
Incident Response and the Amended Reg S-P: New Breach Obligations Reach Smaller Firms

By Daniel B. Garrie

The obligations that used to sit with large, well-resourced institutions have moved down market. With the amended Reg S-P's June 3, 2026 compliance deadline here, smaller registered firms and the legal professionals who advise them now owe a documented incident response plan and a defensible notification process. The plan is no longer optional, and a written policy alone will not satisfy an examiner.


For years, the heavy cybersecurity and breach-notification obligations belonged to the firms that could most easily absorb them: large broker-dealers and advisers with in-house legal, IT, and forensic capacity. That assumption no longer holds. The SEC's 2024 amendments to Regulation S-P, with a final compliance deadline of June 3, 2026, push a concrete set of incident response and customer-notification duties onto smaller registered investment advisers and broker-dealers — and, by extension, onto the lawyers who advise them and the small firms that hold their data. Being small is not a defense, and it has never been protection. According to the ABA's 2022 Legal Technology Survey, more than a quarter of law firms reported having experienced a security breach. Smaller organizations are attractive targets precisely because sensitive data is concentrated and an attacker does not have to dig.

I get a version of the same question from smaller firms in nearly every engagement now: is a written privacy policy enough? It is not. The amended rule, like the examiners enforcing it, asks for operational proof — evidence that controls exist, that they function, and that the firm actually followed its own documented procedures when something went wrong. That is a different standard than having a binder on the shelf.

What the amended Reg S-P actually demands

The original Reg S-P required a written privacy policy and reasonable safeguards for customer records. The 2024 amendments substantially expand that baseline into a comprehensive written information security program spanning administrative, technical, and physical safeguards. The pieces that matter most in practice:

  • A written incident response plan with specific decision criteria and notification timelines — not aspirations, but triggers and deadlines a firm can be measured against.
  • Customer notification when a breach involves customer information, with the firm able to demonstrate it followed its own documented procedures.
  • Vendor and service-provider oversight, including contractual security obligations in writing — and the firm remains responsible for customer notification even when the vendor is the source of the breach.
  • A data inventory and classification system, least-privilege access controls, and encryption of customer data in transit and at rest.
  • Periodic testing, staff training, and recordkeeping of risk assessments, incidents, and evidence that controls are working.

The operationally demanding piece is the incident response plan. The rule does not just ask whether a firm intends to respond well; it asks whether the firm can show, after the fact, that it executed a documented process. The shift in vendor liability deserves its own emphasis: if a third-party processor suffers a breach that exposes customer data, the registered firm bears the notification obligation and the regulatory exposure. Vendor due diligence stops being a compliance checkbox and becomes genuine risk management.

What an incident response plan must contain

An incident response plan (IRP) is a detailed, written document, not a one-page summary. The structure that holds up under both technical and regulatory scrutiny tracks the recognized response phases:

Identification and detection

Define what counts as an incident and how it will be detected. Establish how staff report suspicious activity and to whom. A person who notices unusual network behavior or a phishing attempt should know exactly where that report goes — confusion at this stage costs the firm its earliest and cheapest window to contain the problem.

Response team and roles

Even a small firm should name an incident response coordinator, a legal advisor, and IT support — the last of which can be an external consultant. Ambiguity about who owns each decision is the single most common failure I see when a plan meets a real event. The notification clock is running, and that is the worst moment to be litigating responsibilities internally.

Containment, eradication, and recovery

Detail the steps to isolate affected systems, stop further damage, and restore from clean backups. A ransomware scenario is the obvious test: a recent, encrypted, tested backup can be the difference between restoring data and confronting a ransom demand. Recovery is not complete until the firm has verified the environment is clean and functioning.

Communication and notification

Set out how the firm communicates with affected customers, staff, and regulators, and on what timeline. Under the amended rule, this is no longer discretionary. The plan should map the notification thresholds and deadlines the firm has committed to, because an examiner will compare what happened against what the firm said it would do.

Post-incident review

After the event, review what worked, what did not, and what changes the plan needs. This is also where forensic readiness pays off: a documented timeline of what was accessed, when, and by whom is what turns a chaotic event into a defensible record — and it is the same record that matters if the incident ends up in litigation.

Why forensic and preservation readiness belongs in the plan

Smaller firms routinely overlook the forensic dimension, and it is the one that hurts most later. Logs have to be configured for two purposes at once: practical utility during a response, and legal admissibility afterward. A log that nobody can authenticate, or that rolled over before anyone preserved it, is not evidence — it is a gap the firm will have to explain. When a breach becomes a regulatory inquiry or a lawsuit, the questions are familiar from any e-discovery dispute: what did you have, when did you preserve it, and can you prove the chain. Building preservation into the IRP — knowing which sources to lock down and doing it before routine retention overwrites them — is what keeps a bad day from becoming a spoliation problem.
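As an added example, not from the article or its author: a minimal preservation routine in Python that copies a log source into a vault, records its SHA-256 hash, custodian, and collection time in an append-only custody log, and re-hashes the copy on demand so the firm can show the record is unchanged. The sample log lines, vault layout, custodian name, and ticket reference are constructed placeholders.

```python
"""Preservation snapshot for log evidence: copy, hash, record custody, verify."""
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample auth-log lines (not real data) standing in for a log source.
SAMPLE_LOG = (
    "2026-05-01T02:14:07Z sshd[4121]: Failed password for admin from 203.0.113.9\n"
    "2026-05-01T02:14:09Z sshd[4121]: Failed password for admin from 203.0.113.9\n"
    "2026-05-01T02:14:15Z sshd[4133]: Accepted password for admin from 203.0.113.9\n"
)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(source: Path, vault: Path, custodian: str, reason: str) -> dict:
    """Copy a log source into the vault and append a custody record with its hash."""
    vault.mkdir(parents=True, exist_ok=True)
    dest = vault / source.name
    shutil.copy2(source, dest)  # copy2 keeps the file timestamps on the copy
    entry = {
        "source": str(source), "preserved_copy": str(dest),
        "sha256": sha256_file(dest), "size_bytes": dest.stat().st_size,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian, "reason": reason,
    }
    with (vault / "custody.jsonl").open("a") as f:  # append-only custody log
        f.write(json.dumps(entry) + "\n")
    return entry

def verify(entry: dict) -> bool:
    """Re-hash the preserved copy; a mismatch means it cannot be authenticated."""
    copy = Path(entry["preserved_copy"])
    return copy.exists() and sha256_file(copy) == entry["sha256"]

def demo() -> tuple:
    """Preserve a constructed log, verify it, then show that tampering is detected."""
    work = Path(tempfile.mkdtemp())
    src = work / "auth.log"
    src.write_text(SAMPLE_LOG)
    entry = preserve(src, work / "vault", "IR coordinator", "IR-0001 (placeholder)")
    intact = verify(entry)
    Path(entry["preserved_copy"]).write_text(SAMPLE_LOG.replace("Accepted", "Failed"))
    return intact, verify(entry)
```

In practice the custody log itself should live on storage the response team cannot silently rewrite, and the hash should be recorded at collection time, before routine retention can roll the source over.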

Practical steps for small and mid-size firms

The firms that struggle are not the ones unaware of the deadline; they are the ones that treated the IRP as a document to file rather than a process to rehearse. A workable sequence:

  1. Run a risk assessment first. Identify the data you hold, the realistic threats, and the controls proportionate to your size and business model. The SEC offers limited prescriptive guidance, so you will need to make — and defend — reasonable, risk-based decisions.
  2. Put the controls in place that the rule assumes: multi-factor authentication, encryption at rest and in transit, role-based least-privilege access, and centralized logging with secure retention.
  3. Draft the incident response plan with real triggers — what constitutes a reportable incident, who decides, and what the notification timeline is — rather than generalities.
  4. Get vendor contracts in writing with specific security obligations, and assess the vendors that touch customer data. Remember that their breach is your notification obligation.
  5. Test the plan through a tabletop exercise before a real event. A firm that has never practiced its response will not execute it well under pressure, and the gaps surface only when you rehearse.
  6. Assemble an exam-ready documentation package: risk assessments, the IRP, training records, and evidence that controls are functioning — proof, not just policy.

The bottom line

A defensible compliance program under the amended Reg S-P is not a set of written policies; it is an integrated combination of legal interpretation, technical implementation, and documented operational evidence that controls work as described. Smaller firms now carry obligations that used to belong to far larger institutions, and the examiners enforcing them expect operational compliance, not written intent. The same discipline applies whether the next reader of your records is an SEC examiner or opposing counsel in litigation: a plan you have tested, controls you can prove, and preservation you handled before it was too late. If your firm is building or stress-testing an incident response plan, or you are facing a breach where preservation and forensic readiness are in play, the window to do it right is before the event — not after. You can start a scoping conversation through our home page or email the team directly to discuss a conflict check and approach.

Daniel B. Garrie has served as an eDiscovery expert, Special Master, and discovery referee in 100+ courts and tribunals nationwide. Send the matter name, jurisdiction, and key dates for a prompt conflict check and a scoping conversation.