When a data breach occurs at your RIA firm — or at a vendor holding your client data — you have 30 calendar days to notify affected customers. Not 30 business days. Not 30 days from the conclusion of your forensic investigation. Thirty calendar days from the point at which your firm becomes aware of the incident.

This is one of the most operationally demanding requirements in Reg S-P’s 2024 amendments, and it is one that most small RIA firms are not currently equipped to execute. They have no written procedure for it, no defined decision protocol for determining when the notification trigger is met, and no template for the notification itself. If a breach occurred today, many of these firms would still be deciding whom to call after the 30-day window had already closed.

The Legal Framework: What Reg S-P Actually Says

Under SEC Release No. 34-100155, covered institutions — including SEC-registered investment advisers — must notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The notification must occur “as soon as reasonably practicable, but not later than 30 days” after the firm becomes aware of the breach.

There are several important layers packed into that language:

  • “Sensitive customer information” is defined broadly to include Social Security numbers, financial account numbers, credit card numbers, and any other information that could be used to commit identity theft or fraud against the customer
  • “Accessed or used without authorization” includes incidents where unauthorized access occurred but there is no confirmed evidence of actual use or exfiltration — the risk of harm is sufficient to trigger notification in many cases
  • “Reasonably likely to have been” — the standard is not certainty; it is likelihood, which means an inconclusive investigation does not stop the clock
  • “Becomes aware” — the clock starts when your firm has actual knowledge of an incident, not when the investigation concludes or when a vendor confirms the breach scope

What Triggers the 30-Day Clock

Understanding the trigger is critical because firms routinely misidentify when the clock starts. The trigger is awareness of a potential unauthorized access event involving sensitive customer information — not confirmation of harm, not completion of forensic analysis, not vendor notification of the full scope of the breach.

Direct Incidents at Your Firm

  • A phishing attack that compromised an employee email account with access to client files
  • Ransomware infection that encrypted client data folders
  • An employee who accessed and exfiltrated client data before departing
  • Discovery that unauthorized third-party access to your CRM or financial planning system occurred
  • Loss or theft of a device containing unencrypted client data

Vendor-Side Incidents

This is where the two compliance timelines collide. When a service provider notifies you — under the 72-hour contractual notification requirement — that an incident occurred on their platform that may have involved your client data, your 30-day clock starts from the moment you receive that notification, not from when the vendor completes its investigation.

A major CRM or portfolio management platform might take weeks to complete a forensic investigation. If they notify you on day one that an incident occurred involving your data, you have 30 days from that notification — not 30 days from the end of their investigation. Your notification procedure must account for situations where you are notifying customers with incomplete information about the breach scope because the vendor’s investigation is still in progress.

Who Must Be Notified

Notification is required for individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. In practice, this means:

  • Current clients whose data was involved in the incident
  • Former clients whose data was stored and involved in the incident — the obligation does not end when the client relationship ends if the data is still retained
  • Prospective clients whose data was collected and stored but who never became active clients

For vendor-side incidents where the full scope is not yet known, your notification procedure should address whether to notify conservatively — a broader set of potentially affected individuals — or to wait for scope confirmation and risk missing the 30-day window for some customers. The SEC’s Release No. 34-100155 guidance indicates that when the scope of a breach is uncertain, covered institutions should err toward notification rather than waiting for forensic confirmation. The 30-day clock does not pause for investigation.

What the Notification Must Contain

Reg S-P specifies that customer notifications must include, at a minimum:

  • A description of the incident: What happened, when it occurred (to the extent known), and what type of information was involved
  • A description of the information involved: What specific categories of sensitive customer information were or may have been accessed
  • What the firm has done or is doing: Steps taken to contain the incident and prevent further unauthorized access
  • What the customer should do: Steps customers can take to protect themselves — placing fraud alerts, monitoring credit reports, reviewing account statements
  • Contact information: A specific point of contact at the firm for questions about the incident, with actual contact details (not a general firm phone number)

The notification must be clear, plain-language, and not buried in legal disclaimers. Regulators reviewing notification letters have found fault with letters that technically contained all required elements but presented them in language designed to obscure rather than inform. The regulatory standard is whether a customer receiving the letter would actually understand what happened and what to do next.

Method of Notification

The regulation provides flexibility in notification method, but the default requirement is written notice delivered to the customer’s last known address. Electronic notice is permissible when the customer has consented to electronic communications. For most advisory firms with modern client portals and e-delivery consents on file, electronic notification is both permissible and faster.

Your 30-Day Customer Notification Procedure must specify the notification method your firm will use, the process for verifying that current addresses or email addresses are on file, and how the firm handles customers whose contact information is outdated or unavailable.

The Interaction with State Breach Notification Laws

Reg S-P’s 30-day notification requirement operates in parallel with — not instead of — state data breach notification laws. Most states have their own breach notification statutes, with their own definitions of what constitutes a breach, their own notification timeframes, and their own content requirements. Many state laws have shorter timeframes than 30 days.

California’s Consumer Privacy Act requires notification “in the most expedient time possible and without unreasonable delay.” New York’s SHIELD Act requires notification “in the most expedient time possible.” Texas requires notification “as quickly as possible” and no later than 60 days. These state law obligations do not disappear because Reg S-P imposes a 30-day federal deadline.

Your notification procedure must comply with the most restrictive applicable law. If California law requires notification “without unreasonable delay” and Reg S-P gives you 30 days, you operate on California’s standard for California clients. This means your procedure must be jurisdiction-aware — not a single notification template, but a procedure that identifies which state laws apply to which clients and sequences notification accordingly.

Safe Harbor Provisions

Reg S-P provides a safe harbor that, if certain conditions are met, eliminates the customer notification requirement even if sensitive customer information was involved in an incident. The safe harbor applies when:

  • The covered institution has determined, after a reasonable investigation, that the sensitive customer information that was accessed or used without authorization is not reasonably likely to result in substantial harm or inconvenience to affected customers; and
  • The covered institution documents that determination and the basis for it

The safe harbor is meaningful but narrow. It requires an actual investigation with documented findings. It requires a documented determination by the firm — not just an assumption — that harm is not reasonably likely. And it requires that the documentation be retained as part of the firm’s six-year recordkeeping obligation.

Firms sometimes misapply this safe harbor by treating it as a general “our breach was small, so we don’t need to notify” exception. That is not how it works. Without a documented investigation and a documented determination, the safe harbor does not apply. And the safe harbor does not apply to vendor-side breaches where the full scope of information accessed is not yet known.

Red Flags: What an Inadequate Notification Procedure Looks Like

When SEC examiners review a firm’s 30-Day Customer Notification Procedure — if the firm has one at all — these are the deficiencies they find most commonly:

  • No defined trigger: The procedure references “data breaches” without defining what constitutes a breach or when the clock starts
  • No clock management: No mechanism for tracking when the 30-day window expires for a specific incident
  • No draft notification template: The procedure says the firm will notify customers but does not specify what the notification will say or who will draft it
  • No state law mapping: The procedure addresses only the federal 30-day deadline without considering state-specific shorter timeframes
  • No safe harbor documentation process: No procedure for documenting safe harbor determinations, which means the safe harbor is effectively unavailable to the firm when needed
  • No integration with the IRP: The notification procedure exists as a standalone document with no connection to the Incident Response Plan, which means in an actual incident the two procedures may conflict or create gaps

The Real Risk: What Happens When Notification Fails

Failure to comply with the 30-day notification requirement is a direct SEC violation that does not require an examiner to find inadequate documentation — it is provable from the fact of the breach and the absence of timely notification. Unlike some Reg S-P requirements that can be partially mitigated by demonstrating good-faith effort, missing the notification deadline is a binary violation.

Beyond SEC enforcement, failure to notify affected customers within the required timeframe creates direct civil liability exposure. Affected customers have a clear basis for claims that the firm’s failure to notify them promptly prevented them from taking protective action — freezing credit, monitoring accounts, changing credentials — and that this failure caused measurable harm.

The 30-day notification requirement is not an obscure technicality. It is a concrete obligation with a hard deadline, and firms that experience breaches without having this procedure documented and operational will face consequences that compound quickly.

What a Compliant Procedure Looks Like in Practice

A compliant 30-Day Customer Notification Procedure for a small RIA:

  • Defines precisely what events trigger the notification obligation
  • Establishes a clear 30-day tracking mechanism with specific check-in points
  • Identifies the person responsible for making the notification decision
  • Includes a notification letter template with all required elements pre-drafted
  • Addresses both federal and state notification requirements with a jurisdiction matrix for the firm’s client base
  • Documents the safe harbor determination process and recordkeeping requirement
  • Integrates with the firm’s Incident Response Plan so the notification trigger is embedded in the IRP’s incident assessment phase
  • Addresses vendor-side incidents where notification is triggered by the 72-hour vendor notification the firm receives

This is not a five-paragraph policy statement. It is an operational procedure that tells your firm exactly what to do, in what order, by what deadline, with what content, and how to document that it happened.

The Bottom Line on 30-Day Notification

The 30-day requirement is operationally demanding because it requires speed during the worst possible moment — an active incident. The firms that execute this well are not the ones who have it memorized. They are the ones who have a written procedure, a pre-drafted notification template, and a decision protocol so that when an incident occurs, no one is figuring out what to do while the clock runs.

Get It Done Before June 3, 2026

The deadline for small RIAs is June 3, 2026. The notification procedure is one of five required compliance deliverables that must be in place by that date. It must be current, firm-specific, integrated with your IRP, and aligned with your state law obligations.

If you do not currently have a documented 30-Day Customer Notification Procedure that meets these standards, you have a gap that needs to close now — not in May 2026 when the deadline is two weeks away.

Get your firm’s complete Reg S-P compliance package — including a firm-specific 30-Day Customer Notification Procedure, Written IRP, and all other required deliverables, attorney-reviewed and delivered in 3 business days — at mrfixitgeeks.com/reg-sp-compliance.
