The Complete Reg S-P Compliance Checklist for RIAs (15 Items for 2026)
The amended Reg S-P rule takes effect June 3, 2026. The SEC has made clear that "we have policies" is no longer enough — examiners want written programs, functioning controls, and evidence that someone in leadership actually reviewed it all. This is everything you need, organized by category, with the specific provisions that apply.
We have covered the five requirements most RIAs are missing and the full regulatory breakdown of Reg S-P for investment advisers. This post is the comprehensive checklist — 15 items across five categories. Bookmark it, work through it, and use the scoring at the bottom to see where you stand before June 3.
Written Program (Items 1-4)
The foundation of Reg S-P compliance is documentation. Examiners start here. If you cannot produce written programs, the conversation about your technical controls never happens.
1. Written Information Security Program (WISP)
What the SEC requires: Rule 248.30(a) requires written policies and procedures "reasonably designed" to safeguard customer records and information, addressing administrative, technical, and physical safeguards. The amended rule makes explicit that these must be tailored to your firm's size, complexity, and the nature of your activities.
What "done" looks like: A written document specific to your firm that covers how you handle customer data, who is responsible for security, what controls you use, how you train employees, and how you respond to incidents. It names the systems you use, the data you hold, and the safeguards in place. It has a version date and a review schedule.
Common shortcuts that fail exams: Using a generic template downloaded from the internet with your firm name pasted in. Examiners ask specific follow-up questions — "Which systems does this cover? Who reviewed it? When was it last updated?" If your WISP says you use a firewall but you cannot name the product, that is a problem. Learn more about what a WISP actually needs to include.
2. Documented Risk Assessment
What the SEC requires: The amended Reg S-P rule under Rule 248.30(a)(2) requires firms to "identify and assess risks" to customer information. The assessment must be written, conducted at least annually, and must identify threats, vulnerabilities, and the adequacy of current controls.
What "done" looks like: A dated document that lists every system handling customer information, identifies specific threats (phishing, ransomware, unauthorized access, lost devices), evaluates current controls against those threats, rates the risk level, and has a remediation plan for anything rated high. It was completed within the last 12 months.
Common shortcuts that fail exams: Treating a vendor questionnaire as a risk assessment. Having your IT provider say "everything looks good" without a written deliverable. A risk assessment that only covers your custodian and ignores your CRM, email, and file storage.
3. Incident Response Program
What the SEC requires: Rule 248.30(a)(3) of the amended rule explicitly requires written incident response policies and procedures designed to detect, respond to, and recover from unauthorized access to or use of customer information. This is new — the original rule did not require a standalone incident response program.
What "done" looks like: A written plan that covers detection (how you identify an incident), assessment (how you determine severity and scope), containment (how you stop it from spreading), notification (who you tell and when — including the 72-hour window for customer notification under the amended rule), and recovery (how you restore operations). It names specific people responsible for each phase.
Common shortcuts that fail exams: A one-page document that says "call IT." An incident response plan that does not include notification procedures. A plan that has never been tested (see Item 14).
4. Business Continuity / Disaster Recovery Plan
What the SEC requires: While business continuity is addressed more broadly under Rule 206(4)-7 (compliance programs), the amended Reg S-P's requirement for "recovery" procedures under the incident response provision means your ability to restore access to customer information after an incident is now directly in scope.
What "done" looks like: A documented plan that identifies critical systems, defines recovery time objectives (how quickly you need to restore service) and recovery point objectives (how much data loss is acceptable), describes your backup strategy, and has been tested — meaning you actually restored from backup at least once in the past year and documented the result.
Common shortcuts that fail exams: Assuming your cloud provider handles disaster recovery. Having backups that have never been tested. A plan that references systems you no longer use.
Technical Controls (Items 5-8)
Written programs describe what you intend to do. Technical controls prove you actually did it. These are verifiable — examiners can check them in minutes using the same tools anyone can run against your domain. So can BlackSheep's free compliance scan.
5. Email Authentication (DMARC, SPF, DKIM)
What the SEC requires: The safeguards rule under 248.30(a) requires "technical safeguards" reasonably designed to protect customer information. Email is the primary attack vector for investment advisers — phishing, business email compromise, and spoofing all exploit weak email authentication. Properly configured DMARC, SPF, and DKIM are baseline technical safeguards.
What "done" looks like: SPF record published and limited to authorized senders. DKIM signing enabled for outbound email. DMARC policy set to p=quarantine or p=reject — not p=none. p=none is monitoring mode. It does not protect anyone. Examiners and auditors increasingly recognize this distinction.
Common shortcuts that fail exams: Having SPF but no DMARC. Having DMARC at p=none and calling it done. Relying on your email provider's defaults without verifying what is actually published in DNS. Run a scan to check yours in 30 seconds.
6. Multi-Factor Authentication
What the SEC requires: MFA is not named explicitly in Reg S-P, but the SEC's 2025 exam priorities and multiple risk alerts specifically call out MFA as a baseline control examiners evaluate. The adopting release for the amended rule references MFA as an example of a reasonable technical safeguard.
What "done" looks like: MFA enabled on every system that handles customer information — email, CRM, portfolio management, custodian portals, cloud storage, and remote access. App-based or hardware token MFA, not SMS-only (SIM swapping makes SMS MFA unreliable for financial services).
Common shortcuts that fail exams: MFA on email but not on your CRM or cloud storage. SMS-only MFA with no option for app-based authentication. Exemptions for senior partners who find it inconvenient.
7. Encryption at Rest and in Transit
What the SEC requires: Encryption falls under the technical safeguards provision of Rule 248.30(a). The SEC has cited encryption failures in multiple enforcement actions. At rest means data stored on laptops, servers, and cloud services is encrypted. In transit means data moving between systems uses HTTPS, TLS, or equivalent protocols.
What "done" looks like: Full-disk encryption on all laptops and workstations (BitLocker, FileVault). Cloud storage encrypted at rest (most major providers do this by default, but verify). All client-facing web pages served over HTTPS with a valid TLS certificate. Email sent over TLS (check your provider's settings — opportunistic TLS is not the same as enforced TLS).
Common shortcuts that fail exams: Encrypted laptops but unencrypted USB drives that staff use for file transfers. HTTPS on your website but not on your client portal. Assuming your email is encrypted without checking.
8. Security Headers
What the SEC requires: Security headers fall under the technical safeguards umbrella. HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options protect client-facing web applications from clickjacking, cross-site scripting, and man-in-the-middle downgrades. Examiners may not check these individually, but automated scanning tools (which examiners increasingly use) flag missing headers.
What "done" looks like: HSTS header with max-age of at least one year, including subdomains. Content-Security-Policy that restricts script sources. X-Frame-Options set to DENY or SAMEORIGIN. X-Content-Type-Options set to nosniff. These are configured on every domain and subdomain that clients access.
Common shortcuts that fail exams: Security headers on your main site but not on your client portal or subdomain. Relying on your web host's defaults. Having an HSTS header with a 30-day max-age (too short to be meaningful).
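Each of the four "done" conditions for Item 8 is a test on a single response header, so they can be checked from one HTTP response. The script below is an added example for this checklist, not BlackSheep's scanner or the page's own code. It takes the response headers as a dict and checks the HSTS max-age floor of one year plus includeSubDomains, that Content-Security-Policy actually restricts script sources, and the required X-Frame-Options and X-Content-Type-Options values. The two header sets are constructed (one resembling web-host defaults with the 30-day HSTS the text warns about, one that meets the bar), the example.test hostnames are placeholders, and the function names are this example's own; against a live portal you would collect the headers with urllib.request.urlopen(url).headers and pass that object in.

```python
"""Check a client-facing site's HTTP response headers against the Item 8 bar.

Added example. Headers are supplied as a dict; the two samples below are
constructed. To test a live host, collect the headers with
urllib.request.urlopen("https://portal.example.test").headers and pass them in.
"""
from typing import Dict, List, NamedTuple, Optional

ONE_YEAR = 31_536_000  # seconds: the HSTS max-age floor the checklist calls for


class Finding(NamedTuple):
    control: str
    passed: bool
    detail: str


def get_header(headers, name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(headers) -> Finding:
    value = get_header(headers, "Strict-Transport-Security")
    if value is None:
        return Finding("HSTS", False, "header missing; browsers can be downgraded to HTTP")
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        return Finding("HSTS", False, f"max-age={max_age} is under one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        return Finding("HSTS", False, "includeSubDomains missing; client-portal subdomains are not covered")
    return Finding("HSTS", True, f"max-age={max_age} with includeSubDomains")


def check_csp(headers) -> Finding:
    value = get_header(headers, "Content-Security-Policy")
    if value is None:
        return Finding("CSP", False, "header missing; script sources are unrestricted")
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is the fallback when script-src is absent
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return Finding("CSP", False, "no script-src or default-src directive")
    permissive = {"*", "'unsafe-inline'", "http:", "https:", "data:"}
    weak = sorted(s for s in sources if s in permissive)
    if weak:
        return Finding("CSP", False, f"script sources {weak} do not restrict where scripts load from")
    return Finding("CSP", True, f"script sources limited to {sources}")


def check_xfo(headers) -> Finding:
    value = get_header(headers, "X-Frame-Options")
    if value is None:
        return Finding("X-Frame-Options", False, "header missing; pages can be framed for clickjacking")
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return Finding("X-Frame-Options", True, value.strip().upper())
    return Finding("X-Frame-Options", False, f"value {value!r} is not DENY or SAMEORIGIN")


def check_xcto(headers) -> Finding:
    value = get_header(headers, "X-Content-Type-Options")
    if value is not None and value.strip().lower() == "nosniff":
        return Finding("X-Content-Type-Options", True, "nosniff")
    return Finding("X-Content-Type-Options", False, "nosniff not set; browsers may MIME-sniff responses")


def item8_findings(headers) -> List[Finding]:
    return [check_hsts(headers), check_csp(headers), check_xfo(headers), check_xcto(headers)]


def item8_passes(headers) -> bool:
    return all(f.passed for f in item8_findings(headers))


# Constructed samples: typical web-host defaults, and a response that meets the bar.
WEB_HOST_DEFAULTS = {
    "Strict-Transport-Security": "max-age=2592000",  # 30 days, no includeSubDomains
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Content-Type": "text/html; charset=utf-8",
}
DONE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.test; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for label, hdrs in (("web host defaults", WEB_HOST_DEFAULTS), ("done", DONE)):
        print(f"--- {label}: item 8 {'PASS' if item8_passes(hdrs) else 'FAIL'}")
        for f in item8_findings(hdrs):
            print(f"  {f.control:23} {'ok  ' if f.passed else 'FAIL'} {f.detail}")
```

Run it against every hostname clients touch, not just the marketing site: the "done" condition is that the portal and any other subdomain pass too, which is exactly where host defaults tend to differ from the main site.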
Vendor & Third-Party (Items 9-11)
The amended Reg S-P rule significantly expanded vendor oversight requirements. This is the area where most RIAs are furthest behind: the provisions are new, and updating service provider contracts takes time.
9. Vendor Oversight Program
What the SEC requires: Rule 248.30(b) requires written policies and procedures for the "oversight of service providers," including taking steps to "select and retain service providers that are capable of maintaining appropriate safeguards." This means you need a documented process for evaluating vendor security before you hire them and while you retain them.
What "done" looks like: A written vendor management policy that describes how you evaluate service providers' security posture before onboarding (questionnaires, SOC 2 reports, security certifications) and how you monitor them on an ongoing basis. A list of all service providers that access customer information. Documentation of your most recent evaluation for each.
Common shortcuts that fail exams: Having no list of service providers. Relying on a vendor's marketing claims instead of documented due diligence. Evaluating vendors at onboarding but never again.
10. 72-Hour Breach Notification Clauses
What the SEC requires: Rule 248.30(b)(3) of the amended rule requires service provider contracts to include provisions that obligate the service provider to notify the investment adviser "as soon as possible, but no later than 72 hours" after becoming aware of a breach or security incident involving customer information. This is a hard deadline in the rule text.
What "done" looks like: Every service provider contract — MSP, cloud, CRM, custodian, email, backup, phone system — includes a clause requiring written notification within 72 hours of a suspected or confirmed breach involving your customer data. New contracts include this language by default. Existing contracts have been amended.
Common shortcuts that fail exams: Adding the clause to new contracts but not updating existing ones. Having the clause in your MSP agreement but not in your CRM or cloud storage contracts. Verbal agreements without written documentation.
11. Annual Vendor Risk Review
What the SEC requires: The ongoing oversight provision under Rule 248.30(b) requires that you "periodically assess" whether your service providers maintain appropriate safeguards. Combined with the annual risk assessment requirement, this means a documented annual review of each service provider's security measures.
What "done" looks like: A dated record for each service provider showing what you reviewed (SOC 2 report, security questionnaire responses, incident history), what you found, and whether you are continuing the relationship. Updated annually. If a vendor cannot produce a SOC 2 or equivalent, you documented that gap and your rationale for continuing to use them.
Common shortcuts that fail exams: Reviewing your custodian but ignoring your CRM, email marketing platform, and cloud storage. Requesting a SOC 2 report and filing it without reading it. Not documenting the review even if you did conduct one.
People & Process (Items 12-14)
Controls only work if people follow them. The SEC expects evidence that your team knows the rules and that you verify they follow them.
12. Employee Cybersecurity Training
What the SEC requires: Administrative safeguards under Rule 248.30(a) include training employees to implement your information security program. The amended rule's emphasis on written policies and procedures implicitly requires that the people responsible for following those procedures actually know what they say.
What "done" looks like: Annual cybersecurity training for all employees who handle or access customer information. Documented with attendance records, completion dates, and the topics covered. Training covers phishing recognition, password hygiene, incident reporting procedures, and your firm's specific policies. New hires trained within 30 days of start date.
Common shortcuts that fail exams: Sending a link to a generic security awareness video with no tracking. Training that does not cover your firm's specific policies and procedures. Training records that cannot show who completed it and when.
13. Access Control Reviews
What the SEC requires: Technical safeguards include restricting access to customer information to authorized personnel. This is not a set-and-forget control — access changes as employees join, leave, or change roles. Regular reviews catch access that should have been revoked.
What "done" looks like: Quarterly review of user access across all systems handling customer information. Documented list of who has access to what, with justification. Prompt revocation of access for departing employees (same day, not "when IT gets to it"). Evidence of changes made as a result of each review.
Common shortcuts that fail exams: Former employees still having active accounts. Access reviews that exist on paper but no evidence of changes made as a result. Giving all employees admin access because it is easier than managing permissions.
14. Incident Response Testing
What the SEC requires: The amended rule's incident response provision requires procedures "designed to" detect, respond to, and recover from incidents. The SEC has stated in guidance that untested procedures cannot be reasonably designed to work. This is the logical extension — if you have a plan but have never tested it, you do not know if it works.
What "done" looks like: At least one annual tabletop exercise or simulation where your team walks through a realistic scenario (ransomware attack, business email compromise, vendor data breach). Documented results including what worked, what did not, and what changes you made to the plan afterward. Attendee list and date on file.
Common shortcuts that fail exams: Having an incident response plan but never testing it. A "tabletop" that consisted of a partner reading the plan and saying "looks good." Testing that did not include the people who would actually execute the plan during a real incident.
Governance (Item 15)
The amended rule makes governance explicit. Someone in leadership must own the cybersecurity program and demonstrate they review it.
15. Board/Principal Oversight Evidence
What the SEC requires: The amended Reg S-P rule requires that the firm's information security program be "approved by a designated senior officer." This person must oversee the program and be accountable for its implementation. The SEC expects evidence that leadership is engaged — not just named on a document.
What "done" looks like: A named individual (CCO, managing partner, or designated security officer) who is responsible for the information security program. Meeting minutes or written memos showing leadership reviewed the cybersecurity program at least annually — including risk assessment results, incident reports, vendor review findings, and any material changes. Annual sign-off on the WISP and incident response plan. If your firm has a board, board-level discussion documented in meeting minutes.
Common shortcuts that fail exams: Naming a responsible person but having no evidence they actually review anything. Delegating everything to an external IT provider with no internal oversight. Annual compliance reviews that cover trading and advertising but skip cybersecurity entirely.
Score yourself
Count the items where you can produce documentation right now — not "we do that but never wrote it down," but actual evidence you could hand to an SEC examiner this week.
13-15 items: Exam-ready.
Your program is comprehensive. Keep it current with annual reviews and you are in strong shape for examination.
10-12 items: Close the gaps this month.
You have the foundation. Identify the missing items and address them before June 3. Most of these gaps can be closed in a few weeks with focused effort.
7-9 items: Significant work needed — start this week.
You have real gaps. Prioritize the written program items first (Items 1-3), then technical controls, then vendor contracts. You have time but not much.
Below 7: You need help before June 3.
At this level, building a compliant program from scratch in two months is possible but not easy. BlackSheep's RIA compliance platform is built for exactly this situation — it walks you through each item, generates the documentation, and tracks your progress.
What to do next
Start with a free compliance scan to check Items 5, 7, and 8 right now — email authentication, encryption in transit, and security headers. That takes 30 seconds and tells you exactly where your technical controls stand.
For the written program items, the vendor contract updates, and the governance documentation, BlackSheep's Reg S-P compliance module gives you templates tailored to your firm, tracks completion for every item on this list, and produces the evidence package an examiner expects to see.
June 3 is not a suggestion. It is the compliance deadline. Know where you stand.
Find out how many of these 15 items you can check off today.
Run your free Reg S-P compliance scan