
SEC Regulation S-P Compliance Checklist for Small Investment Advisers

Rees Calder · June 15, 2026 · 10 min read

Reg S-P is now in force for all SEC-registered advisers and is a named SEC FY2026 examination priority. This checklist covers the five required program elements so you can assess where you stand before an examiner does.


Why a Checklist Matters Here

Most compliance obligations are described in rules, not in actionable lists. That gap creates the most common Reg S-P problem for small firms: advisers who believe they are compliant because they have thought about cybersecurity, without having built and documented a program.

The SEC's examination division has been explicit. Examiners look for written policies. They ask for documentation. An undocumented program -- however thoughtful -- fails the first test.

This checklist organizes the five required elements of a Reg S-P compliance program into verifiable steps. Work through it, document each item, and you have the foundation of an exam-ready program.

Use it alongside your annual Rule 206(4)-7 compliance review, which is the natural home for Reg S-P in your compliance calendar. If you need background on how the two fit together, read the Reg S-P and annual Rule 206(4)-7 review guide first.


The Five Required Elements

The SEC's amended Reg S-P (amendments adopted in May 2024, with compliance required from December 2025 for larger entities and June 2026 for smaller entities) requires every registered investment adviser to maintain a written program covering five areas. Each section below translates the rule into checkable steps.


Element 1: Incident Response Program

Your incident response program documents how your firm detects, contains, investigates, and notifies clients of unauthorized access to their information. The SEC requires this to be written and reasonably designed for your firm's size and operations.

Checklist

  • [ ] Written policy exists. Your incident response plan is a document, not a mental model. It names who is responsible for each step and what the steps are.
  • [ ] Triggering events defined. The policy defines what counts as a "covered" incident: any unauthorized access to or use of customer information that has occurred or is reasonably likely to have occurred, not just confirmed breaches.
  • [ ] Containment procedures documented. The policy includes steps to stop further access or exfiltration once an incident is detected.
  • [ ] Investigation process documented. The policy covers how you assess scope and determine what customer information was accessed.
  • [ ] 30-day notification requirement addressed. The policy acknowledges that affected customers must be notified as soon as practicable, and no later than 30 days after you become aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, unless a reasonable investigation shows that the sensitive customer information has not been, and is not reasonably likely to be, used in a way that causes substantial harm or inconvenience. Delay is available only where the U.S. Attorney General determines in writing that notice poses a substantial risk to national security or public safety; an ordinary police report does not stop the clock.
  • [ ] Notification template drafted. You have a written template for customer breach notifications so you are not drafting from scratch under pressure.
  • [ ] Annual tabletop exercise scheduled. You review the plan at least once a year and walk through a hypothetical scenario to test your readiness.

For a detailed breakdown of the breach notification requirements, see the Reg S-P breach notification requirements guide.


Element 2: Service Provider Oversight Program

The amended rule added an explicit service provider oversight requirement. If any third party receives, maintains, processes, or is otherwise permitted access to customer information through the services it provides to you, you need a documented oversight program covering them.

Checklist

  • [ ] Service provider inventory completed. You have a written list of every vendor that touches client data: custodians, portfolio management software, CRM, email provider, document storage, payroll processor.
  • [ ] Due diligence documented for each provider. For each vendor, you have recorded what due diligence you performed before onboarding (review of their security practices, SOC 2 reports, privacy policy, or equivalent).
  • [ ] Contractual requirements in place. Your agreements with data-handling vendors require them to maintain appropriate safeguards and to notify you of a breach of a system holding your customer information as soon as possible, and no later than 72 hours after they become aware of it, which is the outer limit the amended rule sets. Many vendor agreements include a notification clause by default, but few specify a 72-hour window; read the clause rather than assuming it is there.
  • [ ] Ongoing monitoring process defined. Your policy describes how you monitor service providers going forward (annual review of their security documentation, response to incident notifications).
  • [ ] Termination procedures documented. Your policy addresses how customer data is returned or destroyed when you end a vendor relationship.

For a comprehensive treatment of the vendor management requirements, see the Reg S-P vendor management guide.


Element 3: Information Safeguards and Technical Controls

The safeguards rule, which predates the 2024 amendments, requires technical controls protecting customer records and information. The amendments strengthen this by connecting it explicitly to your incident response and vendor programs.

Checklist

  • [ ] Data inventory completed. You know what customer information you hold, where it is stored (local, cloud, custodian systems), and who has access.
  • [ ] Encryption in use. Customer information stored digitally is encrypted at rest and in transit. Most cloud platforms handle this by default; confirm it is active for your configuration. Note what provider-managed encryption does and does not do: it protects data on a lost disk or a decommissioned server, but not against someone who signs in with a stolen password, which is why the next item matters at least as much.
  • [ ] Multi-factor authentication enabled. MFA is enforced, not merely available, on email, portfolio management systems, CRM, and any other platform holding customer information. For administrator accounts, prefer phishing-resistant methods (hardware security keys or passkeys) over SMS codes.
  • [ ] Patch management process documented. Your policy describes how you handle software and operating system updates for firm devices.
  • [ ] Device security addressed. Your policy covers what happens if a firm device is lost or stolen (remote wipe capability, encryption).
  • [ ] Email security configured. Your email service has spam filtering and phishing protection, and your sending domain publishes SPF and DKIM records with a DMARC policy on top of them. A DMARC record set to p=none only monitors; spoofed mail using your domain is still delivered. Move to p=quarantine or p=reject once you have confirmed your legitimate senders pass.
  • [ ] Physical security considered. If you maintain paper records with customer information, your policy describes physical access controls and disposal procedures.
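The SPF and DMARC item above is the one control on this list you can verify mechanically rather than by reading a policy. The script below is an added example written for this checklist, not RegShield's code and not anything from the rule text: it parses SPF and DMARC TXT records and flags the weak settings an examiner's IT reviewer would notice (`+all`, `p=none`, `pct` below 100, no aggregate reporting address, too many DNS lookups). The records it audits are constructed samples for a hypothetical domain, example-ria.com, embedded so the script runs offline; in practice you would paste in the output of `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com`.

```python
"""Offline audit of SPF and DMARC TXT records for weak settings.

Added example for the Reg S-P email-security checklist item. The sample
records below are constructed for a hypothetical domain (example-ria.com)
and are not real DNS data; substitute your own domain's TXT records.
"""
import re

# Constructed sample records (hypothetical domain, not looked up from DNS).
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.google.com +all"
SAMPLE_SPF_GOOD = "v=spf1 include:_spf.google.com -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example-ria.com"
SAMPLE_DMARC_GOOD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc@example-ria.com; ruf=mailto:dmarc@example-ria.com; "
    "adkim=s; aspf=s"
)

# SPF mechanisms and modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mech_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]


def audit_spf(record: str) -> list[str]:
    """Return findings for one SPF TXT record; an empty list means nothing flagged."""
    findings: list[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1 prefix)"]
    mechanisms = terms[1:]

    # The 'all' mechanism decides what happens to senders not matched earlier.
    all_terms = [t for t in mechanisms if _mech_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unmatched senders are treated as neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet to send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: receivers treat unlisted senders as unverified")
        elif qualifier == "~":
            findings.append("'~all' (softfail) is acceptable only while inventorying senders; move to '-all'")

    lookups = sum(1 for t in mechanisms if _mech_name(t) in _LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying mechanisms exceeds the 10-lookup limit (permerror)")
    if any(_mech_name(t) == "ptr" for t in mechanisms):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Return findings for one DMARC TXT record; an empty list means nothing flagged."""
    findings: list[str] = []
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(f"malformed tag '{part}'")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; the record is not a valid policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")

    pct = tags.get("pct", "100")  # percentage of failing mail the policy applies to
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no 'rua' tag: you receive no aggregate reports and cannot see spoofing attempts")

    subdomain_policy = tags.get("sp", "").lower()
    if policy == "reject" and subdomain_policy in ("none", "quarantine"):
        findings.append(f"sp={subdomain_policy} weakens the policy for subdomains")
    return findings


if __name__ == "__main__":
    for label, record, audit in (
        ("SPF (weak)", SAMPLE_SPF_WEAK, audit_spf),
        ("SPF (good)", SAMPLE_SPF_GOOD, audit_spf),
        ("DMARC (weak)", SAMPLE_DMARC_WEAK, audit_dmarc),
        ("DMARC (good)", SAMPLE_DMARC_GOOD, audit_dmarc),
    ):
        print(f"{label}: {record}")
        for finding in audit(record) or ["no issues found"]:
            print(f"  - {finding}")
```

Run it once against your own records and file the output with the annual review; a clean result is the kind of dated, specific evidence an examiner can accept for this item. The checks are deliberately conservative: a softfail `~all` or a missing `rua` is reported as a finding so that you decide whether it is acceptable rather than the script deciding for you.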

The Reg S-P cybersecurity controls guide covers the technical requirements in detail.


Element 4: Access Controls

Access controls limit who inside and outside your firm can view or modify customer information. For a solo practitioner, this section is straightforward but still requires documentation.

Checklist

  • [ ] Role-based access documented. Your policy states who has access to what, and why. For a solo RIA, this might be a one-sentence statement that only you have access to client records, plus specific grants for your compliance consultant or IT provider.
  • [ ] Third-party access reviewed annually. Any person or system with standing access to customer data is reviewed at least annually and access is revoked when no longer needed.
  • [ ] Password policy documented. Your policy requires strong, unique passwords for systems holding customer data, and prohibits password sharing.
  • [ ] Privileged access limited. Administrative access to key systems is limited to the minimum number of people necessary.
  • [ ] Offboarding process documented. Your policy describes how access is revoked when an employee or contractor leaves.

Element 5: Recordkeeping

Compliance without documentation is not compliance. Reg S-P and Rule 204-2 together require you to maintain records demonstrating your program exists, is reviewed, and is followed.

Checklist

  • [ ] Policies and procedures filed. Your written Reg S-P policies are stored in your compliance files and accessible for examination.
  • [ ] Incident log maintained. You keep a record of any potential security incident, the investigation you performed, its disposition (confirmed incident, false alarm, or an incident for which you determined notification was not required, with the reasoning), and any notifications sent. The decision not to notify needs a written record as much as a notification does.
  • [ ] Vendor due diligence records filed. Documentation of your service provider reviews is stored and accessible.
  • [ ] Annual review documented. Each annual Rule 206(4)-7 compliance review includes a section specifically addressing Reg S-P, with a notation of any changes to your program and the date of the review.
  • [ ] Training records maintained. If you have employees who handle customer information, you document any training provided on security practices.
  • [ ] Breach notification records retained. Any breach notification letters sent to customers are retained in your files.

Pulling It Together: What to Build

Working through the five checklists above surfaces the documentation gaps in your current program. Most small firms that run this exercise find they have some of the substance already (good password hygiene, encrypted storage, reputable custodians) but are missing the written policies that translate that substance into a compliant program.

The four core documents every small RIA needs to produce are:

  1. Incident Response Program -- your written policy covering detection through notification
  2. Service Provider Oversight Policy -- your vendor inventory, due diligence records, and ongoing monitoring process
  3. Breach Notification Templates -- pre-drafted customer and regulatory notification letters
  4. Recordkeeping Procedures -- how your compliance files are organized and maintained

For a full breakdown of these four documents, see the four documents every RIA needs for Reg S-P.


Exam Readiness: What Happens If You Are Selected

Being selected for an SEC examination is not a crisis. It is a test of documentation. Examiners from the SEC's Division of Examinations (formerly OCIE, the Office of Compliance Inspections and Examinations) will typically send a document request list that includes your Reg S-P policies and related records.

The examiners are not looking for a perfect program. They are looking for evidence that you have thought systematically about the requirements, built a program appropriate for your firm's size, and reviewed it at least annually.

Firms that can produce organized documentation on short notice fare significantly better than firms that scramble to reconstruct their program after the request arrives. The difference between a brief deficiency letter and a more serious examination outcome often comes down to how prepared you are to respond.

For a detailed walkthrough of how a Reg S-P examination unfolds, including the full document request list and the five most common deficiencies, see the SEC examination readiness guide.


Building Your Program

If you have worked through the checklists and identified gaps, you have two paths:

Build from scratch. Use the checklists above as your outline. Draft each policy section, work through the vendor inventory, and build your documentation filing structure. Expect to invest several hours, plus additional time reviewing your vendor agreements.

Use a structured tool. RegShield generates all four required Reg S-P documents for your firm in about 15 minutes. You answer questions about your firm, your vendors, and your data practices. The tool produces ready-to-file policies customized to your answers. Get your compliance documents for $299 at regshield.co/start.

Either path produces a compliant program. The difference is time and error risk. Purpose-built tools reduce the chance that a DIY policy misses a required element.


The SEC has made Reg S-P an FY2026 examination priority. Small firms are not exempt from examination. Run the checklists now, identify your gaps, and build your program before an examiner asks for it.


Rees Calder

Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.
