Five Documents. Defined Requirements. No Ambiguity.

What do you actually need to have? Under amended Reg S-P, the answer is five specific documents. No more, no less. Here is what each one must contain — and what distinguishes one that passes examination from one that doesn’t.

The compliance deadline for firms under $1.5 billion RAUM is June 3, 2026. The SEC has named Reg S-P incident response plan readiness as an explicit 2026 examination priority.

Document 1: The Written Incident Response Plan (IRP)

What It Is

The Written Incident Response Plan is the centerpiece of Reg S-P compliance. It is a comprehensive, operational document that defines how your firm detects, responds to, contains, and recovers from a data security incident involving customer personal information. “Written” and “plan” are both load-bearing words here — the rule requires a document, not a general orientation, and a plan, not a retrospective description of what you would probably do.

What It Must Contain

A complete, exam-ready IRP addresses these components:

  • Scope and coverage: What types of data and systems the plan covers, including all categories of customer personal information your firm maintains and all systems that store or process that information
  • Detection and identification: How your firm identifies that a security incident has occurred — what monitoring systems, alert mechanisms, and reporting channels exist
  • Classification: How your firm determines the severity of an incident and whether it constitutes a “covered data event” triggering mandatory customer notification obligations
  • Containment procedures: Step-by-step response actions for limiting the scope and impact of an incident in progress
  • Eradication and recovery: Procedures for removing the source of a breach and restoring affected systems to normal operation
  • Internal escalation chain: Named roles (not just generic titles) with specific responsibilities at each stage of incident response
  • External notification obligations: Regulatory reporting requirements, including how and when to notify the SEC, and how to work with law enforcement if applicable
  • Customer notification trigger: The specific threshold that triggers the 30-day customer notification obligation, and the handoff from the IRP to the Customer Notification Procedure
  • Documentation requirements: What must be logged during and after an incident, to whom, and in what format
  • Plan testing and review: How frequently the IRP is tested, how testing results are documented, and the review cycle for updating the plan

How Firm-Specific Customization Works

A compliant IRP is not a generic cybersecurity policy with your firm’s name at the top. It must reference your actual technology stack — the specific platforms and services that process your customers’ data. It must name the specific vendors whose breach notifications will trigger your response procedures. It must describe your actual escalation chain, which in a solo or small RIA may be a single principal who serves as both the responsible party and the incident response team.

A firm-specific IRP requires knowing your actual technology environment — your custodian, CRM, portfolio management software, email platform, and client portal. A generic IRP that says “contact your IT vendor” fails because it doesn’t name the actual vendor.

Document 2: Vendor Oversight Policy with 72-Hour Notification Addenda

What It Is

The Vendor Oversight Policy addresses the requirement that your firm’s service providers — entities with access to or custody of your customers’ personal information — be contractually obligated to notify your firm within 72 hours of discovering a security breach affecting that information. The policy has two components: the written Vendor Oversight Policy itself, and the contractual addenda that must be executed with each material service provider.

What the Policy Must Contain

  • Vendor inventory: A documented list of all service providers with access to customer personal information, categorized by the type and sensitivity of information they handle
  • Vendor risk assessment procedures: How your firm evaluates the security posture of service providers, including initial due diligence and ongoing monitoring
  • Minimum contractual requirements: The specific contractual provisions your firm requires of all material service providers, including the 72-hour breach notification obligation
  • Addendum execution process: How your firm obtains and documents signed addenda from service providers
  • Vendor incident response integration: How notifications received from vendors trigger your firm’s IRP
  • Vendor review cadence: How frequently vendor relationships are re-assessed for compliance with your policy requirements

The Pre-Drafted Addenda

72-hour notification addenda for Reg S-P compliance should be executed with the major service providers used by RIA firms. The most common vendors requiring addenda are:

  • Schwab Advisor Services
  • Fidelity Institutional
  • Redtail Technology (CRM)
  • Orion Advisor Technology
  • eMoney Advisor
  • Microsoft 365 (Exchange Online / SharePoint)
  • Google Workspace

Each addendum is appended to your existing service agreement with the vendor and executed as an amendment. The language must meet Reg S-P’s requirements while being acceptable to the vendor’s contract management process. Executing these addenda requires initiating the amendment process with each vendor — this is the most time-consuming step in the compliance process and the primary reason starting early matters.

Document 3: Updated Privacy Notice

What It Is

The Updated Privacy Notice is the client-facing disclosure document that describes how your firm collects, uses, shares, and protects customer personal information. The original Reg S-P privacy notice requirements date to 2000. The amended rule requires that your Privacy Notice be current, accurate, and aligned with your Form ADV Part 2B disclosures and your actual data handling practices in 2026.

What Must Be Updated

Most small RIA Privacy Notices in circulation were drafted years ago and have not kept pace with the evolution of the firm’s technology environment. Common gaps include:

  • Failure to disclose cloud-based service providers that now have access to customer data
  • Outdated or inaccurate descriptions of data sharing categories
  • No reference to customer data security practices or incident response capabilities
  • Inconsistency with Form ADV Part 2B disclosures on data handling
  • Missing opt-out rights or procedures that apply under applicable state privacy laws in addition to Reg S-P

How Firm-Specific Customization Works

The updated Privacy Notice must be drafted using information about your firm’s actual data collection practices: the categories of customer information you maintain, the service providers who have access to that information, and your security posture. The result is a notice that accurately describes your firm’s current data environment — not a generic notice that may over- or under-disclose.

Document 4: 30-Day Customer Notification Procedure

What It Is

The 30-Day Customer Notification Procedure is a written operational procedure that documents how your firm will notify affected customers within 30 calendar days of discovering a data security incident involving their personal information. This is a distinct document from the IRP — it is specifically focused on the customer notification obligation and must stand alone as an operational procedure that can be executed under the stress of an actual incident.

What It Must Contain

  • Trigger definition: when does the 30-day clock start?
  • Decision authority: who determines that notification is required?
  • Notification template: the actual letter, pre-drafted in plain language
  • Method of delivery: electronic for consenting clients, written for others
  • State law overlay: identification of which state breach laws apply to which clients
  • Documentation requirements: how and where the notification record is retained

What Examiners Check

They look for a procedure that could actually be executed on Day 1 of a breach — not a description of what the firm would “try to do.” The notification letter template must be pre-drafted and ready. Having a pre-drafted template reduces the risk that a notification is sent late or contains inadequate information because the firm was drafting from scratch under incident pressure.

Document 5: Recordkeeping Framework

What It Is

The Recordkeeping Framework documents how your firm creates, maintains, and retains the records required under Reg S-P’s recordkeeping provisions. The amended rule requires that specific records related to your security program and any covered data events be maintained for a minimum of six years.

What It Must Contain

A documented system for retaining all Reg S-P compliance records for six years. This includes incident logs, vendor contracts and addenda, privacy notices with delivery records, IRP testing documentation, training records, and customer notification records.

What Examiners Check

Examiners scrutinize the records the framework governs more closely than the framework document itself. They will ask you to produce records from specific timeframes. The test is not whether you have a recordkeeping policy — it is whether you can produce the records.

The Recordkeeping Framework is a written policy that specifies: what records must be created, in what format, how they are stored (and in what systems), who is responsible for maintaining them, how they are organized and indexed for retrieval during an examination, and the six-year retention minimum. For a small RIA using cloud-based document management, the framework specifies the folder structure, access controls, and backup procedures that ensure records are preserved and retrievable.

What the Five Documents Do Not Cover

Honest scope limitations every RIA principal should understand:

  • These documents do not execute vendor addenda on your behalf — you must initiate the amendment process with each vendor
  • They do not provide ongoing compliance monitoring or annual review services
  • They do not address compliance gaps beyond the five Reg S-P deliverables — if your firm has broader compliance program deficiencies, those are outside scope
  • They do not substitute for legal counsel in the event of an actual data breach or SEC examination

Get Started Before the June 3 Deadline

The Mr. Fix It Geeks Reg S-P Compliance Package delivers all five required documents — Written IRP, Vendor Oversight Policy with pre-drafted addenda for major RIA service providers, Updated Privacy Notice, 30-Day Customer Notification Procedure with notification letter template, and Recordkeeping Framework — in three business days for a flat fee of $1,800. Thirty-minute intake. Three-day delivery. Firm-specific documents. Attorney-reviewed templates. Exam-ready.

Get your Reg S-P compliance package at mrfixitgeeks.com/reg-sp-compliance. Complete the intake questionnaire and have your documents in hand within three business days.
