By: E.J Yerzak

If you missed the SEC’s January Compliance Outreach on Regulation S-P, now is the time to catch up. The Commission has released the full recording, and while the session was billed as guidance for smaller firms, the message was unmistakable: cybersecurity and vendor oversight are now front and center in SEC examinations, regardless of firm size. 

With larger firms already required to comply with the amended Regulation S-P by December 2025, and smaller advisers facing a fast-approaching deadline of June 2026, SEC staff offered a rare, practical look into how they plan to examine cybersecurity programs in the coming months. The takeaway is clear: the SEC is no longer satisfied with paper policies. It wants evidence that your cybersecurity program is operational, tested, owned, and overseen by clearly defined individuals.

Below are the most important insights RIAs should be acting on now. 

During the Compliance Outreach session, SEC staff described several of the items they are frequently requesting during regulatory examinations. The new requests include the following: 

  • Your Compliance Manual 
  • Written cybersecurity policies and procedures addressing administrative, technical, and physical safeguards  
  • Managed Service Provider (MSP) contracts 
  • Organizational charts  
  • A list of all staff, vendors, contractors, or other persons responsible for incident response activities 
  • Cybersecurity risk assessments  
  • A formal incident response plan (including customer notification procedures) 
  • A list of security tools for detection and monitoring 
  • Evidence that monitoring is functioning 
  • If applicable, documentation showing incident response steps were followed for security incidents 

What’s telling is not just what the SEC is requesting, but why. Examiners are looking to confirm who is responsible for handling incidents as well as how incidents are managed. They aren’t simply asking what tools you use or what your policies say. They want proof that your tools are enabled, monitored, and effective, and that written procedures are being followed in real-world situations. 

In short, paying lip service to cybersecurity controls without backing them up with risk assessments and evidence of effective monitoring is unlikely to pass an exam anymore.  

The SEC also outlined the roles its staff expect to interview during Reg. S-P examinations, including:

  • Chief Compliance Officer (CCO) 
  • Chief Information Officer (CIO) 
  • Chief Technology Officer (CTO) 
  • Outsourced Information Technology Staff 

For many smaller RIAs, this may sound unrealistic, especially since individuals at smaller firms often wear multiple hats. However, the SEC’s request for a detailed organizational chart along with cyber policies strongly suggests that it is less concerned with job titles and more focused on how responsibilities are structured and overseen. 

Investment advisers aren’t expected to be experts at everything. Firms can outsource a function, but they retain fiduciary responsibility to their clients for it. As one panelist noted, “having someone who understands the products, understands the technology solutions that can protect your environment is critical… it’s always helpful to have a third-party objective person who is knowledgeable” and that “having a third-party…that can validate what your [MSP] vendor is doing is helpful.”

The Compliance Outreach event also previewed specific questions examiners have in mind when they visit your firm:

  1. How do you ingest, utilize, and decommission customer data?
  2. If you’re using Microsoft 365, do you have Data Loss Prevention (DLP) in place? Have you actually enabled the control or module, or have DLP controls not been turned on yet?
  3. If you’re using a custodian, do clients register with that custodian directly? How do the custodians get the client data?
  4. If you leverage a CRM or other cloud-based platforms to store customer information, how do you monitor access controls to that cloud-based platform?
  5. Do you know how data flows within your organization?
  6. What oversight do you have over your service provider? Does your agreement give you authority to request status updates?
  7. What logs do you maintain regarding access and detection, and how long do you retain logs?

The above questions aren’t just theoretical or high-level policy inquiries. They are designed to test how well cybersecurity is integrated into day-to-day operations and not just addressed as a checkbox during annual reviews. 

Finally, in response to an audience question, the SEC clarified that private fund advisers are not automatically exempt from incident response requirements.

Under the Gramm-Leach-Bliley Act (GLBA), private funds are “financial institutions” and fall within the FTC’s jurisdiction. The FTC has its own Safeguards Rule. However, when those private funds obtain data about individuals and provide that information to the registered adviser to those funds, the adviser now has access to customer data from a financial institution, bringing the adviser within the scope of the SEC’s Regulation S-P. 

The SEC has made its examination priorities for 2026 unmistakable. Cybersecurity is no longer a niche topic in exams. It is now a core examination focus. For smaller firms in particular, the window to prepare is closing fast.