10 min read

5 Reg S-P Requirements Most RIAs Are Still Missing With 54 Days Left

June 3, 2026. That is the compliance deadline for the amended Regulation S-P. Most RIAs believe they are ready because they have written policies. The SEC does not care about your policies. They care about your programs, your procedures, your contracts, and your evidence. Here are the five requirements firms keep getting wrong.

The 5 requirements most firms are missing:

  1. Written incident response program (not just a policy)
  2. 72-hour vendor notification clause in every contract
  3. 30-day client notification procedures
  4. Annual risk assessment (documented, not mental)
  5. Evidence of implementation (not just policies on paper)

1. Written incident response program

What the SEC requires

The amended Regulation S-P requires every registered investment adviser to adopt a written incident response program. Not a policy. Not a paragraph in your compliance manual. A program — one that covers detection, assessment, containment, notification, and recovery. Each phase must have specific procedures documented for your firm.

Why most firms miss it

Because they bought a template. A generic incident response policy that says "the firm will respond to security incidents in a timely manner" satisfies nobody. The SEC wants to see your specific procedures: Who detects the incident? What tools are they using to detect it? Who do they call first? What is the escalation path? How do you contain a compromised email account versus a ransomware infection? These are different incidents requiring different responses, and your program needs to reflect that.

What happens if the SEC finds this gap

An exam finding of "no incident response program" or "inadequate incident response program" leads to a deficiency letter at minimum. If the gap is discovered after an actual breach, the consequences escalate: the SEC will argue that the lack of a program contributed to the severity of the breach, the delay in notification, or both. That turns a security incident into an enforcement action.

How to fix it before June 3

Build a program that covers all five phases with procedures specific to your firm. Name the people responsible. List the tools you use for detection. Define what constitutes an incident at your firm. Write the escalation procedures. Then test it — run a tabletop exercise with your team. Document that you tested it and what you learned. The SEC values tested programs over perfect-looking documents that have never been used.

2. 72-hour vendor notification clause

What the SEC requires

Your service provider contracts must require vendors to notify you within 72 hours of becoming aware of a security incident involving your client data. This is not optional. The amended Reg S-P explicitly requires oversight of service providers, including contractual provisions for incident notification.

Why most firms miss it

Because nobody has reviewed their vendor contracts since the 2024 amendments were adopted. Your custodian agreement, your CRM provider, your portfolio management software, your email hosting, your cloud storage — every vendor that touches client PII needs this clause. Most firms signed these contracts years ago and have not revisited the security provisions. Some vendors will push back on the 72-hour timeline, which is exactly why you need to start these conversations now, not in May.

What happens if the SEC finds this gap

During an exam, the SEC will request your vendor management documentation and sample contracts. If they find contracts without incident notification provisions, you will receive a deficiency finding. If a vendor breach occurs and you cannot demonstrate that your contracts required timely notification, the SEC will question whether your entire vendor oversight program satisfies Rule 248.30.

How to fix it before June 3

Inventory every vendor that accesses, stores, or processes client PII. Pull each contract. Check for incident notification language. Where it is missing or insufficient, send an amendment requesting a 72-hour notification clause. Where vendors will not agree to 72 hours, negotiate the shortest timeline they will accept and document the negotiation. The SEC wants to see that you tried — not that every vendor said yes.

3. 30-day client notification procedures

What the SEC requires

Written procedures for notifying affected clients within 30 days of determining that a breach of their personal information has occurred. The procedures must specify what you will tell clients, how you will notify them, and who within your firm is responsible for executing the notification.

Why most firms miss it

Because firms confuse having an obligation to notify with having a procedure for notification. Most RIAs know they need to notify clients after a breach. Almost none have written down the actual process. Who drafts the notification letter? Who approves it? Does it go by email, mail, or both? What information must be included? Who tracks which clients were notified and when? Without documented procedures, a real breach turns into a chaotic scramble that likely blows past the 30-day window.

What happens if the SEC finds this gap

The absence of documented notification procedures is a clear compliance deficiency under the amended rule. If the gap is found during a routine exam, expect a deficiency letter. If found after an actual breach where clients were not notified within 30 days, the firm faces both the original breach consequences and an additional enforcement action for failing to have — and follow — notification procedures.

How to fix it before June 3

Write the procedures now, before you need them. Draft template notification letters for different breach scenarios (compromised email, ransomware, vendor breach). Define the roles: who determines that notification is required, who drafts the communication, who approves it, who sends it, who documents it. Set the timeline: once a breach is confirmed, what happens on day 1, day 7, day 14, day 30? Store these procedures where your team can find them under pressure.

4. Annual risk assessment (documented, not mental)

What the SEC requires

A written assessment identifying threats and vulnerabilities to client information, evaluating current controls, and documenting findings and remediation plans. This must be performed at least annually and updated when your environment changes.

Why most firms miss it

Because "we think about security all the time" feels like a risk assessment. It is not. The SEC wants a dated document that identifies specific threats to your specific environment, evaluates how your current controls address those threats, identifies gaps, and lays out a plan to close them. A mental exercise, no matter how thorough, produces no documentation. No documentation means no evidence. No evidence means a deficiency.

The other common failure: firms that did a risk assessment once — perhaps when they first registered or during an initial compliance build-out — and have not revisited it. A risk assessment from 2023 does not reflect your 2026 environment. If you have changed custodians, adopted new technology, added staff, or started working remotely since your last assessment, that assessment is stale.

What happens if the SEC finds this gap

Risk assessment deficiencies are among the most common exam findings across all SEC examination priorities. Examiners will ask for your most recent risk assessment, check the date, compare it to changes in your ADV, and determine whether it reflects your current operations. A missing or outdated risk assessment is treated as a failure to comply with the safeguards rule, which can result in a deficiency letter, a referral to enforcement, or both.

How to fix it before June 3

Conduct a risk assessment now. Inventory your systems. Identify threats relevant to your firm (phishing, ransomware, insider threats, vendor compromise). Evaluate your current controls against each threat. Rate the residual risk. Document everything with dates. Create a remediation plan for any gaps. Then put the next assessment on the calendar for Q1 2027.

5. Evidence of implementation (not just policies on paper)

What the SEC requires

The amended Reg S-P does not just require written policies. It requires that those policies be implemented. There is a difference between a policy that says "the firm will implement DMARC email authentication" and actually having a DMARC record configured on your domain. The SEC checks the latter.

Why most firms miss it

Because compliance programs in the advisory industry have historically been policy-driven. You write the policy, put it in the manual, and move on. The 2024 Reg S-P amendments shift the standard from "have a policy" to "implement the policy." That gap between what firms wrote and what firms actually did is where most deficiency findings will come from in the first year of enforcement.

Common examples of the gap:

What happens if the SEC finds this gap

This is the most damaging gap because it undermines everything else. A firm that has written policies but has not implemented them looks worse than a firm that is still building its program. It suggests the compliance program is performative — designed to look good on paper rather than actually protect client data. SEC examiners will test implementation by checking DNS records, requesting training logs, reviewing access control lists, and asking staff how they handle specific scenarios. The policies are the starting point, not the finish line.

How to fix it before June 3

Audit your own policies against your actual implementation. Take each policy statement and ask: can I prove this is happening? Run a security scan on your domain to check DMARC, SPF, and DKIM configuration. Pull your training records. Review your access control lists. Check your encryption settings. Where you find gaps between policy and practice, either implement the control or update the policy to reflect what you actually do — then build a timeline to implement what you should be doing.
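The domain check described above is the one control on this list that can be verified mechanically. The script below is an added example, not BlackSheep's code or the SEC's test: it pulls the SPF, DMARC and DKIM TXT records for a domain and turns them into an evidence record plus a list of findings that an examiner would recognize (no DMARC record, a monitor-only p=none policy, an SPF record ending in +all, a revoked DKIM key). The sample records for `example-ria.test` and the DKIM selector name `selector1` are constructed for the example; the live lookup uses the optional dnspython package.

```python
"""Collect email-authentication evidence (SPF, DMARC, DKIM) for a domain."""

# Constructed sample TXT records for a hypothetical adviser domain (not real DNS data).
SAMPLE_TXT = {
    "example-ria.test": ["v=spf1 include:_spf.mail-provider.example ~all"],
    "_dmarc.example-ria.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-ria.test"],
    "selector1._domainkey.example-ria.test": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXAMPLEKEY"],
}


def lookup_sample(name):
    """Offline stand-in for a DNS TXT query, answering from SAMPLE_TXT."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def lookup_dns(name):
    """Live TXT lookup using dnspython (optional dependency: pip install dnspython)."""
    import dns.exception, dns.resolver  # imported lazily so the offline run needs no network
    try:
        answers = dns.resolver.resolve(name, "TXT")
    except dns.exception.DNSException:
        return []
    # A TXT record may be split into several strings; join them back together.
    return ["".join(p.decode("ascii", "replace") for p in r.strings) for r in answers]


def parse_tags(record):
    """Split a DMARC/DKIM 'tag=value; tag=value' record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(records):
    """Evaluate the SPF record(s) found at the domain apex."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"record": None, "findings": ["no SPF record published"]}
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records published; RFC 7208 permits exactly one")
    record = spf[0]
    all_terms = [t for t in record.split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF record has no 'all' mechanism; unlisted senders are neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # default is pass
        if qualifier == "+":
            findings.append("SPF ends with +all: any host may send as this domain")
        elif qualifier == "?":
            findings.append("SPF ends with ?all (neutral); receivers treat it like no policy")
        elif qualifier == "~":
            findings.append("SPF ends with ~all (softfail); consider -all once senders are inventoried")
    return {"record": record, "findings": findings}


def assess_dmarc(records):
    """Evaluate the DMARC record found at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"record": None, "findings": ["no DMARC record published at _dmarc.<domain>"]}
    findings = []
    if len(dmarc) > 1:
        findings.append("multiple DMARC records published; receivers ignore all of them")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC policy is p=none (monitor only); failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy tag missing or invalid: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports (the evidence trail) are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    return {"record": dmarc[0], "findings": findings}


def assess_dkim(records):
    """Evaluate the DKIM key record found at <selector>._domainkey.<domain>."""
    dkim = [r for r in records if "p=" in r.lower()]
    if not dkim:
        return {"record": None, "findings": ["no DKIM key published for this selector"]}
    tags = parse_tags(dkim[0])
    findings = []
    if not tags.get("p"):
        findings.append("DKIM key is empty (p=): the selector has been revoked")
    if tags.get("t", "").lower() == "y":
        findings.append("DKIM record is flagged t=y (testing mode)")
    return {"record": dkim[0], "findings": findings}


def assess_domain(domain, lookup=lookup_sample, selectors=("selector1",)):
    """Build a dated-evidence style report for a domain using the supplied TXT lookup."""
    report = {
        "domain": domain,
        "spf": assess_spf(lookup(domain)),
        "dmarc": assess_dmarc(lookup(f"_dmarc.{domain}")),
        "dkim": {s: assess_dkim(lookup(f"{s}._domainkey.{domain}")) for s in selectors},
    }
    report["findings"] = (report["spf"]["findings"] + report["dmarc"]["findings"]
                          + [f for d in report["dkim"].values() for f in d["findings"]])
    return report


if __name__ == "__main__":
    import json
    # Offline run against the constructed records; pass lookup=lookup_dns for a real domain.
    print(json.dumps(assess_domain("example-ria.test"), indent=2))
```

Run it against the sample data as-is, or call `assess_domain("yourfirm.example", lookup=lookup_dns, selectors=("your-selector",))` with the DKIM selector your mail provider assigned (selectors are provider-specific, so the `selector1` default is only an assumption). Save the JSON output with a date: the raw records are the implementation evidence, and the findings list is the remediation plan for the policy-versus-practice audit this section calls for.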

The pattern behind all five

Every one of these gaps comes from the same mistake: treating compliance as a document problem instead of an operational problem. The 2024 Reg S-P amendments are the SEC telling the advisory industry that written policies are no longer sufficient. They want programs, procedures, contracts, evidence, and documentation. They want to see that your firm actually does what it claims to do.

54 days is enough time to close these gaps. It is not enough time to start from scratch and do it perfectly. Prioritize: get the incident response program written and tested, get the vendor contracts amended, document your notification procedures, run the risk assessment, and audit your implementation evidence. Done is better than perfect when the deadline is June 3.

How BlackSheep helps

BlackSheep's RIA compliance platform is built around the amended Regulation S-P requirements. It provides guided incident response program templates tailored to your firm, vendor contract review checklists with the 72-hour notification language, client notification procedure builders, automated risk assessments with dated documentation, and implementation evidence tracking — so when the SEC asks for proof, you have it.

$249 per month. No annual contracts. Built specifically for RIAs that need to close compliance gaps before the deadline, not after an exam finding.
