The SEC Just Gave Smaller RIAs a Breach-Notification Clock. The Only Clause That Makes It Run Is Optional.
If you run a registered investment adviser with less than $1.5 billion in assets under management, your amended Regulation S-P compliance obligation takes effect tomorrow, June 3, 2026. The conventional reading of the rule is that it imposes a breach-notification timeline on you. That reading is correct, but it misses the structural problem: the rule manufactures a timeline and then makes the one mechanism that would actually enforce it discretionary. A firm can satisfy the rule on paper, with an incident response program a regulator would call "reasonably designed," while holding zero enforceable commitment from any vendor to tell it about a breach in time to meet that timeline.
The way this gap opened is worth tracing, because it did not happen by accident. It happened in the two years between the proposed rule and the final one.
May 2024: The SEC Adopts the Amendments
The Commission adopted the Reg S-P amendments on May 16, 2024, and then-Chair Gary Gensler framed the intent in one sentence: "The basic idea for covered firms is if you've got a breach, then you've got to notify." The amendments are one piece of the SEC's broader tightening of investor-data protection across the firms it regulates. The rule applies to Covered Institutions, a category that includes broker-dealers, registered investment advisers, investment companies, transfer agents, and funding portals. It set two compliance dates: larger entities, meaning funds above $1 billion in assets and RIAs above $1.5 billion in AUM, had to comply by December 3, 2025; everyone else, the smaller entities, by June 3, 2026.
The rule carries three core obligations. First, a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to customer information. Second, customer breach notification "as soon as practicable, but not later than 30 days" after the firm determines that unauthorized access to sensitive customer information has occurred. Third, service provider oversight, built around a requirement that providers notify the institution "as soon as possible, but no later than 72 hours after becoming aware of a breach involving customer information." Read in sequence, those three obligations describe a clean pipeline: the vendor tells you fast, you assess, and you tell your customers inside thirty days.
The Proposal Required a Contract. The Final Rule Did Not.
Here is the change that almost nobody traces. The proposed version of the rule required Covered Institutions to enter written contracts with their service providers carrying that 72-hour notice obligation. The final rule softened it. Written contracts are no longer required. The adopting release states that a firm "could comply" by obtaining a contractual representation from each service provider agreeing to the 72-hour notice requirement, "however, such approach is not strictly required." Davis Wright Tremaine reads the result plainly: the 72-hour notice "may be contractually required but the amendments do not expressly mandate it."
In place of a contract, the release offers an escape hatch. Where a contractual commitment cannot be obtained, a firm may rely on "independent certifications and attestations . . . or other reasonable assurances" instead of a binding 72-hour clause. On its face this is reasonable flexibility. In practice it is the seam where the whole notification guarantee comes apart.
Where the Pipeline Breaks
The 30-day customer-notice clock is not independent. It starts when you determine a breach occurred, and for the large share of customer data that lives with vendors rather than in your own systems, the determining event is the vendor telling you. If the vendor never commits to a 72-hour notice, your 30-day obligation to your customers floats on top of a dependency you do not control. The customer-notification guarantee the rule appears to create is only as firm as the upstream notice, and the upstream notice is the part the final rule made optional. This is the line that separates real third-party risk management from compliance theater: a contractual breach-notification requirement is worth only as much as the enforcement mechanism standing behind it.
Holland & Knight names the practical consequence directly. Firms have run into trouble "especially in seeking assurances from larger service providers that they will comply with the 72-hour Notice Requirement, which have no obligation and little incentive to agree to do so." That is the asymmetry a sub-$1.5 billion RIA is walking into tomorrow. The vendors most likely to hold your sensitive customer information, the large custodians and platforms and data processors, are precisely the ones with the leverage to decline a 72-hour clause. They are not being difficult; they are being rational, because no rule requires them to sign, and signing creates a liability they would rather not carry.
The scope expansion makes the exposure wider than most firms assume. The amendments broadened "customer records and information" to "customer information," which now reaches the nonpublic personal information of customers of other financial institutions, including limited partners in a private fund, and any record containing such information that is processed on the firm's behalf. "Sensitive customer information" is defined as any component whose compromise "could create a reasonably likely risk of substantial harm or inconvenience." The set of vendors who can trigger your 30-day clock is therefore larger than your direct client roster suggests, and the clause that would let you actually start that clock on time is the clause your largest vendors will not give you.
What an RIA Should Triage Before Tomorrow
The value of understanding this gap is that it tells you where to spend the hours you have left. The work is not a rule recap; it is a triage of your vendor relationships against a single question: when a vendor is breached, how do I learn about it in time to notify my customers? In my M&A diligence work before this, the most expensive findings were never the obvious liabilities on the balance sheet; they were the obligations that depended on a counterparty doing something it had never actually agreed to do. Reg S-P has handed smaller RIAs exactly that kind of obligation. Three steps close the most exposure fastest.
First, build the data map and vendor inventory that practitioners have been recommending. Smart-RIA's guidance is to map where customer information and sensitive customer information reside and to inventory every provider that receives, maintains, processes, or accesses it. You cannot reason about a 72-hour dependency you have not located. Rank the inventory by how much sensitive customer information each vendor touches, because that ranking is your notification-risk ranking. Weight it, too, by how a vendor has actually behaved in the hours after a past incident: demonstrated disclosure discipline is a better predictor of a timely call than any clause.
Second, sort that ranked list into three buckets. Bucket one: vendors who will sign a 72-hour notice clause, which you request in writing and get executed. Bucket two: vendors who will not sign but will provide a certification, attestation, or documented assurance, which you collect and date. Bucket three: vendors who will give you neither. Bucket three is your actual risk register, and it is the document a regulator examining your program will want to see you have already identified, not the one you assemble after an incident. If this triage feels familiar, it is the same discipline I described for the CISA CIRCIA 72-hour incident-reporting clock and vendor due-diligence questionnaires: the contractual clock only protects you if a counterparty is bound to it.
Third, write down what you cannot get and why. A firm that documents which vendors declined a 72-hour commitment, what alternative assurance it accepted, and which gaps remain open has a defensible "reasonably designed" program even where the ideal clause was unobtainable. A firm that simply hopes its vendors will call in time has a policy binder and an undocumented bet.
The rule will not be rewritten before tomorrow, and your largest vendors will not suddenly agree to a clause they have spent two years declining. So the realistic posture for a smaller RIA on June 2 is not to manufacture commitments that do not exist; it is to know exactly which of your vendors can trigger your 30-day clock, which of them are contractually bound to start it, and which of them are not. Put that third list in writing tonight. It is the one artifact that turns a hollow guarantee back into a managed risk.