June 3, 2026: How to Meet the Reg S-P 30-Day Client Notification Requirement
Deadline Alert: June 3, 2026
If your RIA manages under $1.5 billion in AUM, this is your SEC Regulation S-P compliance deadline — less than 30 days away. The 30-day client notification requirement covered in this post is not a guideline. It is a legally required element of your compliance program as of that date. If you are behind, schedule a free 30-minute compliance review with us.
When a data incident happens, the clock starts ticking fast. And for Registered Investment Advisers (RIAs), those seconds now come with regulatory weight — and a hard deadline.
With the SEC’s amendments to Regulation S-P, firms are required to notify clients within 30 days of discovering unauthorized access to “sensitive customer information.” The same amendments add a 72-hour vendor notification requirement. For smaller RIAs (under $1.5 billion AUM), both requirements take effect on June 3, 2026 — which is now less than 30 days away.
Large RIAs have been operating under these rules since December 3, 2025. Smaller firms have had a runway to prepare. That runway is almost gone.
Having worked with over 70 RIA firms — including those who transitioned to itSynergy following the December 2025 acquisition of the Itegria practice — the pattern we see consistently is the same: firms that wait until the deadline to build their response framework are the ones who end up scrambling. The ones who prepare early are the ones who respond with confidence.
That 30-day deadline isn’t just a calendar item. It’s a trust test.
The Reality: 30 Days Isn’t a Lot of Time
Imagine this: your firm detects suspicious activity in your systems. You’re juggling detection, containment, forensics, vendor coordination, legal counsel, and compliance reporting.
Now add one more high-stakes task: notifying every client who may have been affected within 30 days of awareness.
That 30-day clock doesn’t pause while you’re investigating. It keeps running while you’re trying to understand what happened, how far it spread, and who’s impacted — especially when multiple systems and third-party vendors are involved.
The firms that meet this deadline with confidence are the ones who answered a harder question before any incident occurred: does our technology environment actually allow us to detect a breach quickly enough to have 30 days left to notify?
The New Rules, in Plain English
Here’s what the updated Reg S-P amendments require:
- Notify clients as soon as practical, but not later than 30 days of becoming aware that unauthorized access or use of customer information has occurred or is reasonably likely to have occurred — unless your investigation shows there’s no likely harm or inconvenience to the customer.
- If you can’t pinpoint which clients were affected, you must notify all clients whose data was on the compromised system.
- Vendors that handle your data must notify you within 72 hours if they experience a breach involving your data.
- You must document everything — from the investigation to notification decisions — and retain those records for at least five years.
📘 For full details, see the SEC’s Enhancements to Regulation S-P: Small Entity Compliance Guide.
Why It Matters More for RIAs
For most businesses, a data breach means bad press.
For an RIA, it can mean compliance violations, regulatory scrutiny, and client mistrust — three things that can take years to rebuild.
Clients don’t just expect you to manage their money. They expect you to protect their information. And regulators increasingly expect proof that you can respond with precision and speed.
Meeting the 30-day notification requirement isn’t just about checking a box. It’s about showing you have your house in order — technically, legally, and ethically — before your June 3 deadline arrives.
The Technology That Makes 30 Days Achievable
This is where most compliance guides stop. They tell you what the rule requires but not what your technology needs to look like for the rule to be achievable in practice.
The 30-day clock starts the moment your firm becomes aware that unauthorized access has occurred or is reasonably likely to have occurred. Not when your investigation is complete. Not when legal reviews it. When you first have reason to believe it happened.
For most smaller RIA firms, awareness comes from one of three sources: a vendor alerting you, a client reporting something suspicious, or your own systems flagging unusual activity. If you don’t have the technology in place to catch that third category, you’re relying on luck.
At minimum, your environment needs:
Centralized logging. A single record of system access events, authentication attempts, and data transfers. Without logs, you cannot determine when unauthorized access began or how far it reached — which means you cannot determine when your 30-day clock actually started.
Endpoint detection and response (EDR). Real-time visibility into device activity. This is what catches unauthorized access at the endpoint level before it spreads to client data.
Defined alert thresholds. Rules that trigger a review when access patterns fall outside normal behavior. An alert at 11pm from an unfamiliar IP address is not confirmation of a breach — but it is the event that should start your assessment process.
Without this infrastructure, a breach can go undetected for weeks. By the time you become aware, you may already have less than 30 days — or none at all.
The Smart RIA Playbook: Meeting the 30-Day Rule
Here’s what well-prepared RIA firms are doing right now:
1. Map your data before an incident happens. You can’t notify clients about affected data if you don’t know where it lives. Identify every system, vendor, and storage point that holds sensitive client information.
2. Define “awareness” clearly — and document the process. The 30-day countdown begins when you become aware, not when you finish your investigation. Your internal detection and escalation process must be fast, documented, and unambiguous.
3. Strengthen vendor oversight. Your 30-day timer may start because your vendor’s 72-hour timer started. Review vendor contracts now to ensure notification obligations are explicit. Most standard agreements don’t include this language — without it, you’re exposed even if your internal program is solid. Here’s a detailed breakdown of the 72-hour vendor requirement →
4. Build and test your notification workflow. Don’t figure out your response while the clock is running. Prepare notification templates, define approval steps, and assign communication chains. Run a tabletop exercise so your team can execute under pressure.
5. Document everything — including non-events. From first alert to final notification, every decision needs to be logged. Here’s the part most firms miss: if your team reviewed a potential incident and determined notification was not required, you still need a written record of that determination — what was reviewed, what was found, and why notification wasn’t warranted. The absence of a documented decision is itself a compliance gap.
From Compliance to Confidence
At itSynergy, we help RIA firms turn regulatory pressure into competitive advantage. We don’t just build cybersecurity systems. We build confidence into your compliance — so when June 3 arrives, you’re ready.
Our RIA-focused cybersecurity and managed services include:
- Continuous network monitoring and centralized logging to detect incidents before they escalate
- Vendor oversight support aligned to the 72-hour requirement
- Incident response planning and tabletop testing tailored to RIA regulatory expectations
- Secure data backup and disaster recovery to ensure continuity under any scenario
Because we hold both IACCP® (Investment Adviser Certified Compliance Professional) and CEH (Certified Ethical Hacker) credentials, we understand both the compliance details and the technical realities that RIAs face — a combination that very few IT providers can bring to the table.
Final Thought: June 3 Is Closer Than It Looks
Reg S-P’s 30-day notification rule reflects what your clients already expect: transparency, accountability, and security. Large RIAs have been executing under this standard since December. Smaller RIAs join them on June 3.
The firms that are ready won’t just comply. They’ll lead.
Is your firm exam-ready? Get a free 30-minute SEC compliance review with itSynergy before June 3.