The Smaller Entity deadline passed on June 3, 2026. Examinations are beginning. The firms that documented their service provider oversight are about to find out whether the program can actually produce what an examiner asks for.
TL;DR
- The SEC's 2024 amendments to Regulation S-P are now in effect for all covered institutions. Larger Entities since December 3, 2025. Smaller Entities since June 3, 2026 (Release Nos. 34-100155; IA-6604).
- Industry trade groups including the Investment Adviser Association requested an extension. The SEC did not modify the dates. The deadline passed unchanged.
- The compliance question has shifted. It is no longer "what do we have to do by the deadline." It is "can our program produce the evidentiary chain an examiner will ask for, on demand."
- The gap most firms face is not policy design. It is the chain from service provider inventory, to incident response, to customer notification, end to end, in a form an examiner can follow.
- Firms that did not meet the deadline are out of compliance, and examination exposure is already live. Firms that did meet it are operating the program for the first time and learning where it bends under stress.
The Quiet Update of a Foundational Rule
Regulation S-P was adopted in 2000 to implement the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act. For more than twenty years, it set the baseline for how broker-dealers, investment advisers, investment companies, funding portals, and transfer agents handled customer information, with only conforming and incremental changes along the way.
On May 16, 2024, the SEC adopted amendments that, for the first time, impose explicit and documented obligations around incident response, customer notification, and service provider oversight. The amendments were published in the Federal Register on June 3, 2024 and became effective August 2, 2024. Larger Entities became subject to the new requirements on December 3, 2025. Smaller Entities followed on June 3, 2026. In 2026, industry trade groups including the Investment Adviser Association requested an extension of the compliance dates. The SEC did not modify them. Both deadlines passed unchanged. Every covered institution is now operating under the rule.
Who the Rule Covers
The amendments apply to "Covered Institutions," defined to include:
- Broker-dealers (including funding portals)
- Registered investment companies
- SEC-registered investment advisers
- Transfer agents registered with the SEC or another appropriate regulatory agency
Compliance dates are tiered.
Larger Entities were required to comply by December 3, 2025. The category includes:
- Investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more as of the end of the most recent fiscal year
- SEC-registered investment advisers with $1.5 billion or more in assets under management
- Broker-dealers that are not "small entities" under the Securities Exchange Act for purposes of the Regulatory Flexibility Act (generally those with total capital of $500,000 or more)
- Transfer agents that are not "small entities" under the Securities Exchange Act for purposes of the Regulatory Flexibility Act (generally those that transferred or processed 500 or more items in the previous year or maintained shareholder files for 1,000 or more shareholder accounts)
Smaller Entities, all other covered institutions, were required to comply by June 3, 2026.
The "group of related investment companies" language matters for fund families. A single fund evaluated on its own may sit below the $1 billion threshold; aggregated across the group, it may not.
Examination authority overlaps rather than splitting cleanly. The SEC's Division of Examinations examines registered investment advisers, investment companies, transfer agents, and broker-dealers; FINRA separately examines its member broker-dealers and funding portals for compliance with federal securities laws, Reg S-P included. Both regulators are now examining against the amended rule within their respective jurisdictions. The first wave of post-deadline exams is underway.
What the Amendments Actually Require
The Adopting Release introduces four substantive new requirements. Each carries practical implications for how firms manage vendors, contracts, and breach response.
1. A Written Incident Response Program
Covered institutions must adopt, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program must include procedures to assess the nature and scope of any incident and identify the customer information systems and information involved, to take appropriate steps to contain and control the incident, and to notify affected individuals. The notification element is part of the program itself, not a separate policy bolted on afterward.
2. Customer Notification Within 30 Days
When a covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, it must notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice must go out as soon as practicable, and in no event later than 30 days after the institution becomes aware of the incident.
Two qualifications in the rule text matter for the records an examiner will later ask for. First, notice is not required if the institution determines, after a reasonable investigation, that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience; that determination, and the investigation behind it, must be documented. Second, notice may be delayed only where the Attorney General determines that it would pose a substantial risk to national security or public safety and notifies the Commission in writing. Awareness may originate internally, or it may follow from a service provider notification under the 72-hour provision below.
3. Service Provider Oversight
This is the requirement with the largest operational footprint, and the one most directly relevant to third-party risk management programs.
Covered institutions must establish, maintain, and enforce written policies and procedures reasonably designed to require "oversight, including through due diligence and monitoring" of service providers that receive, maintain, process, or otherwise are permitted access to customer information.
The policies must be reasonably designed to ensure service providers take appropriate measures to:
- Protect against unauthorized access to or use of customer information, and
- Provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.
The Adopting Release indicates that the 72-hour element can be satisfied through a written contract or contractual representation with each service provider. The amendments do not expressly require this language to appear in service provider agreements, which leaves firms responsible for choosing a method that is both defensible under examination and enforceable in practice. The definition of service provider includes affiliates of a covered institution, which addresses a gap that frequently appears in vendor inventories.
Upon receiving notice from a service provider, the covered institution must initiate its own incident response program. The 30-day clock does not wait for that program to finish: it runs from the point at which the institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, and a provider's notice that a system holding the institution's customer information was breached will often be that point. The prudent planning assumption is that the clock can start on receipt of the provider's notice, with the institution's investigation narrowing who must be notified rather than postponing when. The rule also permits a covered institution to arrange, by written agreement, for the service provider to send the individual notices on its behalf; the obligation, and the 30-day deadline, remain the covered institution's.
4. Recordkeeping
Covered institutions must maintain written records documenting compliance with the new requirements, including policies and procedures, incident assessments, the investigation and determination behind any decision that notification was not required, notification decisions, and service provider oversight materials. The recordkeeping requirement is the connective tissue. Without it, every other obligation is unprovable under examination. Rather than creating a new retention schedule, the amendments extend each entity type's existing books-and-records rule to the new artifacts: Exchange Act Rule 17a-4 (§ 240.17a-4) for broker-dealers, Rule 17ad-7 (§ 240.17ad-7) for transfer agents, Advisers Act Rule 204-2 (§ 275.204-2) for investment advisers, Investment Company Act Rules 31a-1 and 31a-2 (§ 270.31a-1, § 270.31a-2) for investment companies, and Rule 404 of Regulation Crowdfunding (§ 227.404) for funding portals. Existing retention infrastructure must therefore extend to the new records, not be replaced.
Why This Changes the Conversation About Vendor Risk
Before May 2024, the case for formal third-party risk management in financial services rested on general guidance, examiner expectations, and analogous obligations from state breach notification laws, the FTC Safeguards Rule, and interagency guidance. It was real, but it was diffuse. As of June 2026, it is no longer diffuse. The rule is in effect. Examiners are reviewing programs against the rule text.
The amended rule does three things that materially change the posture:
It names the obligation. The phrase "oversight, including through due diligence and monitoring, of service providers" is now in the rule text. It is no longer an inference from a safeguards principle.
It introduces a specific timeline. A 72-hour service provider notification standard, paired with a 30-day customer notification window, creates a measurable chain that examiners can ask firms to demonstrate end to end.
It is documentary. The requirement is not to have oversight. It is to have written policies and procedures reasonably designed to require oversight, plus the records to prove they were followed. Informal review processes that produced good outcomes will not satisfy a documentation-based examination.
For firms that have treated vendor reviews as a procurement step or an annual security questionnaire, the gap is non-trivial. The work required is not just program design. It is the contractual, evidentiary, and workflow infrastructure that makes the program enforceable across every service provider with access to customer information.
What "Reasonably Designed" Looks Like in Practice
The Adopting Release uses "reasonably designed" rather than prescribing a specific control set. The language is familiar from other SEC rulemakings and gives covered institutions latitude. It does not reduce the documentation burden. In practice, firms preparing for examination should be able to demonstrate:
- A written program covering incident response, service provider oversight, customer notification, and recordkeeping, calibrated to the institution's size and complexity
- Risk-tiered due diligence and ongoing monitoring of service providers proportionate to each provider's access to customer information
- Contractual mechanisms or equivalent assurances that obligate service providers to meet the 72-hour notification standard
The further a firm's current state is from that list, the more compressed its remediation window becomes.
What an Examiner Will Look For
Examiners do not grade policies in the abstract. They reconstruct the chain. Expect requests for specific, dated artifacts.
A current service provider inventory with access classifications, identifying which providers (including affiliates) receive, maintain, process, or have access to customer information, and at what sensitivity level.
Dated due diligence records tied to named providers, showing the depth of review was appropriate to the provider's access tier. Not a template: the actual completed assessments.
Contract language or contractual representations addressing the 72-hour service provider notification standard, mapped to specific providers and date-stamped to show currency.
Evidence of ongoing monitoring, not just onboarding. Reassessment cadence, posture monitoring artifacts, or change-triggered reviews, all of them tied to specific providers.
A documented intake workflow for service provider breach notifications, with named owners, escalation paths, and a tested route from intake to the incident response program.
The records chain from service provider notification, to covered institution incident response activation, to customer notification decision, including the rationale for the timing and scope of any notification or non-notification.
If a firm can pull that set in an exam window without scrambling, the program is examination-ready. If any link is missing, that is where the finding lands.
Where Programs Are Failing in the First Examinations
The deadline is past. The order below is no longer a runway; it is a triage sequence. Firms that are out of compliance start at step one and work fast. Firms that met the deadline use the same sequence as a stress test of the program they already shipped.
- Inventory. Identify every service provider with access to customer information, including affiliates.
- Tier. Classify providers by the sensitivity of the information they touch and the operational dependency they create.
- Contract review. Identify which provider agreements need amendment to address the 72-hour notification expectation, and prioritize accordingly.
- Program documentation. Build or refresh written policies and procedures for incident response, service provider oversight, customer notification, and recordkeeping.
- Workflow design. Operationalize the policies. Assign owners, define escalation paths, and ensure the chain from service provider notification to customer notification is testable.
- Tabletop testing. Run the chain end to end before an examiner does. A program that has been exercised once is a different artifact than one that has only been written.
How Whistic Maps to Reg S-P
Reg S-P is a rule-section problem. Examination-readiness, in the first weeks of being live under the rule, is a rule-section-to-evidence problem. Whistic, the Agentic Risk Operations Platform, runs both as one workflow.
§ 248.30(a)(5), service provider oversight, maps to Whistic Assess and Whistic Vendor Monitoring. Assess runs risk-tiered due diligence with Assessment AI: reads SOC 2 reports, ISO certs, policies, and prior questionnaires, then maps evidence directly to your controls with confidence scores, source citations, and explanations on every answer. The evidentiary record is dated, named to specific providers, and defensible under examination. Vendor Monitoring maintains the posture between assessments, refreshed every 30 minutes across public sources, SEC filings, news, and the dark web. Oversight is continuous and dated, not annual and stale.
§ 248.30(a)(3), the written incident response program, maps to Whistic Compliance. Compliance houses the program itself: policies, procedures, controls, control tests, and the mapping from each rule requirement to the internal artifact that satisfies it. Tests run manually, on a schedule, or with an AI browser agent that captures evidence with human review on every run. Every execution is timestamped, evidence-attached, and permanent. The same surface holds the written incident response policy, the service provider oversight policy, and the recordkeeping that ties them together.
The 72-hour to 30-day notification chain lives across the platform as one audit trail. Service provider notification enters through a defined intake workflow inside the vendor record your team already uses. The notification triggers the incident response program documented in Compliance. The covered institution's awareness timestamp anchors the 30-day customer notification clock. The records chain an examiner asks for, end to end, builds itself as the work happens.
For programs at scale, the Automation Orchestrator runs the assessment lifecycle through four named agents (Initiator, Collector, Analyst, Reporter), so continuous oversight does not become a headcount problem. In beta now, with general availability in Q3 2026.
Reg S-P forces the shift from periodic assessment to continuous operation. That is what Whistic was built for.
Risk, worked.
See the Reg S-P examination-readiness walkthrough
Frequently Asked Questions
What are the 2024 amendments to Regulation S-P?
On May 16, 2024, the SEC adopted amendments to Regulation S-P that require covered institutions to maintain a written incident response program, notify affected individuals of certain data breaches within 30 days, oversee service providers that handle customer information, and maintain related records.
Who is a "Covered Institution" under Regulation S-P?
Broker-dealers (including funding portals), registered investment companies, SEC-registered investment advisers, and transfer agents registered with the SEC or another appropriate regulatory agency.
When did firms have to comply?
Larger Entities were required to comply by December 3, 2025. Smaller Entities were required to comply by June 3, 2026. Both deadlines have passed. All covered institutions are now operating under the amended rule.
Which firms qualify as "Larger Entities"?
Investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more as of the end of the most recent fiscal year; SEC-registered investment advisers with $1.5 billion or more in assets under management; broker-dealers and transfer agents that are not "small entities" under the Securities Exchange Act for purposes of the Regulatory Flexibility Act.
What is the 30-day customer notification requirement?
A covered institution must notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, as soon as practicable and no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Awareness can arrive via a service provider notification. Notice is not required where a reasonable investigation supports a documented determination that the information has not been and is not reasonably likely to be used in a manner resulting in substantial harm or inconvenience.
What is the 72-hour service provider notification requirement?
Covered institutions must maintain written policies and procedures reasonably designed to ensure service providers notify the covered institution as soon as possible, but no later than 72 hours after becoming aware of a breach in security resulting in unauthorized access to a customer information system maintained by the service provider. The Adopting Release indicates this can be satisfied through a written contract or contractual representation with each service provider.
Does Regulation S-P require vendor risk management?
Yes. The amendments require written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers that receive, maintain, process, or otherwise are permitted access to customer information.
What records will SEC or FINRA examiners ask for under Reg S-P?
Examiners reconstruct the documentation chain. Expect requests for a current service provider inventory with access classifications, dated due diligence records tied to named providers, contract language or contractual representations addressing the 72-hour service provider notification standard, evidence of ongoing monitoring (not just onboarding), a documented intake workflow for service provider breach notifications, and the records chain from service provider notification through covered institution incident response to customer notification decision.