SEC Reg S-P: Every Broker-Dealer Needs a Written Incident Response Program by June 3, 2026
The SEC isn't playing around. Amended Regulation S-P (Rule 248.30) now requires every broker-dealer, investment adviser, and transfer agent to maintain a Written Incident Response Program (WIRP) for cybersecurity incidents involving customer information.
The compliance deadline for broker-dealers is June 3, 2026. That's 65 days away.
What Is a WIRP?
A Written Incident Response Program is a formal, documented plan for how your firm will:
- Detect unauthorized access to customer information
- Respond to cybersecurity incidents
- Notify affected individuals within required timeframes
- Recover systems and data
- Document everything for regulatory examination
This isn't optional guidance — it's a rule with examination and enforcement consequences.
What the SEC Requires in Your WIRP
The amended Rule 38a-1 and supporting guidance specify that your WIRP must address:
Incident Detection & Assessment
- How your firm identifies potential breaches
- Classification framework (severity levels)
- Escalation procedures
- Initial assessment protocols
Response Procedures
- Containment steps for different incident types
- Forensic investigation process
- Evidence preservation requirements
- External expert engagement criteria
Notification Requirements
This is the big one. The amended rule requires:
- Individual notice to affected customers "as soon as practicable" but no later than 30 days after discovery
- Notice must include: description of the incident, types of information involved, contact information, and steps individuals can take
- Notice to the SEC via Form ADV or other filing
Recovery & Business Continuity
- System restoration procedures
- Data recovery processes
- Business continuity activation
- Post-incident review
Annual Testing & Review
- The WIRP must be tested annually
- The CCO must review and certify the program
- Updates required after material changes or actual incidents
What Happens If You Don't Comply?
The SEC's Division of Examinations has already flagged Reg S-P WIRP compliance as a 2026 examination priority. Expect:
- Deficiency letters during routine exams
- Referrals to Enforcement for repeated non-compliance
- Potential fines under Section 21B of the Securities Exchange Act
The Compliance Gap
Most small-to-mid-size BDs don't have a WIRP. They have:
- An informal "call the IT guy" process
- Maybe a paragraph in their compliance manual
- Nothing that meets Rule 38a-1 requirements
A compliance attorney will charge $5,000–$15,000 to draft a custom WIRP. You'll wait 3–6 weeks.
Generate Your BD WIRP in Minutes
BDWIRPKit generates a comprehensive Written Incident Response Program tailored to your broker-dealer — covering all Rule 38a-1 requirements, notification procedures, and annual testing frameworks.
Generate Your WIRP — $199.99
Timeline for Compliance
Here's a realistic timeline if you start today:
| Week | Action |
|---|---|
| Week 1 | Generate WIRP draft, begin attorney review |
| Week 2-3 | Attorney customization and approval |
| Week 4 | CCO review and board/management adoption |
| Week 5-6 | Staff training on the program |
| Week 7 | Initial tabletop test |
| Week 8 | Documentation complete, compliance achieved |
With 9 weeks until the deadline, you need to start now. The hardest part — the initial draft — can be done in minutes.