The amended SEC Regulation S-P deadline is June 3, 2026. For most small RIAs, the honest answer to "are we ready?" is somewhere between "probably not" and "I have no idea."
That uncertainty is the real problem. You cannot fix what you have not measured.
Why Self-Assessment Matters
The amended Regulation S-P is not a single requirement you either meet or do not. It spans four distinct compliance areas, each with its own set of obligations:
- Incident Response -- your written plan for detecting, containing, and recovering from security incidents
- Service Provider Oversight -- how you evaluate and monitor vendors with access to customer data
- Breach Notification -- your procedures for notifying affected customers within 30 days
- Recordkeeping -- how you document, store, and protect compliance records
Most firms are stronger in some areas than others. You might have a solid incident response plan but no vendor inventory. You might retain records for five years but lack pre-drafted notification templates. A blanket "we need to get compliant" approach wastes effort on areas where you are already prepared and misses the areas where you are exposed.
A structured self-assessment tells you exactly where the gaps are, so you can focus your time and budget where they matter most.
What the Assessment Covers
We built a free Reg S-P Compliance Readiness Checker that evaluates your firm across all four compliance areas. It takes about three minutes and requires no signup or personal information.
The assessment asks 15 questions across the four categories. For each question, you indicate whether your firm fully addresses the requirement (Yes), partially addresses it (Partially), or does not address it at all (No).
Here is what each category evaluates:
Incident Response (4 questions)
Whether you have a written plan, whether it covers detection procedures, whether you have tested it recently, and whether roles and responsibilities are clearly assigned. This is the area where the SEC has been most explicit about what it expects.
Service Provider Oversight (4 questions)
Whether you maintain a vendor inventory, whether contracts include breach notification requirements, whether you conduct periodic security reviews, and whether you have assessed data sensitivity by vendor. This is typically the weakest area for small firms because it requires ongoing effort, not just a one-time document.
Breach Notification (4 questions)
Whether you have documented 30-day notification procedures, pre-drafted templates, a customer scoping process, and awareness of state-level obligations. This area catches firms off guard because the 30-day clock starts ticking the moment you become aware of a breach, leaving no time to build processes from scratch.
Recordkeeping (3 questions)
Whether you maintain a structured incident log, meet the 5-year retention requirement, and have access controls on compliance records. This is often the easiest area to address but also the easiest to overlook.
How Scoring Works
Each question awards full points for "Yes," half points for "Partially," and zero points for "No." Your overall score is a percentage across all 15 questions.
Categories are rated individually:
- 80-100%: Strong. Your firm has solid coverage in this area. Verify with counsel and maintain what you have.
- 50-79%: Needs Work. You have a foundation but meaningful gaps remain. Prioritize filling them before the deadline.
- 0-49%: At Risk. This area represents significant compliance exposure. Address it immediately.
The assessment also identifies each specific gap and explains the risk it creates. This makes it straightforward to build a remediation plan.
What to Do With Your Results
Your results are a roadmap, not a verdict. Here is how to use them:
If you scored above 80% overall: You are in good shape. Review your policies with legal counsel, ensure your team is trained on them, and run a tabletop exercise if you have not already. Compliance is about implementation, not just documentation.
If you scored 50-79% overall: You have work to do, but it is manageable before June 2026. Focus on the specific gaps the assessment identified. In most cases, the fixes are straightforward: draft a missing procedure, create a vendor inventory, prepare notification templates.
If you scored below 50% overall: Treat this as urgent. You have significant gaps across multiple compliance areas. The good news is that the required documents can be generated quickly with the right tools. RegShield produces all four required policy documents, customized to your firm, in about 15 minutes.
Take the Assessment
The Reg S-P Compliance Readiness Checker is completely free. No signup, no email required, no data stored. It runs entirely in your browser.
Three minutes now could save you from a compliance failure later. The deadline is not moving, but your readiness can.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.