Most RIAs do not fail Reg S-P exams because they ignored the rule. They fail because their documentation does not hold up when an examiner opens the file.

During an exam, an SEC examiner is not going to hack your network to see if it is secure. They are going to ask for your documents.

If you are trying to check the box with a generic template you downloaded for free, read this first.

Reg S-P requires a written information security program. That program is not a single document. It is five distinct deliverables, each with its own content requirements, each reviewed separately during an exam. A firm that has three of the five complete and two that are placeholder text is not “mostly compliant.” It is non-compliant in two areas.

Here is what each document must contain, and what an examiner concludes when they see the most common failure modes.


Document 1: The Written Information Security Program (WISP)

What It Is

The WISP is the governing document for your entire Reg S-P compliance program. It is not a policy memo or a procedural checklist. It is the framework that connects every other document in this list into a coherent, defensible program.

What It Must Contain

The WISP must identify the categories of customer information your firm collects and maintains, the specific risks to that information, and the administrative, technical, and physical safeguards your firm has implemented to address those risks. It must name responsible parties — not departments, not job titles in the abstract, but individuals with accountability. It must address vendor oversight, because Reg S-P holds the firm responsible for how third-party service providers handle customer data. And it must be reviewed and approved at the senior level on a documented, recurring schedule.

What an Examiner Thinks When They See This Gap

When a WISP is generic — when it reads like it was drafted for any firm in any industry with any risk profile — the examiner’s read is that no one at the firm actually analyzed their specific data environment. Generic language means the document was never operationalized. If the WISP says “we use encryption” but does not specify what is encrypted, at what layer, and under whose oversight, the examiner treats that as a gap, not a safeguard. A WISP that could belong to a 500-person broker-dealer is not an acceptable WISP for a 3-person RIA. The examiner knows the difference.


Document 2: The Incident Response Plan (IRP)

What It Is

The IRP is your documented process for detecting, containing, and responding to a security breach involving customer information. Under the amended Reg S-P rules, it is also the document that governs your 30-day customer notification obligation.

What It Must Contain

The IRP must define what constitutes a reportable incident under your program, who is responsible for each stage of the response (detection, containment, assessment, notification, remediation), how you determine whether customer notification is required, and how notification is executed within the 30-day window. It must include escalation paths and contact trees. A plan that says “the CCO will be notified of any breach” is not sufficient if you have no CCO. The IRP must reflect your actual organizational structure, not an assumed one.

What an Examiner Thinks When They See This Gap

An IRP without a notification workflow is the most common gap examiners find in this document. When the examiner sees a response plan that addresses containment but not notification, they flag it immediately — because the 30-day customer notification requirement is the headline enforcement provision of the amended rule. If your IRP does not have a clear, step-by-step notification procedure with responsible parties and timing triggers, the examiner concludes that your firm has not actually thought through how it would handle a real breach. They are right.


Document 3: The Updated Privacy Notice

What It Is

The annual privacy notice required by Reg S-P must be updated to reflect the firm’s current data practices and, where applicable, to align with Form ADV Part 2B disclosures. This is not a legacy document you update every few years. It is a living disclosure that must track your actual information sharing practices.

Note on Form ADV Part 2B alignment: Examiners cross-reference your privacy notice against your ADV Part 2B. Inconsistencies between what the notice says and what the ADV discloses are a separate finding, not a technicality.

What It Must Contain

The notice must describe what categories of customer information you collect, how you use it, with whom you share it, and under what circumstances. It must reflect opt-out rights accurately and completely. If your data practices have changed — a new custodian, a new portfolio management platform, a new CRM — the notice must reflect those changes before the next annual delivery, not at some future update cycle.

What an Examiner Thinks When They See This Gap

A privacy notice that was last updated in 2021 signals to the examiner that no one is actively managing it. They will pull your current vendor list, your current ADV, and your current notice and compare them side by side. If you added a new technology vendor in 2023 but your notice still describes a data environment from 2021, that is a material gap. The examiner’s view is that the firm does not have a living compliance program — it has a document that was filed once and forgotten.


Document 4: The Vendor Oversight Program

What It Is

Reg S-P explicitly holds covered institutions responsible for the data practices of their service providers. The Vendor Oversight Program is your documented system for vetting, contracting with, and monitoring the third parties who have access to customer information.

What It Must Contain

The program must include a process for assessing a vendor’s security posture before engagement, minimum contractual requirements (including data handling standards, breach notification obligations, and audit rights), and an ongoing monitoring process for vendors with access to sensitive customer data. It must also address what happens when a vendor relationship ends — specifically, how customer data is retrieved or destroyed, and how that destruction is documented.

What an Examiner Thinks When They See This Gap

Vendor oversight is where examiners find the most undefended exposure. When a firm cannot produce vendor contracts with data security addenda, the examiner knows the firm has outsourced both its operations and its risk management without retaining any contractual protection. A custodian agreement that does not specify breach notification timelines means the firm could be the last to know about a breach involving its own customers’ data. The examiner’s conclusion is not just a documentation gap — it is a signal that the firm’s risk awareness stops at its own perimeter.


Document 5: The Recordkeeping Framework

What It Is

A documented system for retaining all Reg S-P compliance records for six years. This document is what allows your firm to prove its program was operational — not just that policies existed on paper.

What It Must Contain

The framework must specify which records are retained, where they live, how they are organized, and how they can be retrieved for production during an exam. Records include: incident logs, vendor contracts and addenda, privacy notices with delivery records, IRP testing documentation, training records, and customer notification records from any breach. Each category must have a named custodian and a defined retention schedule. The framework is not a folder on a shared drive. It is a documented system with accountability and retrievability built in.

What an Examiner Thinks When They See This Gap

A firm without a recordkeeping framework cannot prove its compliance program ever existed operationally. The examiner’s finding is not “records missing” — it is “program non-operational.” You can have the world’s best IRP on paper; if you cannot prove you tested it, trained on it, or applied it, it is a decoration. Recordkeeping gaps convert every other documentation gap from a correctable deficiency into evidence of a pattern. When the examiner cannot pull records, they assume the worst about everything else.


What Five Complete Documents Actually Look Like

Each of these documents must be firm-specific. An examiner who reviews dozens of RIA compliance programs a year can identify a template in the first paragraph. Template language is not evidence of a working program. It is evidence that a program was assembled to satisfy a checklist, not to actually protect customer data.

The examiner’s standard is not whether the documents exist. It is whether the documents describe what your firm actually does, with your actual systems, with your actual people responsible for your actual risks.

All five documents, firm-specific and exam-ready, in 3 business days. See what a complete Reg S-P compliance package includes.
