Regulation S-P Amendments for Smaller Firms

Document Release List and Exam Readiness Considerations

With the June 3, 2026, compliance date for smaller entities approaching, firms are increasingly focused on whether their programs align with the requirements introduced under the 2024 amendments to Regulation S-P.

Many firms are evaluating whether they can demonstrate how customer information is safeguarded, how incidents are handled, and how third-party relationships are governed. While these expectations are not new in concept, firms are expected to face greater scrutiny during examinations in these areas.

The SEC has provided guidance on areas of focus in examinations, including policies and procedures, internal controls, vendor oversight, and incident response capabilities. In this context, firms should be prepared not only to provide documentation, but also to explain how their programs operate in practice.

What an SEC Exam Is Likely To Focus On

Examination staff are expected to ask for documentation around how the firm safeguards customer information, detects and responds to incidents, and oversees third-party service providers. These areas are often evaluated through specific documentation requests and follow-up discussions.

1. Detection and Prevention Controls

Examination staff may request an overview of the firm’s controls designed to detect and prevent unauthorized access to or use of customer information, including:

  • Examples of system-generated alerts, monitoring reports, or exception logs.
  • A list of tools and systems used to monitor networks and user activity.
  • Documentation demonstrating how monitoring activities are performed and reviewed.

The focus is generally not on prescribing specific detection technologies or controls, but on understanding whether the firm has a defined and reasonable approach to identifying and escalating potential issues.

2. Customer Information Protection and Data Governance

Staff may request information on security policies and procedures, including documentation relating to:

  • Data governance frameworks
  • Data inventory and data mapping
  • Data classification, including sensitivity or risk levels and associated controls
  • Safeguards for protecting customer information
  • Data retention and disposal practices

In addition, firms may be asked to provide organizational charts to clarify roles and responsibilities across compliance, IT, and operations. These materials are used to assess whether the firm can clearly describe what customer information it maintains, where it resides, how it is classified, and how it is protected.

3. Risk Assessment and Risk Matrix

Examination staff may request documentation demonstrating how the firm assesses and manages cybersecurity and technology-related risks, including:

  • Formal risk assessments that address threats, vulnerabilities, and controls.
  • Risk matrices or similar frameworks that evaluate and prioritize risks.
  • Documentation showing how identified risks are mitigated or monitored over time.

This allows staff to assess whether the firm has a structured approach to identifying and managing risks related to customer information.

4. Vendor and Service Provider Oversight

Where third parties are involved, examination requests may include:

  • Vendor inventories identifying where customer information is stored or processed.
  • Due diligence documentation and monitoring records.
  • Contracts or agreements, including IT Managed Services Provider (MSP) arrangements.
  • Contractual provisions related to data protection, data destruction, audit rights, and incident notification.

This helps staff to assess whether the firm has visibility into third-party relationships and whether contractual and oversight mechanisms align with how customers’ information is handled.

5. Incident Response

Firms may be asked to provide incident response documentation and supporting materials, including:

  • Incident Response Plans (IRPs) and related policies and procedures
  • Documentation describing how the firm detects, responds to, and recovers from unauthorized access to customer information
  • Incident assessment and classification frameworks
  • Evidence of testing, such as tabletop exercises
  • Defined roles and responsibilities, including listings of personnel, vendors, or other parties involved in incident response, supported by organizational charts (where applicable)
  • Records of past incidents, including documentation demonstrating how incidents were identified, escalated, investigated, and resolved, and whether response procedures were followed

Examination staff may also request that firms walk through how an incident involving customers’ information would be handled in practice, including how decisions regarding customers would be made.

A Practical Readiness Check

As firms prepare for the smaller entity compliance date, one useful approach is to assess whether key elements of the program would withstand examination scrutiny.

At a high level, firms may consider whether they can answer “yes” to questions such as:

1. Detection and Prevention Controls
  • Are there defined controls to detect unauthorized access to customer information?
  • Can the firm produce alerts, reports, or other evidence demonstrating how monitoring operates in practice?
2. Customer Information Protection and Data Governance
  • Can the firm clearly describe what customer information it maintains, where it resides, and how it is classified?
  • Are controls applied based on the sensitivity or risk level of the data?
  • Does the firm have a clear understanding of how the data flows across systems or third parties?
3. Risk Assessment
  • Does the firm perform formal risk assessments related to cybersecurity and customer information?
  • Is there a defined method (e.g., a risk matrix) to evaluate and prioritize risks?
4. Vendor and Service Provider Oversight
  • Does the firm maintain visibility into which third parties handle customer information?
  • Are vendor due diligence, monitoring, and contractual protections documented for third parties handling customer information?
  • Are there appropriate expectations in place regarding data protection and incident notification?
5. Incident Response
  • Are there defined processes to identify, assess, and escalate incidents involving customer information?
  • Can the firm explain how an incident would be handled in practice, including decision-making around customer notification?
6. Evidence and Documentation
  • Could the firm produce supporting documentation that reflects how controls operate in practice?
  • Is there consistency between policies, contracts, and day-to-day operations?

The amended Regulation S-P introduces more explicit expectations around safeguarding customer information, incident response, and third-party oversight. While policies and procedures remain foundational, examinations are likely to assess how those controls are implemented, maintained, and reflected in day-to-day operations. Firms that rely on generic templates, incomplete vendor oversight, or untested incident response processes may face increased scrutiny during an examination.

Smaller firms should be working now to prepare for the upcoming compliance date.

How to Prepare Before the Deadline

With the June 3, 2026, compliance date approaching, firms should evaluate whether their programs would withstand examination scrutiny, not just on paper, but in practice.

A focused readiness review can help identify gaps in documentation, control execution, vendor oversight, and incident response before they are tested in a live exam.

ACA can support your preparation by helping you:

  • Assess alignment with amended Regulation S-P requirements
  • Validate that controls are operating as designed
  • Identify gaps across data governance, vendor oversight, and incident response
  • Strengthen documentation and exam readiness

Don’t wait until an examination to uncover issues.

Connect with our team to assess your readiness ahead of the compliance date.