
The SEC started a 30-day breach clock at your firm four months ago

Most CCOs don’t know it’s running.


On December 3, 2025, the SEC’s amended Regulation S-P took full effect for every registered investment adviser with $1.5 billion or more in AUM, every broker-dealer that isn’t a small entity under the Exchange Act, every investment company with $1 billion in net assets, and every funding portal. Smaller entities have until June 3, 2026, seven weeks away. Unlike NYDFS Part 500, there is no annual certification. No signature. No public attestation. Which is exactly why most firms quietly walked past the deadline without doing the work.


The rule requires four things most firms have not implemented.


First, a written incident response program designed to detect, respond to, and recover from unauthorized access to customer information. Not a paragraph in the WISP, but a documented program with detection, containment, recovery, and notification procedures, operationally tested, with named roles. Most firms have a one-page IRP carved out of a 2019 policy. That doesn’t qualify.


Second, customer notification as soon as practicable but no later than 30 days after becoming aware that unauthorized access has occurred or is reasonably likely to have occurred. “Reasonably likely” is the trap. The clock starts at suspicion, not forensic certainty. Most firms cannot say when the clock starts or who pulls the trigger.


Third, service provider oversight. Written procedures requiring third parties with access to customer information to notify the firm within 72 hours of any breach at their end. That’s a contract amendment with every fund administrator, cloud provider, compliance consultant, and MSP. Most firms have done none of it.


Fourth, recordkeeping. Documentation of the program, the testing, the incidents, the notifications, the vendor oversight. SEC examiners read what’s documented, not what was intended.


The first examination cycle after December 3 is running now. Examiners are asking for the IRP, the vendor amendments, the incident logs. Firms that improvised compliance are about to learn that an exam letter is itself a compliance test. The first breach at a firm with a defective IRP will not be a privacy incident; it will be an enforcement matter.


We don’t deploy juniors to draft incident response programs that SEC examiners will read. Senior SMEs only. The exam window is open. June 3 is seven weeks away. Build the program before the breach forces it.

Timcke Risk Management, LLC

660 Massachusetts Ave

6th Floor, Boston, MA 02118

 

© 2025 by Timcke Risk Management, LLC
