The amended Regulation S-P is in force for every SEC-registered adviser, and the Division of Examinations has named it a fiscal year 2026 examination priority. This guide walks through what examiners actually request, the deficiencies they cite most often, and how to get your firm exam-ready before the request list arrives.
An SEC examination is not a pop quiz on the rule text. It is a documentary exercise. Examiners ask for specific records, compare what the documents say against what your firm actually does, and write up every gap they find. Firms that pass do so for an unglamorous reason: they can produce current, firm-specific documentation quickly, and that documentation matches reality.
That standard is now being applied to Regulation S-P. The compliance dates passed in December 2025 for larger entities and June 2026 for smaller entities, so there is no grace period left to point to. What matters now is whether your safeguards exist, work, and are documented.
Why Reg S-P Exams Are Happening Now
Three things converged to put Reg S-P at the top of the examination agenda:
- The rule is fully in force. The amendments adopted in May 2024 (Release No. 34-100155) now apply to every SEC-registered adviser, regardless of size. Examiners no longer need to ask whether you are required to comply. Everyone is.
- It is a named FY2026 priority. The Division of Examinations publishes its priorities each year, and the amended Reg S-P safeguards appear in the FY2026 list. Priorities translate directly into document request items.
- Customer data incidents keep happening. Breaches involving advisory firms and their vendors are exactly the harm the amended rule was designed to address, which makes it an easy area for examiners to justify probing deeply.
For small firms, there is an uncomfortable corollary. Examiners know that larger firms had an earlier compliance date and more resources. The firms most likely to have gaps now are smaller advisers who treated the June 2026 date as the finish line rather than the starting line.
The Reg S-P Document Request List
When an exam begins, you receive a notification and an initial document request list. Based on what the amended rule requires, the Reg S-P portion of that list will typically include:
- Your written incident response program, including procedures for assessing the nature and scope of an incident, containing it, and notifying affected individuals.
- Service provider oversight documentation: your vendor inventory, due diligence records, and the contractual or monitoring safeguards for each provider with access to customer information.
- Breach notification procedures and templates, with evidence you can meet the 30-day notification standard after determining sensitive customer information was, or was likely, accessed without authorization.
- Records of any actual incidents during the review period and documentation of how the firm responded.
- Evidence of testing: tabletop exercises, walkthroughs, or other operational tests of the incident response program.
- Your annual compliance review documentation showing Reg S-P was assessed for adequacy and effectiveness under Rule 206(4)-7.
- Records demonstrating retention practices consistent with the rule's recordkeeping requirements.
Read that list twice. The pattern is that roughly half the items are not the policies themselves but evidence that the policies operate. A firm that bought or drafted documents and filed them away can satisfy the first half of the list and fail the second half completely. The four core documents are covered in our guide to the four documents every RIA needs.
The Five Deficiencies Examiners Cite Most
Examination findings in the safeguards area follow a predictable pattern. These are the failure modes to check your own firm against.
1. Generic Policies That Do Not Match the Firm
The most common finding, and the easiest to spot. Policies that reference departments the firm does not have, describe technology the firm does not use, or assign responsibilities to roles that do not exist. Examiners read these as evidence the firm never operationalized its program. A two-person RIA whose incident response plan references a "Security Operations Center" has told the examiner everything they need to know.
2. No Evidence of Testing
A written incident response program with no record of ever being exercised is presumed ineffective. The fix is cheap: run a tabletop exercise once a year, document who attended, what scenario you walked through, and what you changed afterward. Our incident response plan guide includes how to structure one.
3. Stale or Missing Vendor Oversight
Examiners compare your vendor inventory against reality: the custodian, the CRM, the email provider, the portfolio management system, the IT contractor. Vendors added since the policies were written, or oversight files that contain nothing beyond a signed contract, are routine findings. What the rule expects is covered in our vendor management requirements guide.
4. Notification Procedures That Cannot Meet the Clock
The 30-day customer notification standard is concrete, which makes it easy to examine. If your procedures do not identify who decides that notification is required, who drafts and sends it, and how you locate affected customers, the procedure fails on paper before any incident tests it in practice.
5. Recordkeeping Gaps
The quiet deficiency. The firm did the work but cannot produce the records: no dated annual review summary, no incident log, no retained copies of prior policy versions. In an exam, work you cannot document is work that did not happen.
How the Exam Unfolds
A typical examination follows a recognizable arc:
- Notification and request list. You usually have one to two weeks to produce the initial documents. Speed and completeness of production set the tone for everything that follows.
- Staff review and follow-up requests. Examiners compare documents against each other and against your Form ADV. Inconsistencies generate follow-up questions.
- Interviews. Examiners speak with the CCO and relevant staff. A classic technique is asking an employee to describe what they would do during a data incident and comparing the answer to the written plan.
- Exit and findings. The exam concludes with either no findings, an exit interview describing issues, or a deficiency letter.
- Deficiency letter response. You generally have 30 days to respond in writing with corrective actions. Serious or repeated findings can be referred to the Division of Enforcement. For what that escalation looks like, see our analysis of SEC enforcement after the Reg S-P deadline.
Getting Exam-Ready in 30 Days
If you received a request list today, could you respond within two weeks? If not, here is the practical sequence:
- Week 1: Close the document gap. If you do not have the four required documents, or have generic templates that do not describe your firm, fix that first. Everything else builds on firm-specific policies.
- Week 2: Build the evidence layer. Run and document a tabletop exercise. Update your vendor inventory and confirm an oversight record exists for each provider with data access. Start an incident log, even if it has zero entries.
- Week 3: Run the annual review. Test your Reg S-P program for adequacy and effectiveness and write the dated summary. Our annual Rule 206(4)-7 review guide gives you the checklist.
- Week 4: Do a mock production. Pull every item on the request list above into one folder and time yourself. Whatever you cannot produce in a day is your remaining exposure.
This sequence works because it mirrors how the exam itself will proceed: documents first, then evidence, then the review trail, then production speed.
The Cost Asymmetry
Preparing for a Reg S-P exam is measured in hours. Failing one is measured in months. A deficiency letter means drafting a formal response, implementing remediation under scrutiny, and potentially a follow-up exam to verify the fixes. An enforcement referral is an order of magnitude worse. Compare that with the cost of getting compliant in the first place, which we break down in our true cost of Reg S-P compliance analysis.
RegShield generates the four required Reg S-P documents tailored to your firm in about fifteen minutes for a one-time $299, backed by a 30-day money-back guarantee. Firm-specific documents will not pass an exam by themselves, but they remove the largest and most commonly cited deficiency, and they make the evidence layer far easier to build because the policies actually describe your firm.
The examiners are not coming with trick questions. They are coming with a checklist. You can read the checklist above. The only question is whether you work through it before they do.
Frequently Asked Questions
Is Reg S-P an SEC examination priority? Yes. The SEC's Division of Examinations named the amended Regulation S-P among its fiscal year 2026 examination priorities. Now that the compliance dates have passed for all SEC-registered advisers, examiners are reviewing whether firms have actually implemented the required safeguards, not just whether documents exist.
What documents will SEC examiners request for Reg S-P? Expect requests for your written incident response program, service provider oversight policies and vendor inventory, breach notification procedures and templates, customer information safeguards, records of any security incidents and the firm's response, evidence that the program has been tested, and documentation of your annual compliance review.
What is a deficiency letter? A deficiency letter is the written summary of findings the SEC staff sends after an examination, identifying rule violations or weaknesses in your compliance program. Firms typically must respond in writing within 30 days describing corrective action. Unaddressed or serious deficiencies can be referred to the Division of Enforcement.
What are the most common Reg S-P deficiencies? The recurring findings are generic policies that do not match the firm's actual operations, incident response programs with no evidence of testing, missing or stale vendor oversight documentation, breach notification procedures that cannot meet the 30-day standard, and recordkeeping gaps where the firm cannot produce required documentation on request.
How long do I have to fix issues found in an SEC exam? Firms are generally asked to respond to a deficiency letter within 30 days, describing the corrective actions taken or planned. Examiners may verify remediation in a follow-up exam, so the response needs to reflect real changes, not just promised ones.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.