SEC Shares Amended Reg S-P Initial Document Request List

On January 22, 2026, the SEC held its final webinar on Amended Regulation S-P. This webinar focused on compliance issues for smaller entities with less than $1.5 billion in assets under management. Staff from the Division of Examinations, among others, reviewed the requirements of Amended Regulation S-P, provided an overview of how an exam on Amended Regulation S-P would be run, and shared a mock examination exercise in an effort to help advisers further understand how they should prepare for compliance.

This is yet another reminder that this amended rule is a top priority of the SEC. Firms of all sizes should ensure compliance with these requirements. Larger entities had a compliance deadline of Dec. 3, 2025, and smaller entities have a compliance deadline of June 3, 2026.


Initial Document Request List

In the webinar, the SEC spelled out the following items that will be included in its initial document request:

  • Written Policies and Procedures addressing administrative, technical, and physical safeguards for the protection of customer information. Must include an Incident Response Plan and procedures for Vendor Management.
  • Information technology managed service provider contract
  • Risk Assessment related to technology/cybersecurity risk, controls, threats, vulnerabilities
  • Incident Response Specific Requests
    • Incident Response Plan
      • Policies and Procedures that document registrant program to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures
      • Listing of staff, vendors, contractors, or other persons responsible for incident response activities
      • Listing of all tools that facilitate detection and monitoring of registrant’s network environment
    • Reports or supporting documentation that confirms monitoring of information systems, networks, and personnel activity to detect incidents
    • If registrant suffered a security incident during review period, provide documentation demonstrating their incident response program steps were followed for each incident

Risk Assessment and Data Mapping

Two other key subjects in the webinar were the importance of a thorough risk assessment and data mapping exercise. Although not included in the amended rule, the SEC reinforced the importance of firms conducting a thorough risk assessment. While many frameworks are acceptable, the SEC highlighted the NIST cybersecurity framework and reminded advisers to take into account their services, office space, and network footprint as part of the assessment.

Another consideration not formally included in the amended rule, but one the SEC may ask about during an exam, is the documentation of data location. Understanding where data is located allows a firm to ensure data is properly secured, the firm is maintaining adequate vendor oversight, and the firm can meet incident response obligations.


What does this mean for me?

This webinar sends a couple of clear messages. First, Amended Regulation S-P remains a priority, and the SEC is prepared to conduct exams on the items outlined in its mock exam list.

Second, although several cyber-related items are not included in a formal rule, the SEC still sees them as best practices, and they could very well appear on an examination request list. Advisers would be wise to build out and maintain a comprehensive cybersecurity program that meets these expectations.

Our team of SEC cyber experts builds and maintains comprehensive, sound cybersecurity programs for RIAs, including offering full support for all aspects of Amended Regulation S-P. Contact us today to get started.