
Reg S-P Compliance Checklist for RIAs Before The Deadline

  • Writer: Harrison Baron
  • Apr 13
  • 15 min read

If you run an RIA and manage less than $1.5 billion in assets, this Reg S-P compliance checklist for RIAs covers what you need before the deadline on June 3, 2026.


The SEC's amended Regulation S-P requires you to have a written incident response program, a customer notification process, vendor oversight documentation, and exam-ready records.

These are not optional upgrades. They are enforceable requirements that SEC examiners will look for during your next review.


Many RIAs assume they have more time than they actually do.

Building out compliant policies, updating vendor contracts, testing incident response workflows, and organizing five years of documentation takes months of coordinated effort across legal, compliance, and IT.

If your firm has not started this work yet, the window to get it done properly is closing fast.

This article walks through seven checklist items you need to address before the compliance date.

Each item includes specific requirements, practical guidance, and the kind of documentation that holds up under examination.

Key Takeaways

  • Every SEC-registered RIA must comply with amended Regulation S-P by June 3, 2026, regardless of firm size, so treat the deadline as a hard stop for all seven checklist items.

  • The rule requires a written incident response program, 30-day customer notification capability, vendor oversight documentation, data safeguards, and five years of recordkeeping.

  • Compliance depends on coordination between your legal counsel, compliance team, and IT or cybersecurity partners, and starting now gives you time to test and fix gaps before examiners arrive.

Reg S-P Deadline Snapshot for RIAs


The SEC adopted amendments to Regulation S-P on May 15, 2024, creating a two-phase compliance timeline based on assets under management.

Larger firms have already reached their deadline.

Smaller RIAs have until June 3, 2026, but that date is closer than most realize.

Who Must Comply by June 3, 2026

If you are an SEC-registered investment adviser with less than $1.5 billion in regulatory assets under management, your compliance deadline is June 3, 2026.

This applies to the full scope of the amended rule, including incident response programs, customer notification procedures, vendor oversight, and recordkeeping.

As noted by Parker MacIntyre's RIA compliance analysis, the compliance deadlines are firm.

Larger entities, those with $1.5 billion or more in AUM, were required to comply by December 3, 2025.

How the $1.5 Billion AUM Threshold Changes the Timeline

The $1.5 billion AUM threshold determines only the compliance date, not the scope of what is required.

Both large and small RIAs face the same obligations under the amended Regulation S-P.

Smaller firms simply have a later deadline.

This means you can look at how larger firms have already implemented their programs and learn from their experience.

It also means SEC examiners have already started reviewing larger firms under the new standards, which gives you a preview of what they will expect from you.

Why Smaller RIAs Cannot Treat This as a Last-Minute Project

Building a compliant program involves written policies, vendor contract renegotiation, notification templates, data mapping, staff training, and documentation systems.

Each of these workstreams requires input from legal counsel, your compliance team, and your IT or cybersecurity partner.

Waiting until Q2 2026 means compressing months of work into weeks.

Vendor contract amendments alone can take 30 to 60 days to negotiate and execute.

As Goodwin's analysis of the regulation notes, the amendments require firms to adopt breach response plans, notify customers, and oversee vendors on a timeline that demands preparation.

What the Amended Rule Requires at a Glance

The amended Regulation S-P expands what you must do to protect customer information, how you respond to incidents, and what you document.

It builds on the Gramm-Leach-Bliley Act framework but adds specific, enforceable requirements around incident response, notification, and vendor management.

The Four Core Obligations Under Amended Regulation S-P

Your firm must meet four primary requirements:

  1. Written incident response program with policies and procedures for detecting, responding to, and recovering from unauthorized access to customer information.

  2. Customer notification within 30 days of discovering a breach involving sensitive customer information, unless a reasonable investigation determines no substantial harm or inconvenience is likely.

  3. Service provider oversight through written agreements and ongoing monitoring to ensure vendors protect customer information and report incidents within 72 hours.

  4. Recordkeeping that documents your policies, incident investigations, notification decisions, and compliance activities for at least five years.

A high-level checklist from Sidley Austin outlines these same core areas as the focal points for compliance preparation.

How Customer Information Scope Has Expanded

The amendments apply to all nonpublic personal information, which is broader than many firms realize.

This includes data you collect directly from clients, data generated through transactions, and data received from third parties.

It covers both digital and physical records.

The SEC's small entity compliance guide clarifies that "sensitive customer information" is any piece of nonpublic personal information that could result in substantial harm or inconvenience to the individual if accessed without authorization.

This includes Social Security numbers, account numbers, and financial data.

Why This Is Both a Compliance and Cybersecurity Issue

Meeting Regulation S-P is not just about having the right paperwork.

The rule requires real security controls: endpoint protection, encryption, access management, monitoring, and secure disposal of data.

As the IAPP noted in its analysis, the amendments reflect the SEC's recognition that financial firms must reassess how they collect, store, and protect customer information in today's environment.

Your compliance program and your cybersecurity program must work together.

Checklist Item 1: Written Incident Response Program

The foundation of your amended Reg S-P compliance is a written incident response program.

This is not a generic IT document.

It must address specific regulatory requirements and be tailored to your firm's operations, systems, and data environment.

What Written Policies and Procedures Must Cover

Your incident response program must include written policies and procedures that address how your firm will detect unauthorized access to customer information, assess the scope and nature of any incident, and take steps to contain and remediate the issue.

According to Sidley Austin's detailed checklist, your written policies must specifically cover:

  • Assessment and reasonable investigation of any incident

  • Identification of affected customer information systems

  • Containment and remediation steps

  • Customer notification decision-making

  • Coordination with service providers

The program cannot be a static document that sits in a filing cabinet.

It must reflect how your firm actually operates.

Roles, Escalation Paths, and Decision Authority

Every incident response program needs clear role assignments. Who receives the initial alert?

Who conducts the investigation? Who decides whether customer notification is required?

As outlined by the National Law Review's analysis of the amendments, the SEC expects registered investment advisers to adopt programs with defined escalation paths.

If your compliance officer is on vacation and a breach occurs, your plan must account for that scenario.

Document the following for each role:

  • Name and title

  • Backup or alternate contact

  • Decision authority level

  • Communication responsibilities

Containment, Recovery, and Reasonable Investigation Standards

When an incident occurs, you must conduct a "reasonable investigation" to determine whether sensitive customer information was actually compromised.

This is not a vague standard. Examiners will look for documented evidence that your firm took deliberate steps to assess the scope.

Your program should define what containment looks like for your environment. This might include isolating affected endpoints, revoking compromised credentials, or disabling a vendor's access.

Adviser Compliance Consulting notes that firms should redesign incident response procedures to align with the new safeguards.

Recovery procedures should address restoring systems, validating data integrity, and preserving forensic evidence for your investigation records.

Partners like Secure Wealth IT that specialize in financial firm cybersecurity can help design containment and recovery workflows that align with both NIST standards and Reg S-P requirements.

Checklist Item 2: 30-Day Customer Notification Readiness


The 30-day customer notification requirement is one of the most significant additions to Regulation S-P.

You need a tested process ready to execute before an incident occurs, not a plan you scramble to create after discovering a breach.

When the Customer Notification Requirement Is Triggered

You must notify affected customers when your firm becomes aware of an incident involving unauthorized access to or use of sensitive customer information.

The 30-day clock starts when you learn of the breach, not when you finish your investigation.

There is one exception. If your firm conducts a reasonable investigation and determines that the sensitive customer information has not been and is not reasonably likely to be used in a way that would cause substantial harm or inconvenience, notification is not required.

You must document that determination thoroughly.

As Ropes & Gray explains, this exception is narrow.

If you cannot identify which specific clients may be affected, you must notify all of your clients.

How to Assess Substantial Harm or Inconvenience

Your investigation must evaluate the type of data involved, the likelihood it was actually accessed or used, and the potential consequences for affected clients.

Social Security numbers and account credentials carry a higher risk than a client's name alone.

Document the factors you considered, the evidence you reviewed, and the reasoning behind your conclusion.

SEC examiners will want to see that this was a deliberate process, not a cursory decision to avoid notification.

What a Defensible Notification Workflow Should Include

Build a workflow that starts the moment you detect a potential incident:

  1. Trigger identification: Define what events initiate the notification assessment.

  2. Investigation timeline: Set internal deadlines shorter than 30 days to allow time for review and approval.

  3. Decision documentation: Record who made the notification decision and why.

  4. Notification delivery: Establish delivery methods (email, mail, or both) and tracking.

  5. Follow-up: Plan for client inquiries and ongoing communication.

As itSynergy highlights, when a data incident happens, the clock starts ticking fast.

Building this workflow in advance is the only way to consistently meet the 30-day deadline.
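The two clocks in the workflow above, as an added example that is not code from the article or from any firm it names: a Python check of an incident record against the 72-hour vendor report and the 30-day customer notice, which runs from the firm's awareness rather than from the end of the investigation, plus the documentation requirement for a no-notice decision. The record fields, the 20-day internal target and the sample incidents are this example's own assumptions.

```python
"""Reg S-P incident clock check.

Added example, not code from the article or from any firm or vendor it names.
It assumes an incident record captures the timestamps below and checks the two
clocks the amended rule describes: the vendor's 72-hour report to the firm and
the firm's 30-day customer notice, which runs from the firm's awareness, not
from the end of its investigation. Field and function names are this
example's own. The 20-day internal target is an assumed firm policy, not a
rule value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

VENDOR_REPORT_WINDOW = timedelta(hours=72)
CUSTOMER_NOTICE_WINDOW = timedelta(days=30)
INTERNAL_TARGET = timedelta(days=20)     # assumed internal buffer for review and approvals
RETENTION_YEARS = 5


@dataclass
class IncidentRecord:
    incident_id: str
    firm_aware: datetime                           # starts the 30-day customer-notice clock
    vendor_discovered: Optional[datetime] = None   # None when the incident was found in-house
    investigation_closed: Optional[datetime] = None
    notice_required: Optional[bool] = None         # None = decision not yet made
    notice_sent: Optional[datetime] = None
    decision_documented: bool = False              # reasonable-investigation write-up on file


def customer_notice_deadline(rec: IncidentRecord) -> datetime:
    # The clock runs from awareness; investigation_closed is deliberately not used here.
    return rec.firm_aware + CUSTOMER_NOTICE_WINDOW


def retain_until(rec: IncidentRecord) -> datetime:
    """Five-year retention measured from the last dated event on the record."""
    last = max(d for d in (rec.firm_aware, rec.investigation_closed, rec.notice_sent) if d)
    try:
        return last.replace(year=last.year + RETENTION_YEARS)
    except ValueError:            # 29 February with no leap day five years on
        return (last + timedelta(days=1)).replace(year=last.year + RETENTION_YEARS)


def evaluate(rec: IncidentRecord, now: datetime) -> List[str]:
    """Return findings an examiner could raise against this record; empty means clean."""
    findings = []
    if rec.vendor_discovered is not None:
        lag = rec.firm_aware - rec.vendor_discovered
        if lag > VENDOR_REPORT_WINDOW:
            hours = int(lag.total_seconds() // 3600)
            findings.append(f"vendor reported {hours}h after discovery (contract limit 72h)")
    deadline = customer_notice_deadline(rec)
    if rec.notice_required is None:
        if now > deadline:
            findings.append("30-day notice deadline passed with no notification decision")
        elif now > rec.firm_aware + INTERNAL_TARGET:
            findings.append("notification decision still open past internal target")
    elif rec.notice_required:
        if rec.notice_sent is None:
            if now > deadline:
                findings.append("notice required but not sent; 30-day deadline passed")
        elif rec.notice_sent > deadline:
            findings.append("notice sent after the 30-day deadline")
    elif not rec.decision_documented:
        findings.append("no-notice decision lacks a documented reasonable investigation")
    return findings


# Constructed sample records (dates and ids are illustrative, not real incidents).
NOW = datetime(2026, 8, 10, 9, 0)
SAMPLES = {
    "late_vendor": IncidentRecord("INC-001", datetime(2026, 7, 5, 9, 0),
                                  vendor_discovered=datetime(2026, 7, 1, 9, 0),
                                  investigation_closed=datetime(2026, 7, 15, 9, 0),
                                  notice_required=True, notice_sent=datetime(2026, 8, 3, 9, 0)),
    "undocumented_no_notice": IncidentRecord("INC-002", datetime(2026, 7, 1, 9, 0),
                                             investigation_closed=datetime(2026, 7, 8, 9, 0),
                                             notice_required=False),
    "clean": IncidentRecord("INC-003", datetime(2026, 7, 2, 9, 0),
                            vendor_discovered=datetime(2026, 7, 1, 9, 0),
                            notice_required=True, notice_sent=datetime(2026, 7, 20, 9, 0)),
    "open_decision": IncidentRecord("INC-004", datetime(2026, 7, 20, 9, 0)),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, evaluate(rec, NOW) or "OK", "retain until", retain_until(rec).date())
```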

Checklist Item 3: Notification Content, Templates, and Escalation


The SEC does not leave notification content to your discretion.

The amended rule specifies exactly what your client notices must include, and missing any required element could create exam findings.

What Client Notices Should Say

According to the amended Regulation S-P requirements outlined by Parker MacIntyre, every customer notification must include:

  • A description of the breach and the types of client information affected

  • What your firm has done to protect information from further breach

  • The date or estimated date range of the breach, if known

  • Contact information, including a phone number, email, mailing address, and a specific office name

  • A recommendation that clients review account statements and report suspicious activity

  • An explanation of how to place fraud alerts on credit reports

  • A recommendation to regularly check credit reports and remove fraudulent information

  • Instructions on how to obtain free credit reports

  • FTC contact information, the FTC website address, and guidance on reporting identity theft

This is a detailed list. Missing even one element creates a gap that an examiner can flag.

How Notification Templates Reduce Delays

Pre-built notification templates allow your team to respond quickly without starting from scratch during a crisis.

Create templates for different breach scenarios: compromised credentials, unauthorized system access, vendor-related incidents, and ransomware events.

Each template should have placeholders for incident-specific details while including all nine required content elements.

Xantrion's S-P compliance checklist emphasizes having these components ready as part of your compliance program.

The Salus GRC compliance guide also provides practical tips for structuring these communications.

Internal Approvals and Communication Coordination

Define who must approve notification content before it goes out.

This typically involves your compliance officer, legal counsel, and a senior executive.

Set maximum review times for each approver so the 30-day deadline does not slip.

Coordinate with your IT team to confirm technical details included in the notice.

If your firm uses an outside cybersecurity partner, build them into the approval chain for accuracy on breach descriptions.

FINRA's compliance tools can also assist in structuring supervisory procedures around these communications.

Checklist Item 4: Service Provider Oversight and Vendor Contracts


The amended rule places direct responsibility on your firm for how service providers handle customer information.

Vendor oversight is no longer a best practice recommendation. It is a regulatory requirement with specific documentation expectations.

Which Service Providers Fall Within Scope

Any third party that receives, maintains, processes, or has access to your customer information falls within scope.

This includes custodians, portfolio management software providers, CRM platforms, cloud storage providers, email service providers, and IT support firms.

As Ncontracts points out, you likely have more vendors in scope than you think.

A single sub-adviser listing might represent ten separate service providers, each requiring individual assessment.

Start by building a complete vendor inventory that identifies every entity with potential access to nonpublic personal information.

Why 72-Hour Reporting Language Matters

The SEC expects your vendor agreements to include provisions requiring service providers to notify you of a breach within 72 hours.

This is critical because your own 30-day customer notification clock starts when you learn of an incident, not when the vendor discovers it.

If your vendor contracts do not include 72-hour breach notification language, you risk learning about incidents too late to meet your regulatory obligations.

Paul Weiss's memo on the amendments underscores this point as a key compliance requirement.

Review and amend existing contracts now. New vendor agreements should include this language from the start.

What Ongoing Vendor Oversight Should Document

Your written policies must address how you evaluate and monitor service providers on an ongoing basis.

This is not a one-time due diligence exercise.

According to Sadis & Goldberg's analysis, the amended rule requires maintenance of detailed records documenting vendor oversight.

ContinuityStrength's vendor oversight guide recommends documenting the following:

  • Initial vendor risk assessment results

  • Contract terms addressing data protection and breach notification

  • Evidence of periodic reviews (at least annually)

  • Vendor incident history and response performance

  • Corrective actions taken when issues are identified

Firms that work with IT partners like Secure Wealth IT, already aligned to SEC, FINRA, and NIST standards, can streamline this documentation through integrated vendor management and monitoring.

Checklist Item 5: Data Mapping, Safeguards, and Access Control



You cannot protect what you have not mapped.

Before your compliance date, you need a clear picture of where sensitive customer information lives, who can access it, and how it is secured throughout its lifecycle.

Where Sensitive Customer Information Lives

Conduct a thorough data mapping exercise that identifies every location where nonpublic personal information is stored, processed, or transmitted. This includes:

  • CRM systems (Redtail, Salesforce)

  • Financial planning tools (eMoney, MoneyGuidePro)

  • Portfolio management platforms (Orion, Tamarac)

  • Email systems (Microsoft 365, Google Workspace)

  • Cloud storage and file-sharing platforms

  • Physical files and local workstations

  • Backup and disaster recovery systems

As KPMG's analysis of the final amendments notes, covered entities must establish and maintain records documenting compliance with both the Safeguards and Disposal Rules. Data mapping is the starting point for both.

Access Management, Encryption, and Secure Data Handling

Once you know where data lives, restrict who can reach it. Apply the principle of least privilege: each user should have access only to the information they need for their job function.

Key controls include:

  • Multi-factor authentication on all systems containing customer data

  • Encryption for data at rest and in transit

  • Role-based access controls with periodic review

  • Logging and monitoring of access to sensitive systems

The Waystone compliance team emphasizes that these controls must be documented and reviewable. An examiner will ask not just whether you have MFA enabled, but whether you can show evidence of when it was implemented and how it is managed.

Disposal, Retention, and Third-Party Data Considerations

Your safeguards program must also address how customer information is disposed of when no longer needed. The Disposal Rule under Regulation S-P requires you to take reasonable measures to protect against unauthorized access during disposal.

This applies to digital data (secure deletion, drive wiping) and physical records (shredding, secure destruction). It also extends to data held by third parties on your behalf.

Your vendor agreements should specify disposal requirements when the relationship ends or when data is no longer needed.

The GLBA Safeguards Rule checklist from DataPath provides a useful framework for structuring these controls within your broader security program.

Checklist Item 6: Recordkeeping and Exam-Ready Documentation

The SEC has been explicit: document everything. Your recordkeeping obligations under the amended Regulation S-P extend to policies, procedures, incident investigations, notification decisions, and ongoing compliance activities.

What Records Must Be Retained for Five Years

The amended rule requires you to maintain the following records for a minimum of five years:

  • Written policies and procedures for safeguarding and disposing of customer information

  • Documentation of any detected unauthorized access or use of customer information

  • Records of any investigation conducted after an incident

  • Customer notification records, including content, delivery method, and timing

  • Records supporting a decision not to notify customers (including the reasonable investigation)

  • Evidence of service provider oversight activities

As SEC3 Compliance notes, examiners are coming, and they will expect these records to be organized and accessible.

How to Document Incidents That Did Not Require Notification

This is an area where many firms fall short. If you investigate an incident and determine that customer notification is not required, you must still document that decision in detail.

Your records should include:

  • What happened, and when it was discovered

  • What investigation steps were taken

  • What evidence supported the conclusion

  • Who made the final determination

  • Why you concluded that substantial harm or inconvenience was not reasonably likely

Ncontracts' Regulation S-P self-assessment highlights this as a common gap in compliance programs.

Building an Exam-Ready Documentation System

Organize your records so they can be produced quickly during an SEC examination. A disorganized file system creates the same risk as missing documentation.

Use a centralized compliance platform or structured folder system that separates:

  • Policies and procedures

  • Incident records

  • Vendor oversight files

  • Training and testing evidence

  • Notification records and decision logs

SmartRIA's compliance tracker is one example of a tool designed to keep deadlines, action items, and documentation in one place. An RIA compliance checklist from SmartAsset also provides a broader framework for organizing your compliance records.

Checklist Item 7: Training, Tabletop Exercises, and Testing

A written plan means nothing if your team cannot execute it under pressure. Training and testing are not optional add-ons.

They are evidence of operational readiness that examiners expect to see.

Why Staff Training Is Part of Operational Readiness

Every employee who handles customer information or has a role in your incident response program must understand their responsibilities. Training should cover:

  • How to recognize potential security incidents

  • How and where to report suspected breaches

  • The firm's notification obligations and timelines

  • Each person's specific role in the response process

As Wipfli's analysis of the new SEC rules recommends, RIAs should conduct regular training and tabletop exercises with an experienced facilitator. Training should happen at least annually and whenever your policies change.

How Tabletop Exercises Expose Gaps Before an Incident

A tabletop exercise walks your team through a realistic incident scenario without the actual crisis. You simulate a breach, work through your response plan step by step, and identify where things break down.

Common gaps discovered during tabletop exercises include:

  • Unclear escalation paths when key personnel are unavailable

  • Notification templates missing required content elements

  • Outdated vendor contact information

  • No process for documenting investigation steps in real time

itSynergy recommends building these exercises into your compliance calendar. Run at least one before your June 2026 compliance date and document the results.

What to Capture as Evidence of Testing

Document every training session and tabletop exercise with:

  • Date and duration

  • Attendee list

  • Scenario description

  • Findings and identified gaps

  • Corrective actions taken and completion dates

ACA Global's guidance on the amendments confirms that covered entities must document compliance activities. Training records serve as direct evidence that your program is operational, not just theoretical.

Common Gaps RIAs Should Fix Before the Deadline

Even firms that have started their compliance work often have specific blind spots that create risk during an examination. These gaps tend to cluster around vendor management, documentation of non-events, and over-reliance on generic templates.

Weak Vendor Agreements and Unclear Escalation Rules

Many RIAs have vendor agreements that predate the amended Regulation S-P. These contracts often lack 72-hour breach notification requirements, specific data protection obligations, or clear escalation protocols.

Review every vendor contract in scope. If the agreement does not address incident notification timing, data handling standards, and your right to audit, it needs to be amended.

ContinuityStrength's analysis identifies vendor oversight as one of the most common areas where smaller RIAs are underprepared.

Missing Documentation for Non-Events and Near Misses

When your firm investigates a potential incident and determines no breach occurred, that investigation still needs to be documented. Many firms skip this step because nothing "happened."

From an examiner's perspective, undocumented near misses are indistinguishable from incidents your firm failed to investigate.

Torchlight's analysis of the June 3 deadline emphasizes that your data security posture must be demonstrable. Build a habit of documenting every investigation, regardless of outcome.

Overreliance on Generic IT or Compliance Templates

Off-the-shelf templates can be a starting point, but they are not a compliance program. SEC examiners expect your policies to reflect your firm's actual technology environment, data flows, vendor relationships, and organizational structure.

A policy that references systems you do not use or omits platforms you depend on daily will not hold up under scrutiny. Customize every template to match your operations.

Firms that work with cybersecurity and compliance partners focused on financial services, such as Secure Wealth IT, can ensure that policies map directly to their actual infrastructure and toolset.

How to Prioritize Your Next 30, 60, and 90 Days

With the June 3, 2026, compliance date approaching, how you sequence your remaining work matters as much as what you do. A structured timeline keeps the project manageable and ensures nothing critical is left for the final weeks.

Immediate Actions if Your Program Is Incomplete

In the next 30 days, focus on the items that take the longest to complete or that other tasks depend on:

  • Complete your vendor inventory and identify contracts that need amendment.

  • Draft or finalize your written incident response program with specific roles, escalation paths, and investigation procedures.

  • Begin data mapping to identify all locations where sensitive customer information is stored or transmitted.

  • Engage legal counsel to review your notification templates and non-notification documentation standards.

As Reg Compliance Watch advises, you may be rolling the dice if you elect not to move forward with preparation, even amid uncertainty about enforcement posture.

How to Sequence Legal, Compliance, and IT Workstreams

During days 30 through 60, run your workstreams in parallel:

Workstream          Days 30-60 Focus
Legal               Finalize vendor contract amendments; review notification language
Compliance          Build a recordkeeping system; create investigation documentation templates
IT/Cybersecurity    Implement access controls; configure monitoring and logging; test backups

Frontline Compliance's overview of the new requirements notes that the SEC is moving forward with enforcement despite broader talk of deregulation.

Secure Wealth IT's 10-step compliance video provides additional sequencing guidance for RIAs, broker-dealers, and transfer agents working toward the deadline.

What Readiness Looks Like on the Compliance Date

By day 90 and the compliance date, your firm should be able to demonstrate:

  • A written, board-approved incident response program

  • Pre-built notification templates with all nine required content elements

  • Amended vendor contracts with 72-hour notification and oversight provisions

  • A complete data map with access controls, encryption, and disposal procedures documented

  • A centralized recordkeeping system with a five-year retention capability

  • Evidence of at least one tabletop exercise and staff training session

  • Documentation templates for both notification and non-notification decisions

COMPLY's guide to Regulation S-P reinforces that implementing these practices strengthens your compliance program.

Start with the gaps you know about. Sequence the rest methodically, and build a compliance program that reflects how your firm actually operates.


For more information about this topic, visit us at https://www.securewealthit.com/
