• Link to LinkedIn
  • Link to Facebook
  • Link to X
  • Link to Youtube
  • Service: 866-692-9082
  • Customer Portal
  • Sales: 866-792-6638
  • Get A Quote Now
E-N Computers
  • Managed IT Services
    • Managed Services Plans
      • Fully Managed
      • Co-Managed
      • CMMC & Compliance
    • Support & Management
      • Help Desk Services
      • Onsite IT Services
      • Account Management
      • M365 Administration
    • Security & Compliance
      • Cybersecurity
      • IT Compliance Consulting
      • CMMC Consulting
    • Monitoring & Maintenance
      • Backups & Disaster Recovery
      • Patch Management
      • Network Monitoring & Incident Response
  • Professional IT Services
    • IT Consulting
      • CMMC Consulting
      • CMMC Gap Analysis
      • Cybersecurity
      • IT Consulting
    • On-Site & Staffing
      • Network Projects
      • Office IT Relocation
      • Security Cameras
      • IT Staff Augmentation
    • Telecommunications
      • Business VoIP Telephone Service
      • Business Internet Service
      • Electronic Fax Service
    • Emergency IT Services
  • Learning Center
    • Business-IT Strategy
    • Cybersecurity
    • IT Hiring & Staffing
    • Managed IT Services
    • Videos
    • E-Rate Resources
  • About
    • Testimonials
    • Team
    • Partners
    • Areas We Serve
    • Our Process
    • Careers
  • Pricing
    • Service Plans
    • Managed Services Pricing Calculator
    • Consulting
    • VoIP
    • Projects & Professional Services
  • Contact
  • Menu Menu
  • Managed IT Services
  • Professional Services
  • Learning Center
  • About
  • Pricing
  • Contact

Reg S-P compliance after June 3: what SEC examiners will look for

Title text: Ready for your Reg S-P exam? Prove that your policies are enforced. Background shows a man looking through hanging file boxes.

by Scott Jack
Content Contributor, E-N Computers
More than a decade of experience in technical support including end user support, mobile device management, application deployment, and documentation.

The June 3, 2026 deadline for smaller RIAs to comply with the amended Reg S-P has passed. You wrote an incident response plan, updated your policies, and have a breach notification template from counsel. 

But can you prove that your policies are “implemented and enforced”? 

The SEC’s Division of Examinations named the 2024 Reg S-P amendments a standalone priority for fiscal year 2026. In other words, examiners are actively testing firms on this rule right now. Policies are not enough; they must be followed in practice. 

QUICK ANSWER:

What will an SEC examiner check for Reg S-P compliance now that the deadline has passed?

The SEC named Reg S-P amendments a standalone 2026 examination priority. Examiners want proof that your policies are enforced. You need dated records of vendor oversight, evidence that your incident response plan has been tested, written notification commitments from vendors like your IT provider, and documentation of the reasoning behind any decision not to notify a customer. 

Table of Contents

  1. Five core requirements your examiner will look for
  2. What your IT provider should be able to hand you
  3. Look out for these red flags
  4. A warning for small broker-dealer affiliates
  5. If you’re not sure your file would hold up

Five core requirements your examiner will look for

Examiners are looking for concrete, dated proof that your policies are “implemented and enforced”, not collecting dust on a shelf. 

 

  • A written incident response program. It must cover how your firm detects, contains, and recovers from unauthorized access to customer information. Since examiners are looking for proof of implementation, they’ll want to see a record of a  tabletop scenario, the date it happened, who took part, and what changed as a result. 
  • Monitoring and logging. If you don’t have properly configured monitoring and logging tools, you won’t know about breaches that require customer notification. These tools should be looking at email and endpoints (like workstations, servers, and mobile devices) that are used for work.  
  • Service provider oversight with a 72-hour clock. Every vendor that touches customer data — especially your IT provider — needs to have committed in writing to notify your firm within 72 hours of a breach on their systems. 
  • Customer notification within 30 days. The clock on notifying customers about a breach begins when you become aware of facts that reasonably indicate a breach involving sensitive customer information has occurred. Examiners want to see proof that there’s a notification system in place. And if you become aware of facts that reasonably indicate a breach, but decide not to notify customers, you should have a record of how that decision was made, when, and by whom. 
  • Five years of recordkeeping. You need to retain documentation of your safeguards and disposal procedures for five years.  

What your IT provider should be able to hand you

Reg S-P defines a “covered service provider” as any vendor that receives, maintains, processes, or accesses customer information on behalf of a covered institution. That covers almost every managed IT provider with remote access to your systems — your email, your document storage, your client files, your devices. 

If your IT provider fits that description, an examiner will expect your vendor oversight file to include them by name, with dates, and your own documented review of that relationship at least once a year. These four documents satisfy the obligations above. 

  1. A signed 72-hour notification commitment. The clock should start when they become aware of facts that would lead a reasonable person to believe an incident occurred — not once they’ve confirmed the full scope. This is the document that satisfies service provider oversight. 
  2. A record of an annual tabletop exercise. A dated record that a test happened, with notes on who participated and what it covered. This proves that you practiced the incident response plan with them. 
  3. A summary of their written information security program.It doesn’t need to expose internal security details, but it needs to confirm the program exists, what it covers, and how it’s maintained. 
  4. A written security attestation. A letter, signed by an authorized representative, confirming their program is in place, that no undisclosed security events have occurred, and that relevant staff completed security training. 

Look out for these red flags

Some gaps are easy fixes — a missing addendum, an updated notification clause. Others mean your provider fundamentally can’t do what the rule requires. 

  • No written security policies.If they can’t produce documentation quickly, they’re scrambling to put something together. 
  • Pushback on a contract addendum. A provider that has experience working with regulated clients understands that a contract addendum obligating them to uphold certain standards, like 72-hour reporting, is reasonable even if not strictly required. 
  • Vague response times and notification timelines. If they won’t commit in writing to notifying you of a possible breach within 72 hours, that is a non-starter. If they are vague about response times, expect slowness and delays that can turn into serious problems over time. 
  • No annual review or attestation on file. A dated record either exists or it doesn’t. 
  • No visibility into your systems. A provider can’t notify you of an incident they can’t detect. Without monitoring — endpoint detection, logging, security event management — there’s no way to know something went wrong in the first place. 

Any one of these can turn into a formal deficiency finding. Deficiency letters can be referred to the SEC’s Division of Enforcement, which can mean penalties or having to return investor funds. 

What exam-ready looks like

When E-N Computers onboards an RIA client, the contract includes a formal information security addendum: it defines what counts as a security event, commits E-N Computers in writing to 72-hour notification, specifies what that notification has to include, and spells out cooperation obligations if the client faces an SEC exam. 

The written information security program behind it covers eleven domains — access controls, multi-factor authentication, encryption, endpoint security, incident detection and response, vendor and subcontractor management, personnel screening, physical security, audit logging, change management, and annual review — built on NIST 800-53, the same nationally recognized control baseline that Reg S-P uses. “This is stuff you should be doing anyway,” MacRae said.  

Within 60 days of engagement, clients get a written summary of that program — enough detail to satisfy vendor oversight obligations without exposing sensitive security specifics. Every year, and on request, they get a signed attestation letter confirming the program is in place, that no undisclosed security events have occurred, and that staff completed security training. The full package includes a tailored incident response plan, a Microsoft Secure Score report with a remediation roadmap, and a security control inventory — the same documents an examiner would ask for, already assembled. 

If you’re not sure your file would hold up

The fastest way to find a gap is to ask your provider for the four documents above and see how quickly they show up. If the answer is silence, a vague email, or a request for more time, you have your answer. 

E-N Computers works with registered investment advisors across Virginia and the Washington, DC metro area, and builds this documentation into the relationship from day one. 

Schedule a complimentary consultation with E-N Computers → 

Not sure if you need managed IT services?

Take the IT Maturity Self-Assessment

IT maturity assessment

In a few minutes, get actionable insights on your IT strategy, plus a free strategic consultation.

Take the Assessment
Contact
Search Search

Categories

  • Best of
  • Business-IT Strategy
  • Compliance
  • Cybersecurity
  • Internet, Telephone, & VoIP
  • IT Hiring
  • Managed IT Services
  • Tech Tools & Tips
  • Uncategorized

Recent Posts

  • Reg S-P compliance after June 3: what SEC examiners will look for July 14, 2026
  • CMMC Phase 2 is suspended. What Virginia defense contractors should do now. July 14, 2026
  • How to buy GCC High and what’s involved July 2, 2026
  • Signs your IT provider has gone downhill — and what to do about it June 22, 2026
  • How to evaluate your IT provider for Reg S-P compliance June 22, 2026
EN Computers logo

Industries

Accounting & CPA

Construction & Architecture

Defense Contractors

Education (K-12)

Financial Services

Government Contractors

Healthcare

Investment Advisors

Law Firms

Manufacturers

Marketing & Advertising

Nonprofit Organizations

 

 

Locations

Waynesboro, VA
Corporate HQ

215 Fifth St.
Waynesboro, VA 22980

Sales: 540-217-6261
Service: 540-885-3129
Accounting:  540-217-6260
Fax: 703-935-2665

Washington D.C.
1126 11th ST. NW
Suite 603
Washington, DC 20001-4366

Sales: 202-888-2770
Service: 866-692-9082

VA DCJS # 11-6604

Locations

Harrisonburg, VA
45 Newman Ave.
Harrisonburg, VA 22801

Sales: 540-569-3465
Service: 866-692-9082

Richmond, VA
3026A W. Cary St.
Richmond, VA 23221

Sales: 804-729-8835
Service: 866-692-9082

Website by Abstrakt Marketing Group © 2026
  • Privacy Policy
  • Sitemap
  • Linkedin
  • Facebook
  • Youtube
Scroll to top Scroll to top Scroll to top