Zero Delta Security · zero-delta-security.polsia.app
Compliance Resource

SEC Reg S-P Compliance Checklist for RIAs

10-item checklist for registered investment advisers with assets under management below $1.5B. Maps every amended Reg S-P requirement to a concrete written deliverable.

Deadline: June 3, 2026
Applies to: SEC-registered RIAs < $1.5B AUM
Version: 2026-05-19
⚠ June 3, 2026 deadline: If your written incident response program, vendor oversight procedures, and data retention policies are not documented, the clock is running. Non-compliance puts you at maximum examination risk on your next SEC exam cycle.
How to use this checklist: Each item requires a written, documented artifact — verbal policies and informal practices do not satisfy the amended rule. Work through every item. If you cannot check it off, that is a compliance gap. Any unchecked item before June 3 represents active regulatory exposure.
Section 01
Written Program Requirements
Item 01 / 10
Written Incident Response Program (IRP)
The rule requires a written IRP covering detection, containment, eradication, and recovery from cybersecurity incidents involving customer information. It must be a formal written document with named personnel assigned to each phase.
→ Deliverable: Written IRP document with detection, containment, eradication, and recovery procedures. Named roles. Retrievable during examination.
Item 02 / 10
30-Day Customer Notification Procedures
When an incident involves customer sensitive financial information, you must notify affected customers within 30 days of becoming aware. The clock starts at awareness — not the date of the breach. Requires written decision criteria, a notification template, and a documented escalation chain.
→ Deliverable: Written notification procedure with decision criteria, notification template, and escalation chain. Test the procedure before the deadline.
Item 03 / 10
Vendor Risk Assessment and Oversight Program
You must oversee service providers who access, maintain, or process customer information. A vendor list alone is insufficient. Requires a written oversight program, security questionnaire or review process, and contract language requiring safeguards and breach notification.
→ Deliverable: Written vendor management policy identifying all customer-data-touching vendors. Security questionnaire or review process for each. Contract clauses requiring prompt notification of incidents.
Item 04 / 10
Data Inventory and Classification
The rule's safeguards apply to "customer information" — you must know where it lives. Custodian platforms, CRM, email archives, cloud storage, spreadsheets, and third-party integrations must all be mapped. This inventory also feeds your vendor oversight program.
→ Deliverable: Documented data inventory identifying systems that store or process customer financial information. Classification by sensitivity. Linked to vendor oversight for any data flowing to third parties.
Section 02
Technical Controls
Item 05 / 10
Encryption of Customer Data
The SEC identifies encryption as a baseline control under "appropriate safeguards." Data at rest and data in transit must both be encrypted. Unencrypted customer data on portable devices, email, or unsecured cloud storage is a clear examination red flag.
→ Deliverable: Document encryption controls: systems with at-rest encryption, transmission channels using TLS, portable device full-disk encryption status. Identify and remediate gaps.
Item 06 / 10
Access Controls and Multi-Factor Authentication
Shared passwords, absent MFA on email or custodian portals, and unrestricted file access are common examination findings. Access to customer information must be limited to personnel who need it, verified by strong authentication, and reviewed regularly.
→ Deliverable: Documented access control policies. MFA enabled on all systems touching customer data. User permission review removing former employee access and restricting current employees to need-to-know. Document the review process.
Section 03
Operational Controls
Item 07 / 10
Annual Employee Security Training
Phishing is the leading initial access vector for financial services breaches. The rule requires the security program to address the human element. Annual training with completion records is the minimum. Topics must include phishing identification, customer data handling, and incident reporting.
→ Deliverable: Documented annual security awareness training program with completion records. Training log retainable for examination. Consider adding periodic phishing simulations.
Item 08 / 10
Data Retention and Disposal Procedures
The amended rule strengthens recordkeeping requirements. You need written policies governing how long customer information is retained, in what format, and how it is disposed of when retention periods expire. Customer data in forgotten email archives or decommissioned systems is both a security risk and a regulatory liability.
→ Deliverable: Documented data retention schedule aligned with SEC Books and Records requirements. Written procedures for secure disposal of physical and electronic records. Document actual disposal activities.
Item 09 / 10
Annual Program Review
The amended rule explicitly requires an annual review of the security program's effectiveness. This must result in documented findings and program updates — not a box-check. A penetration test or vulnerability assessment scheduled as part of the annual review demonstrates the review is substantive.
→ Deliverable: Documented annual review process with written output (findings and updates). Schedule the next review date. An external security assessment provides independent validation that stands up to examination scrutiny.
Item 10 / 10
Recordkeeping — Written Policies and Central Repository
Every element above must be documented in writing and retained. If you cannot produce a written artifact during an examination, the control is treated as non-existent. The amended rule extends recordkeeping requirements to all written security program documentation.
→ Deliverable: Central repository (shared drive, compliance software, or document management system) where all security program documents are organized, versioned, and accessible. Confirm security records are covered by your existing retention schedule.
Review Notes / Gaps Identified
Use this space to note gaps, responsible parties, and target completion dates for unchecked items.