You submitted your Form ADV. Your registration is effective. Your first client account is open.
You are now subject to Regulation S-P in full, with no grace period and no reduced requirements for small or newly registered firms.
The SEC's Division of Examinations has made newly registered investment advisers a consistent examination priority. First examinations typically arrive within the first 12 months of registration. The examiners who show up are not doing an orientation visit. They arrive with a document request list, and Reg S-P items are on every version of it.
This article covers what a newly registered RIA needs to build, in what order, and before what deadline.
Why Newly Registered RIAs Face Elevated Reg S-P Risk
The amended Regulation S-P, effective for smaller investment advisers as of June 3, 2026, applies equally to every SEC-registered firm regardless of size, client count, or years in operation. There is no phase-in for new registrants.
The elevated risk for newly registered firms comes from two directions.
First, the SEC examination program actively targets new registrants. The Division of Examinations uses first-year examinations partly as an educational tool and partly as an enforcement gate. Firms that have not built their compliance infrastructure are identified early and flagged for closer scrutiny in subsequent years.
Second, newly registered RIAs are more likely to have compliance gaps at first examination simply because they have been operating for a short time. A solo adviser who focused on building an initial client book in the first six months of registration may have deferred the written policy work that Reg S-P requires. That deferral is visible to examiners as a deficiency.
The combination -- targeted early examination plus likely policy gaps -- makes Reg S-P the single most consequential compliance area for a newly registered firm in its first year.
The Four Reg S-P Documents You Need Before Your First Examination
Under the amended rule, every SEC-registered investment adviser must maintain four categories of written policies and procedures. These four documents are the core of a compliant Reg S-P program:
1. Incident Response Program
A written program describing how the firm will detect, contain, evaluate, and recover from a data breach or unauthorized access to customer information. The program must cover: how the firm identifies covered data and systems, the personnel responsible for responding, escalation procedures, containment steps, and how the firm determines whether customer notification is required.
The 30-day notification clock under Reg S-P starts when the firm determines that unauthorized access has "occurred or is reasonably likely to have occurred." A firm without a written incident response program cannot demonstrate that it has established procedures to make that determination promptly.
2. Service Provider Oversight Policy
A written policy governing the firm's selection, oversight, and contractual management of service providers with access to customer information. This covers your custodian, portfolio management software, CRM, cloud storage provider, email platform, and IT support vendors.
The policy must address initial due diligence, contractual security requirements (including breach notification obligations on the vendor side), ongoing monitoring, and procedures for the termination of vendor relationships. Examiners specifically ask whether vendor contracts include the required Reg S-P notification clauses.
3. Breach Notification Templates
Pre-drafted customer notification letters ready to send within the 30-day clock. The amended rule prescribes minimum content: what information was involved, what the firm has done to contain the breach, what steps the customer can take to protect themselves, and contact information for follow-up.
Having templates ready before a breach occurs is both a regulatory requirement and practical risk management. Drafting notification language under the pressure of an active incident, while also managing remediation, is a documented source of notification failures and 30-day clock violations.
4. Recordkeeping Procedures
Written procedures covering how customer information is stored, who has access to it, how access is logged, and how records are disposed of securely at end of life. The recordkeeping requirements under Reg S-P intersect with the existing books-and-records rules under the Advisers Act, so newly registered firms should ensure their Reg S-P recordkeeping procedures align with their Form ADV Part 2 disclosures about data handling.
A 90-Day Compliance Sequence for New Registrants
The practical challenge for a newly registered RIA is sequencing compliance work alongside building a client base. Here is how to structure the first 90 days.
Days 1-30: Inventory and Documentation
Before writing a single policy, map what you have. For a newly registered solo RIA or small firm, this is straightforward:
- List every system that touches client information: custodian portal, portfolio software, CRM, cloud storage, email, video conferencing platforms used for client meetings
- Identify every employee, contractor, or service provider who can access client data
- Document where client data is stored: which systems, which cloud providers, which physical locations if any
- Review your Form ADV Part 2 privacy notice to confirm it reflects your actual data practices
This inventory becomes the factual foundation for all four required documents. A policy that does not reference your actual systems and personnel is the definition of a generic policy -- and generic policies are a deficiency finding.
Days 30-60: Build the Four Documents
With the inventory in hand, draft or procure the four required Reg S-P documents. Each document should name:
- Your specific custodian and portfolio management systems
- Your designated privacy officer or the role responsible for incident response
- Your actual vendor roster, with a risk tier for each based on the sensitivity of the data they access
- Your specific notification procedures, including how customer contact information is maintained and how notifications are transmitted
The Reg S-P compliance checklist for small investment advisers provides a line-by-line reference for each required element across all five program areas.
Days 60-90: Vendor Contracts and Testing
Review your existing service provider contracts against the Reg S-P contractual requirements. Specifically look for:
- Breach notification obligations running from the vendor to your firm
- Security safeguard requirements appropriate to the sensitivity of the data
- Your right to audit or request security assessments
- Data destruction provisions on termination
Contracts that predate your registration (for example, a custodian agreement signed before your ADV went effective) should be reviewed and flagged for amendment at the next renewal opportunity. Document the review.
Before the 90-day mark, conduct a tabletop walk-through of your incident response procedures. Run through a hypothetical: an unauthorized login to the custodian portal is detected at 9am on a Monday. Who does what, in what order? What constitutes "reasonably likely unauthorized access"? What triggers the 30-day notification clock? Walk through the answer with anyone who has a role in the response.
What the First Examination Will Specifically Ask About Reg S-P
The SEC's examination process for Reg S-P follows a documented pattern. For newly registered firms, expect:
Document request on day one. Before examiners arrive on-site (or before a remote examination begins), you will receive a document request list. Reg S-P items typically include: all written policies and procedures related to information security and privacy, service provider contracts, records of any security incidents or breaches in the past 24 months, and documentation of any policy reviews or updates.
Firm-specificity test. Examiners compare the names in your written policies against the actual vendors in your agreements. If your incident response program refers to a generic "portfolio management system" but your service provider contracts list Charles Schwab as custodian and Orion as your portfolio platform, that disconnect is a finding.
Gaps in contractual requirements. Missing breach notification clauses in vendor contracts are among the most frequently cited Reg S-P deficiencies for small RIAs. Examiners pull contracts and check for the specific required language. If it is absent, it is a deficiency regardless of whether any breach has occurred.
Absence of any tabletop or policy review documentation. For firms registered for more than 12 months, examiners expect evidence that the Reg S-P policies have been reviewed. For newly registered firms in their first year, this expectation is lower but not zero. Document every policy review, even informal ones.
The Annual Rule 206(4)-7 Review: Where Reg S-P Lives Going Forward
Once you have built the initial Reg S-P program, the ongoing obligation is to maintain and review it. The vehicle for that review is the annual compliance review required under Rule 206(4)-7.
The annual Rule 206(4)-7 compliance review is the mechanism through which your Reg S-P policies remain current. As your vendor roster changes, as you add employees, as your technology stack evolves, the policies must be updated to reflect actual firm operations. A policy built in year one and never reviewed is a deficiency waiting to be found.
For newly registered firms, the first annual review should occur within 12 months of the date your Reg S-P policies were adopted. Document the review, document what was updated, and retain that documentation.
The Most Common Reg S-P Mistakes Newly Registered RIAs Make
Starting with a generic compliance manual. Many newly registered RIAs receive a compliance manual from their compliance consultant that contains Reg S-P language as a template. That template is a starting point, not a finished product. Firms that submit it without customization consistently receive deficiency letters on their first examination.
Omitting breach notification templates. The notification template requirement is frequently overlooked. Firms build incident response plans and oversight policies but neglect to draft the actual customer-facing notification letters. Examiners look for them specifically.
Failing to update vendor contracts. Reg S-P's contractual requirements for service providers apply to all existing contracts, not just new ones. Firms that register and assume their pre-existing custodian agreement is compliant without reviewing it for the required clauses are exposed.
Not designating a privacy officer. The amended rule expects a designated individual (or role) responsible for the firm's information security program. For solo advisers, that is typically the owner. The designation should appear in the written policies by name or title.
Waiting for a breach to test the incident response plan. The first time you run through your incident response procedures should not be during an actual incident. A 30-day notification clock that starts running before the firm has established who does what is the fastest path to a regulatory problem.
Frequently Asked Questions
Get Your Reg S-P Documents in 15 Minutes
RegShield generates all four required Reg S-P documents -- Incident Response Program, Service Provider Oversight Policy, Breach Notification Templates, and Recordkeeping Procedures -- customized to your specific firm.
Answer a short intake questionnaire about your custodian, technology vendors, personnel, and data practices. RegShield produces examination-ready PDFs in about 15 minutes, for a one-time fee of $299.
For a newly registered RIA facing its first SEC examination, getting these documents in place now is the highest-return compliance investment you can make.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.