Critical issue? Call (205) 418-3800
Evolv IT

Compliance

SEC Reg S-P is fully in force: can your firm actually hit the 30-day notification clock?

Published July 13, 2026 · Last updated July 13, 2026 · By Daniel, CEO

The amended SEC Regulation S-P is now fully in force for every covered firm. It requires a written incident response program, customer notification within 30 days of discovering a breach of sensitive customer information, oversight of service providers, and recordkeeping to prove all of it. Larger entities had to comply by December 2025; smaller entities by June 3, 2026. The SEC has named Reg S-P an examination priority, which means the question is no longer whether your program exists on paper but whether it works on a clock.

What does the amended Reg S-P actually require?

Four things, in plain language. First, a written incident response program: documented, adopted, and specific to your firm, covering how you detect, assess, contain, and recover from unauthorized access to customer information. Second, customer notification within 30 days of becoming aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Third, service provider oversight: if a vendor touches customer information, you need reasonable assurance they will protect it and tell you when something goes wrong. Fourth, recordkeeping: evidence that the program exists and that you followed it.

Why is the 30-day clock harder than it sounds?

Because the clock starts at discovery, not at the end of your investigation. Thirty days must cover confirming what happened, determining whose information was involved, deciding what the notice says, and getting it out the door. Firms that have never rehearsed this discover that each step takes longer than expected: logs are incomplete, the vendor is slow to answer, nobody is sure who approves the notice.

Detection is the hidden half of the problem. If an incident sits unnoticed for weeks, your practical response window shrinks before the clock officially starts. Around-the-clock monitoring and disciplined alerting, the core of a real cybersecurity and compliance program, are what make a 30-day commitment achievable rather than aspirational.

What does service provider oversight mean for your IT vendor?

It means your IT provider is now part of your regulatory posture. You are expected to have reasonable oversight of vendors that handle customer information, including arrangements for them to notify you promptly when an incident touches your data, because their delay becomes your violation. Ask your provider two questions in writing: how quickly will you tell us about an incident affecting our data, and what evidence do you maintain that we could hand to an examiner? A provider who cannot answer crisply is a finding waiting to happen. This is a core part of how we run IT for financial services firms.

What should your firm verify right now?

Five checks, none of which require a consultant to start. One: the incident response program is written, current, and names actual people, not titles that no longer exist. Two: someone has run a tabletop exercise against the 30-day clock in the last year. Three: your customer information inventory is accurate enough to determine, quickly, whose data an incident touched. Four: every vendor with access to customer information has notification obligations in the contract. Five: the records you would show an examiner exist today, not after a scramble.

If any of those checks fails, that is your starting list. With Reg S-P named an exam priority, the firms that treat this as an operating discipline rather than a document will be the ones that come through an exam, or an incident, without drama.

When did the amended Reg S-P deadlines hit?
Larger entities had to comply by December 2025. Smaller entities had until June 3, 2026. As of today, every covered firm is expected to be in compliance, and the SEC has named Reg S-P an examination priority.
Does the 30-day clock start when we confirm a breach?
No. The clock runs from when the firm becomes aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred. Investigation time counts against the 30 days, which is why detection speed and a rehearsed response process matter.
We outsource IT. Does that satisfy the service provider oversight requirement?
Outsourcing the work does not outsource the obligation. Your firm must have reasonable oversight of service providers that touch customer information, including provisions for them to notify you of relevant incidents so you can meet your own 30-day clock. Ask your provider to show you, in writing, how they support that.

Exam-Ready, Not Exam-Scrambling

Find the gaps before an examiner or an incident does.

The AI Readiness Assessment includes a governance scorecard against your compliance obligations.