The Gap Between Policy and Practice
Updated June 2026: the Reg S-P compliance dates have passed and the rule is now in force, named an SEC FY2026 examination priority.
In its FY 2025 examination sweep, the SEC found that nearly 40% of examined RIAs had cybersecurity policies that did not match their actual implementations. The firms had documentation. They had binders full of procedures. What they did not have was evidence that any of it was being followed.
The amended Regulation S-P is designed to close that gap. The smaller-entity compliance date was June 3, 2026, and it has now passed, so the rule is live for every SEC-registered adviser.
This guide covers the specific technical controls you need to implement, what the SEC actually looks for during examinations, and how to get it done on a small-firm budget. If you need background on the rule itself, start with our overview of Reg S-P for small RIAs.
What the Amended Rule Actually Requires
The SEC amended Regulation S-P in May 2024, updating the Safeguards Rule for the first time in over two decades. The amended rule requires firms to implement "administrative, technical and physical safeguards" that are "reasonably designed to ensure the security and confidentiality of customer information."
Large RIAs (those with $1.5 billion or more in assets under management) had to comply by December 3, 2025. Smaller RIAs had until June 3, 2026. Both dates have now passed. The SEC has announced that its FY 2026 examination priorities include cybersecurity controls, AI-related risks, and operational resiliency, with Reg S-P named explicitly. Translation: they are here.
The rule does not prescribe a specific technology stack. Instead, it requires you to conduct a risk assessment and implement controls appropriate to your firm's size, complexity, and the sensitivity of the data you handle. That said, examination findings and enforcement actions make it clear what "reasonable" looks like in practice.
Here are the eight control areas you need to address.
1. Encryption
What the SEC expects: Client data must be encrypted both at rest (stored on devices, servers, and backups) and in transit (moving across networks).
The minimum you need:
- At rest: AES-256 encryption on all devices that store client data. This includes laptops, desktops, external drives, USB drives, and backup media. Most modern operating systems support full-disk encryption natively: BitLocker on Windows, FileVault on macOS.
- In transit: TLS 1.2 or higher for all web-based systems, email transmission, and file transfers. If your email provider still supports TLS 1.0 or 1.1, that is a finding waiting to happen.
- Cloud storage: Verify your cloud provider encrypts data at rest by default. Most do (AWS, Azure, Google Cloud all use AES-256), but you need to confirm it and document the verification.
- Email: Use a provider that supports TLS for server-to-server email delivery. For sensitive client communications, consider end-to-end encrypted email or a secure client portal.
Budget-friendly approach: BitLocker and FileVault are free. TLS is standard on any modern email provider (Microsoft 365, Google Workspace). The cost here is configuration time, not software. Block unencrypted USB drives via Group Policy or MDM. Total cost for a small firm: $0 to $50 per month for an MDM tool.
2. Multi-Factor Authentication
What the SEC expects: MFA on every system that accesses, stores, or transmits client data. This is the single most-cited deficiency in SEC cybersecurity examinations.
The minimum you need:
- MFA on your custodian portal (Schwab, Fidelity, Pershing)
- MFA on your CRM (Redtail, Wealthbox, Salesforce)
- MFA on email (Microsoft 365, Google Workspace)
- MFA on cloud storage and file sharing
- MFA on your portfolio management system
- MFA on remote desktop or VPN connections
Types of MFA, ranked by security:
- Hardware security keys (YubiKey, Titan): Best protection. Phishing-resistant. About $50 per key.
- Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy): Good protection. Free. The SEC considers these acceptable.
- SMS codes: Better than nothing, but vulnerable to SIM-swapping attacks. The SEC has not explicitly banned SMS-based MFA, but examiners have flagged it as a weakness. Use authenticator apps instead where possible.
Budget-friendly approach: Authenticator apps cost nothing. Most business software includes MFA at no extra charge; you just have to turn it on. A Saturday afternoon enabling MFA across all your systems is one of the highest-value compliance activities you can do.
3. Access Controls
What the SEC expects: The principle of least privilege. Every person gets access only to the data and systems they need for their specific role.
The minimum you need:
- Unique user IDs for every person. No shared logins. No "office" accounts. Every action must be traceable to an individual.
- Role-based access control (RBAC): Define roles (advisor, operations, compliance, admin) and assign permissions by role. Your paraplanner does not need access to the trading platform. Your receptionist does not need access to client Social Security numbers.
- Regular access reviews: Audit who has access to what, at minimum annually. Quarterly is better. Remove access immediately when someone leaves the firm or changes roles.
- Password policies: Minimum 12 characters, complexity requirements, no password reuse. Consider a business password manager (1Password Business, Dashlane Business) to make this practical.
- Privileged access management: Admin accounts should be separate from daily-use accounts. If you are the firm owner and also the IT admin, use different credentials for each role.
Budget-friendly approach: Most cloud platforms (Microsoft 365, Google Workspace) include role-based access controls in their business plans. A password manager runs $5 to $8 per user per month. The real cost is the time to document your roles and permissions, which you need to do anyway for your four required Reg S-P documents.
4. Patch Management
What the SEC expects: A documented process for applying security updates to all software and operating systems. "We update when we remember" is not a process.
The minimum you need:
- Critical security patches: Applied within 14 days of release. Critical means the vendor rates it as critical or high severity, or CISA adds it to the Known Exploited Vulnerabilities catalog.
- Routine patches: Applied within 30 days of release.
- End-of-life software: If the vendor no longer issues security updates, you must migrate off it. Running Windows 10 after October 2025 without Extended Security Updates is a compliance gap.
- Documentation: Keep records of what was patched and when. A simple spreadsheet works. An RMM tool is better.
Budget-friendly approach: Enable automatic updates on Windows and macOS. For a firm with fewer than 10 devices, that covers 80% of the requirement. If you want centralized visibility, a remote monitoring and management (RMM) tool like NinjaOne or Datto starts around $3 per device per month.
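One way to turn the patch spreadsheet into an SLA check is shown below. This is an added example, not code from the original article or from RegShield; the patch records, dates, and the `REVIEW_DATE` are constructed for illustration, and the 14-day and 30-day clocks are the thresholds stated above.

```python
from datetime import date

CRITICAL_SLA_DAYS = 14   # vendor critical/high rating, or listed in the CISA KEV catalog
ROUTINE_SLA_DAYS = 30    # everything else

# Constructed patch log in the spreadsheet layout suggested above:
# (software, vendor severity, in CISA KEV?, released, applied or None).
# Names and dates are made up for this example.
PATCH_LOG = [
    ("Windows 11 cumulative", "critical", False, date(2026, 5, 5),  date(2026, 5, 12)),
    ("Office 365 apps",       "moderate", True,  date(2026, 5, 10), date(2026, 6, 1)),
    ("Chrome browser",        "high",     False, date(2026, 5, 20), None),
    ("Adobe Acrobat",         "low",      False, date(2026, 5, 1),  date(2026, 5, 25)),
    ("macOS Sonoma",          "moderate", False, date(2026, 4, 15), None),
]
REVIEW_DATE = date(2026, 6, 10)  # the day the review is run (constructed)

def sla_days(severity, in_kev):
    """A KEV listing or a critical/high vendor rating puts the patch on the 14-day clock."""
    if in_kev or severity in ("critical", "high"):
        return CRITICAL_SLA_DAYS
    return ROUTINE_SLA_DAYS

def check_patches(records, today):
    """Return (software, status, days past SLA) for every record that missed its window.

    'late'    = applied, but after the allowed number of days
    'overdue' = still not applied and already past the allowed number of days
    """
    exceptions = []
    for name, severity, in_kev, released, applied in records:
        allowed = sla_days(severity, in_kev)
        if applied is None:
            age = (today - released).days
            if age > allowed:
                exceptions.append((name, "overdue", age - allowed))
        else:
            taken = (applied - released).days
            if taken > allowed:
                exceptions.append((name, "late", taken - allowed))
    return exceptions

if __name__ == "__main__":
    for software, status, days in check_patches(PATCH_LOG, REVIEW_DATE):
        print(f"{software}: {status} by {days} day(s)")
```

Anything the function returns is exactly the list an examiner would ask you to explain, so keep the output alongside the spreadsheet as part of the patch record.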
5. Network Security
What the SEC expects: Your network should prevent unauthorized access to client data.
The minimum you need:
- Firewall: A business-grade firewall between your network and the internet. Consumer-grade routers from your ISP are not sufficient. A Ubiquiti Dream Machine or Fortinet FortiGate entry-level appliance costs $200 to $500.
- Network segmentation: Guest Wi-Fi must be isolated from your business network. Client data systems should ideally sit on their own VLAN, separate from general office traffic.
- VPN for remote access: If employees work remotely or access client data from home, they must connect through a VPN or use a zero-trust network access solution. No accessing client data over coffee-shop Wi-Fi without encryption.
- Wireless security: WPA3 (or at minimum WPA2-Enterprise) on all wireless networks. No open or WEP networks anywhere in your office.
Budget-friendly approach: For a firm under 15 people, a Ubiquiti UniFi setup provides enterprise-grade networking (firewall, VLANs, VPN, wireless) for under $1,000 total hardware cost. Cloud-based VPN services like Tailscale offer free tiers for small teams.
6. Endpoint Protection
What the SEC expects: Anti-malware and threat detection on every device that touches client data. This includes employee-owned devices if you allow BYOD.
The minimum you need:
- Anti-malware software: On every workstation and server. Windows Defender (built into Windows 11) is acceptable for small firms when properly configured with cloud-delivered protection enabled.
- Endpoint detection and response (EDR): A step beyond basic antivirus. EDR tools monitor for suspicious behavior, not just known malware signatures. Options like SentinelOne, CrowdStrike, or Microsoft Defender for Business provide this capability.
- BYOD policy: If employees use personal devices for work, you need a written policy covering minimum security requirements: device encryption, screen lock, anti-malware, remote wipe capability, and prohibited activities.
- Mobile device management (MDM): For firms that issue company devices or allow BYOD, an MDM solution lets you enforce security policies remotely. Microsoft Intune is included with Microsoft 365 Business Premium.
Budget-friendly approach: Windows Defender is free and scores well in independent testing. Microsoft 365 Business Premium ($22 per user per month) includes Defender for Business (EDR), Intune (MDM), and Azure AD Premium for conditional access policies. For a five-person firm, that is $110 per month for endpoint protection, device management, and identity security bundled together.
7. Logging and Monitoring
What the SEC expects: You must maintain audit logs of who accessed client data, when, and what they did. The amended rule requires a minimum five-year retention period for records related to your information security program.
The minimum you need:
- Access logs: Record every login, logout, failed login attempt, and file access for systems containing client data. Most business software generates these logs; you just need to make sure they are turned on and retained.
- Log retention: Five years minimum. Configure your systems to retain logs for this period or export logs to a separate storage system. Cloud storage for log archives is cheap (pennies per gigabyte per month).
- Regular review: Someone at your firm must actually look at the logs. At minimum, review access logs monthly for anomalies: logins at unusual times, access from unexpected locations, multiple failed login attempts. Document these reviews.
- Alerting: Configure alerts for high-risk events: admin account logins, access from new devices or locations, multiple failed authentication attempts. Most identity providers (Azure AD, Google Workspace) include basic alerting.
Budget-friendly approach: The logging capabilities built into Microsoft 365 and Google Workspace cover most small firms. For the five-year retention requirement, export logs quarterly to a cloud storage bucket (Azure Blob, AWS S3, or even a Google Drive folder). The gap most firms have is not generating logs; it is retaining them long enough and actually reviewing them.
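The monthly review described above can be partly scripted. The following is an added example, not code from the original article or from RegShield: it runs the three checks named above (repeated failed logins, off-hours logins, logins from a location not previously seen for that user) over a constructed log export; the log lines, user names, countries, business-hours window and failure threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp, user, event, source country.
# Most identity providers can be flattened to this shape; no real data here.
SAMPLE_LOG = """\
2026-06-01T09:02:11 alice login_success US
2026-06-01T09:05:40 bob login_success US
2026-06-02T02:14:03 alice login_success US
2026-06-02T10:00:00 carol login_failed US
2026-06-02T10:00:20 carol login_failed US
2026-06-02T10:00:41 carol login_failed US
2026-06-02T10:01:02 carol login_failed US
2026-06-02T10:01:25 carol login_failed US
2026-06-03T11:30:00 bob login_success RO
"""
# Locations already on file for each user before this month (constructed).
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time; assumption for this firm
FAILED_THRESHOLD = 5           # failures per user per day that warrant a look

def parse(text):
    """Turn the flat export into (timestamp, user, event, country) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, event, country = line.split()
        rows.append((datetime.fromisoformat(ts), user, event, country))
    return rows

def review(text, known_locations):
    """Return (finding, user, detail) for each anomaly the monthly review should note."""
    findings = []
    failures = defaultdict(int)
    seen = {user: set(locs) for user, locs in known_locations.items()}
    for ts, user, event, country in parse(text):
        if event == "login_failed":
            key = (user, ts.date())
            failures[key] += 1
            if failures[key] == FAILED_THRESHOLD:   # report once per user per day
                findings.append(("repeated_failures", user, str(ts.date())))
            continue
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", user, ts.isoformat()))
        if country not in seen.setdefault(user, set()):
            findings.append(("new_location", user, country))
            seen[user].add(country)  # only the first sighting is an anomaly
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, KNOWN_LOCATIONS):
        print(finding)
```

Save the returned list with the date of the review; the page's point is that the review must be documented, and an empty list is still a record that the review happened.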
8. Employee Training
What the SEC expects: Annual cybersecurity awareness training for all employees. Document who completed it and when.
The minimum you need:
- Annual training: Cover phishing identification, password hygiene, social engineering, data handling procedures, and incident reporting. Every employee, including the firm owner.
- Phishing simulations: Send simulated phishing emails at least quarterly. Track who clicks. Provide additional training for repeat clickers. This is one of the first things examiners ask about.
- New hire training: Cybersecurity training within the first week of employment, before they get access to client data systems.
- Documentation: Maintain records of training dates, content covered, and completion by each employee. Sign-off sheets or LMS completion records both work.
- Policy acknowledgment: Employees should sign an acknowledgment of your information security policies annually.
Budget-friendly approach: KnowBe4 offers a plan for small businesses starting around $10 per user per month that includes training modules and phishing simulations. Free alternatives exist (Curricula offers a free tier), but the paid options provide better documentation and reporting for examiner requests.
Common Mistakes That Trigger SEC Findings
Policies without implementation. Having a 40-page cybersecurity policy that nobody follows is worse than having a five-page policy that you actually execute. Examiners compare what your policies say against what your systems show. The gap between the two is where enforcement actions live.
Ignoring vendor risk. Your cybersecurity is only as strong as your weakest vendor. If your cloud CRM gets breached because they had poor security, you are still responsible for the client notification. See our vendor management requirements guide for what the SEC expects here.
No incident response testing. Having an incident response plan is required. But the SEC also expects you to test it. Run at least one tabletop exercise per year. Document the results and any improvements you made.
Incomplete asset inventory. You cannot protect what you do not know about. Maintain a current list of every device, application, and cloud service that stores or processes client data.
Treating compliance as a one-time project. The amended rule requires ongoing monitoring and periodic review. Standing everything up once and never touching it again will not pass an exam. Fold Reg S-P into your mandatory annual Rule 206(4)-7 written compliance review so the controls stay current.
Your Catch-Up Action Plan
If your firm is not yet compliant, here is the priority order. Work through it in sequence, not all at once.
First: Enable MFA everywhere. Start full-disk encryption on all devices. Document your current controls in a written information security program.
Next: Conduct access reviews and remove unnecessary permissions. Set up audit logging and configure log retention. Run your first employee training session.
Then: Review vendor security. Verify network security controls. Run a phishing simulation. Test your incident response plan.
Finally: Documentation review. Ensure all policies are signed, training records are filed, and your four required documents are complete and current.
Most of these controls should already be in place. The rule is in force, so "late" still beats "non-compliant," and every day of delay adds exam exposure. For a look at what enforcement looks like for non-compliant firms, read our enforcement guide.
Get Compliant Now
RegShield generates your complete Reg S-P compliance documentation, including your written information security program, incident response plan, vendor oversight policies, and breach notification procedures, all tailored to your firm's size and setup. It costs less than a single hour of compliance consulting.
Check your readiness with our free compliance assessment, or get started with RegShield to have your documents ready in under an hour.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.