC, such as the risk alerts available at sec.gov, including the April 2023 Risk Alert, which focuses on safeguarding customer records and information at branch offices, and a January 2020 SEC examination report on cybersecurity and resiliency observations, which encourages market participants to review their procedures and highlights practices firms could consider, including mobile device security and data loss prevention.

The session also provided tips for compliance, which include reviewing and understanding the Reg S-P amendments, reviewing the small entity compliance guide, engaging with stakeholders and service providers to help develop and refine procedures, reviewing policies and procedures, testing both old and new processes, educating and training officers and staff, and ensuring that service providers are aware of the regulatory changes and are able to comply with them.

For a practical summary of the steps small firms must complete by June 3, 2026, see our Regulation S‑P compliance checklist for small firms.

The SEC encourages all entities to review its resources, which include risk alerts and observation reports. Small entities should consider incorporating SEC guidance and recommendations as they build out their Regulation S-P compliance processes.

Webinar Resources

The full webinar can be found here.

The small entity compliance guide can be found here.