You're a one-person firm. You manage client portfolios, handle onboarding, answer the phones, and somehow keep up with continuing education. Now the SEC wants you to build a cybersecurity program.
It sounds absurd. You're a financial adviser, not a CISO.
But here's the thing: roughly 15,000 SEC-registered RIAs are solo practitioners, and the SEC knows it. The amended Reg S-P requirements weren't written for Goldman Sachs alone. They were written with you in mind too, and the compliance bar is lower than you probably think.
This guide breaks down exactly what Reg S-P compliance looks like for a solo RIA. No consultant jargon, no $10,000 invoices, just the practical steps to protect your clients' data and satisfy the SEC.
What Reg S-P Actually Requires from You
The SEC adopted amended Regulation S-P in July 2023, with the rule becoming effective June 3, 2025. Small entities received an extended compliance timeline pushing full compliance to approximately December 2026.
The core requirement is straightforward: you must adopt written policies and procedures to protect customer records and information. Specifically, the amendments require:
- Written information security policies and procedures
- An incident response program for unauthorized access to customer information
- Oversight of service providers that handle customer data
- Documentation that you can produce during an examination
That's the framework. Four pillars. Let's walk through each one as it applies to your one-person firm.
Pillar 1: Your Written Information Security Policy (WISP)
A WISP is the foundation of your compliance program. Think of it as a written record of how you protect client data. Not a wish list. A description of what you actually do.
For a solo RIA, your WISP needs to cover:
What data you collect and where it lives. Client names, Social Security numbers, account numbers, financial information. List the systems where this data resides: your CRM, portfolio management software, email, custodian portals, and any local files.
How you protect that data. This means your specific security controls. Encryption on your laptop. Multi-factor authentication on client-facing accounts. How you dispose of old records. Your password policy.
Who has access. For a solo firm, this section is mercifully short. It's you. But document it anyway, and include any virtual assistants, contract CPAs, or other third parties who might touch client information.
How you review and update the policy. The SEC expects your WISP to be a living document. Set a calendar reminder to review it annually. Note the review date each time, even if nothing changes.
Your WISP doesn't need to be 50 pages. For a solo practice, 8 to 15 pages typically covers everything. The SEC cares that it's specific to your firm, not copied from a generic template with your name pasted on top. For a deeper look at the documentation requirements, see our guide to the four documents every RIA needs.
Pillar 2: Access Controls and Authentication
This is where Reg S-P compliance for solo RIA firms gets practical. You need to demonstrate that you've implemented "reasonable" safeguards. For a solo practitioner, that means:
Multi-Factor Authentication (MFA)
Enable MFA on everything that touches client data. Your custodian portal, CRM, email, portfolio management software, and cloud storage. Every one of them. This is non-negotiable and the single highest-impact security step you can take.
Most of these platforms already offer MFA. Use an authenticator app (Microsoft Authenticator or Google Authenticator, both free) rather than SMS codes, which are vulnerable to SIM-swapping.
Password Management
Use a password manager. 1Password ($36/year for individual) or Bitwarden ($10/year) will generate and store unique, complex passwords for every account. Stop reusing passwords across services. The SEC doesn't require a specific password manager, but they do expect you to have a documented approach to credential management.
Device Security
Three things to confirm today:
- Full-disk encryption is enabled on your laptop (FileVault on Mac, BitLocker on Windows). Both are built into the operating system at no extra cost.
- Automatic screen lock activates after 5 minutes of inactivity.
- Remote wipe capability is configured in case your device is lost or stolen. Apple's Find My and Microsoft's Find My Device handle this.
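As an added example (not part of the original article), here is a small macOS self-check for these device items that a solo adviser can run before each annual WISP review. It assumes the macOS `fdesetup` and `defaults` commands; remote wipe (Find My) and the "require password after screen saver" setting have no command-line status this script relies on, so it lists them as manual confirmations.

```shell
#!/bin/sh
# Added example, not from the original article: macOS device-security self-check
# for the Pillar 2 items (full-disk encryption, 5-minute screen lock).
# Assumes macOS 'fdesetup status' and 'defaults read com.apple.screensaver idleTime'.
# The dated PASS/FAIL lines can be pasted into the WISP as evidence of the review.

MAX_IDLE_SECONDS=300   # the article's 5-minute screen lock threshold

# filevault_ok STATUS_TEXT: 0 when 'fdesetup status' output reports FileVault On.
filevault_ok() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# screenlock_ok IDLE_SECONDS: 0 when the screen saver idle time is a number,
# non-zero (0 means "never") and no longer than MAX_IDLE_SECONDS.
screenlock_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # missing key or not a number
    esac
    [ "$1" -gt 0 ] && [ "$1" -le "$MAX_IDLE_SECONDS" ]
}

# check LABEL CMD ARGS...: run one control check, print a dated PASS/FAIL line.
check() {
    label=$1; shift
    if "$@"; then status=PASS; else status=FAIL; fi
    printf '%s  %-34s %s\n' "$(date +%Y-%m-%d)" "$label" "$status"
}

# run_device_check: query the live system and print the review lines.
run_device_check() {
    fv_text=$(fdesetup status 2>/dev/null)
    check "Full-disk encryption (FileVault)" filevault_ok "$fv_text"
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    check "Screen saver idle <= 5 min" screenlock_ok "$idle"
    # No CLI status used here: confirm these two in System Settings and note it.
    printf '%s  %-34s %s\n' "$(date +%Y-%m-%d)" "Require password after screen saver" MANUAL
    printf '%s  %-34s %s\n' "$(date +%Y-%m-%d)" "Remote wipe (Find My) enabled" MANUAL
}

# Only run the live check where the macOS tools exist (the functions above
# can still be exercised with sample output on any system).
if command -v fdesetup >/dev/null 2>&1; then
    run_device_check
fi
```

Run it on the laptop that holds client data and keep the output with the WISP review notes; a FAIL line is a control to fix, not to document as compliant.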
Network Security
If you work from a home office, make sure your Wi-Fi uses WPA3 (or at minimum WPA2) encryption with a strong password. If you work from coffee shops or co-working spaces, use a VPN. NordVPN or ExpressVPN runs $100 to $120 per year. This isn't optional when you're accessing client data on shared networks.
Pillar 3: Vendor Oversight
Your solo firm probably relies on five to ten third-party vendors: a custodian (Schwab, Fidelity, Pershing), a CRM (Wealthbox, Redtail), portfolio software (Orion, Black Diamond), email (Microsoft 365, Google Workspace), and maybe a financial planning tool (MoneyGuidePro, eMoney).
The amended Reg S-P requires you to oversee these service providers. That doesn't mean auditing Schwab's data centers. It means documenting three things for each vendor:
- What client data they access or store. A simple spreadsheet works. Vendor name, data types shared, purpose.
- What security commitments they've made. Most of your vendors publish SOC 2 reports or security whitepapers. Download them. If a vendor can't tell you how they protect your clients' data, that's a red flag.
- How you'd respond if they had a breach. Know each vendor's breach notification process. Most custodians and major RIA software providers have incident notification clauses in their service agreements.
You're not expected to conduct on-site audits of Charles Schwab. You are expected to have done reasonable diligence and documented it. We cover this process in detail in our vendor management requirements guide.
Pillar 4: Incident Response Program
The amended rule explicitly requires a written incident response program. For a one-person firm, this doesn't need to be a 40-page playbook. It needs to answer four questions:
- How will you detect a breach? Enable login alerts on all financial accounts. Review account activity weekly. Set up email alerts for new device sign-ins.
- What will you do when you find one? Document your steps: isolate the affected system, change credentials, assess what data was exposed, preserve evidence.
- Who will you notify? Your clients, the SEC (via Form ADV amendment if material), your custodian, and potentially state regulators depending on the data involved. Know the timelines. The amended Reg S-P requires notification no later than 30 days after detection.
- How will you prevent it from happening again? After any incident, document what went wrong and what you changed.
The SEC wants to see that you've thought through these scenarios before they happen. Writing the plan forces you to think through your response while you're calm, not while you're panicking at 2 a.m.
For a step-by-step approach to building your incident response program, see our incident response plan guide.
The "Reasonableness" Standard: What the SEC Actually Expects
Here's the part that should let you sleep at night. The SEC uses a "reasonableness" standard for Reg S-P compliance. This means your security program must be appropriate to the size and complexity of your firm, the nature of your activities, and the sensitivity of the data you handle.
A solo RIA managing $100M in client assets through a single custodian has a fundamentally different risk profile than a multi-office firm with 200 employees, proprietary trading algorithms, and client data spread across 30 systems.
The SEC knows this. Their examination staff knows this. During an exam, they're looking for evidence that you've made a genuine, documented effort to protect client information proportionate to your firm's operations. They are not expecting a solo practitioner to have a dedicated security operations center.
What they will not accept: nothing. Having zero written policies, no documented procedures, and no evidence of security controls is the fastest way to receive a deficiency letter, or worse. The bar is reasonable, but it's not zero.
What This Costs: Budget Reality for Solo Firms
Let's talk real numbers.
DIY approach: $500 to $1,000 per year, plus 40 to 80 hours of your time. The cash covers a password manager ($10 to $36/year) and a VPN ($100 to $120/year); the rest is your own time spent researching requirements and writing policies from scratch. The risk: you might miss something, and your time has real opportunity cost.
Compliance consultant: $5,000 to $15,000 for initial setup. A consultant will build your WISP, document your controls, and create your incident response plan. Good ones are thorough. But for a firm generating $200K to $500K in revenue, that's a significant percentage of gross income for a project you'll need to maintain yourself afterward. We break down these costs in our true cost of compliance analysis.
Purpose-built compliance toolkit: $299 (one-time, with RegShield). This is the middle path. You get pre-built policy templates tailored to your firm's specifics, a guided process for documenting your controls and vendor oversight, and an incident response framework you can customize in an afternoon. You still need to understand what you're signing, but you're not starting from a blank page.
Timeline: What to Do First
If you haven't started yet, here's your priority order:
This week: Enable MFA on every account that touches client data. Install a password manager. Verify your laptop encryption is on. These three steps take under two hours and address the highest-risk items immediately.
This month: Draft your WISP. Even a rough first version puts you ahead of firms with nothing documented. List your vendors and the client data each one handles.
Within 90 days: Complete your incident response plan. Conduct your vendor due diligence (download SOC 2 reports, review service agreements). Review your full program for gaps.
Ongoing: Review your WISP annually. Update vendor documentation when you add or change providers. Test your incident response plan once a year, even if it's just a tabletop walkthrough where you talk yourself through a hypothetical scenario.
The extended compliance timeline for small entities runs through approximately December 2026. That feels far away. It isn't. SEC examination staff have already started asking about Reg S-P compliance during routine exams, even before the formal deadline.
Stop Guessing, Start Documenting
Reg S-P compliance for a solo RIA is not the nightmare it appears to be on first read. The SEC designed the rule to scale. You don't need enterprise security. You need documented, reasonable controls that match the reality of your practice.
The firms that get in trouble aren't the ones with imperfect programs. They're the ones with no program at all.
RegShield's $299 compliance toolkit gives solo practitioners the templates, frameworks, and guided process to build a compliant program in hours, not weeks. Every document is tailored to your firm's specific details, so you're not submitting generic boilerplate that an examiner will see through immediately.
Your clients trust you with their financial future. Showing the SEC you take their data security seriously isn't just a compliance box to check. It's the right thing to do.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.