
Reg S-P Readiness for RIAs: What to Operationalize in 2026


The SEC’s proposed cybersecurity rule for investment advisers was withdrawn in 2025. But, Regulation S-P isn’t going away. Here’s what RIAs need to operationalize now.

The SEC’s proposed cybersecurity rule for investment advisers was withdrawn in 2025 without being finalized, leaving Regulation S-P — and its 2024 amendments — as the primary framework RIAs are working through.

The updates added written incident response requirements, a customer-notification framework with a 30-day outer deadline, expanded service provider oversight obligations, and recordkeeping expectations. The SEC’s FY 2026 examination priorities reinforce these areas by highlighting Reg S-P compliance, governance practices, and third-party oversight. Larger entities were required to comply by December 3, 2025; for smaller entities, the June 3, 2026 compliance deadline makes the timeline concrete.

This is the environment RIAs are operating in now: a set of obligations already in effect on a tiered schedule, being tested in examinations, and intersecting with how firms actually manage vendors, technology, and incidents.

What the 2024 Reg S-P Amendments Actually Require

For many RIAs, Reg S-P had long functioned as a privacy-and-safeguards rule: annual notices, general data protection standards, something compliance managed in the background. The 2024 amendments made it more specific about several things that previously had more room for interpretation.

SEC-registered investment advisers must now maintain a written incident response program that addresses unauthorized access to or use of customer information. When a qualifying incident occurs, firms have a notification obligation: affected individuals must be notified as soon as practicable, and no later than 30 days after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

The amendments also expand service provider oversight. Firms need written contracts and oversight processes that address data protection, notification expectations, and ongoing review as vendor environments evolve. 

Recordkeeping requirements tied to the amended rules were added as well, specifically to support the SEC’s inspection and enforcement capabilities.

The SEC has signaled through outreach and exam activity that it expects firms to maintain and produce these records. Producing records is a different thing from describing intentions, and that distinction becomes clear during examinations.

RIA Compliance Gaps to Avoid

Weak controls don’t always create the greatest examination exposure. More often, the problem is the program itself: one built for a different operating environment that hasn’t been updated to match how the firm actually runs today.

Common patterns include:

The policy-practice gap

Workflows evolve. Vendors change. New platforms get adopted. But documented procedures tend to stay static. A firm’s written incident response program might still reference personnel who have left, systems that have been replaced, or escalation paths that no longer reflect how decisions actually get made. When an examination or an actual incident exposes that gap, it becomes difficult to explain.

Vendor blind spots

Many RIAs rely on outside providers for portfolio systems, reporting, document management, client communications, and cybersecurity operations. Often, they depend on a half-dozen or more. The amended Reg S-P rules are specific about what oversight looks like: written contracts, defined notification expectations, a clear understanding of how vendors handle covered data, and ongoing reviews as vendor environments change. Due diligence at onboarding is no longer sufficient by itself.

Evidence gaps

There’s a meaningful difference between having controls in place and being able to demonstrate that those controls are working. Firms that have solid technical infrastructure but scattered or outdated documentation often have a harder time with examination readiness than they anticipate. The SEC’s outreach on Reg S-P has specifically referenced the maintenance and production of policies, procedures, books, and records.

Incident response programs that exist only on paper

A written program satisfies the letter of the requirement. A program that’s been tested, assigned to named individuals, and rehearsed under realistic conditions is what the rule is designed to produce. RIAs that haven’t conducted tabletop exercises or reviewed their response assumptions since the program was first drafted may find that the first real test is an examination.

How RIAs Can Assess Reg S-P Readiness

These questions are a useful starting point for evaluating where your firm stands. They’re drawn from the SEC’s examination priorities, the amended rule’s specific requirements, and the patterns that frequently come up in firm assessments.

Customer information inventory

  • Do you know what sensitive customer information your firm holds, where it resides, and who has access? 
  • Can that inventory be updated as your firm’s technology and vendor environment changes?

Written incident response program

  • Is there a documented program in place that assigns roles, defines escalation paths, and addresses the customer notification requirement? 
  • Has the program been reviewed and updated within the last 12 months?

Vendor oversight

  • Are service provider relationships documented with written contracts that include notification expectations and data handling requirements? 
  • Do you have a process for reviewing those relationships on an ongoing basis, not just at onboarding?

Recordkeeping and evidence

  • Can your firm produce current written policies, records of vendor oversight activity, access reviews, and documentation of past incidents or response decisions? 
  • Would those records hold up under examination?

Policy-practice alignment

  • When were written procedures last reviewed against how work actually gets done? 
  • Do they reflect current technology, current vendors, and current workflows?

Tabletop testing

  • Has the incident response program been tested? 
  • Do the people responsible for executing it — including any third-party partners — understand their roles and the firm’s notification timeline obligations?

Cybersecurity Controls as Compliance Infrastructure

Cybersecurity and Reg S-P compliance aren’t separate tracks. The technical controls that your firm maintains — access management, endpoint protection, cloud configuration, logging and monitoring — are part of what makes your compliance program work. Logging supports investigations. Access controls protect customer information. Detection capabilities determine how quickly your firm can assess whether an incident has triggered notification obligations.

The SEC’s FY 2026 exam priorities continue to focus on governance practices, data loss prevention, access controls, account management, ransomware preparedness, and emerging technology risks, including controls for AI-related exposures and evolving malware techniques. Those controls are the infrastructure that makes your written Reg S-P program credible.

FINRA’s 2026 oversight report, directed at broker-dealers but broadly representative of the regulatory environment, reinforces the same themes: cyber-enabled fraud, third-party risk, and the compliance dimensions of AI adoption are all areas of active focus. For RIAs, the relevant exam authority is the SEC, but the industry-wide direction is consistent.

Staying Ready as the Environment Changes

The operating environment for RIAs is constantly shifting. Cloud platforms evolve, vendors add features without always notifying clients, and AI-enabled tools appear inside software firms already use — sometimes without a deliberate adoption decision. Remote access dependencies introduced during the pandemic have become permanent infrastructure for many firms. Each of those changes has the potential to affect how customer information flows through your organization — and whether your existing policies still accurately describe what’s happening.

Your best bet for sustained examination readiness is to treat Reg S-P compliance as a daily operating function. That means scheduling regular reviews of policies, vendor relationships, and incident response assumptions. It means testing those assumptions before an examination does. And it means maintaining the kind of evidence trail that allows your firm to demonstrate that its program is working.

For firms working to strengthen Reg S-P readiness, start with tightening policies, spelling out vendor oversight processes, and aligning documentation with how your business actually operates.
