Every year, the SEC’s Office of Examinations publishes its examination priorities for the coming year. In 2026, the relevant section for registered investment advisers is not buried in the document — it is prominent, specific, and unambiguous. The SEC is checking Reg S-P compliance. They are looking specifically for written Incident Response Plans. Firms without documentation in order are receiving deficiency letters.
What the SEC’s 2026 Exam Priorities Actually Say
The SEC’s 2026 examination priorities for registered investment advisers explicitly call out cybersecurity and data protection as a focal area, with specific emphasis on compliance with the amended Reg S-P Safeguards Rule (Release No. 34-100155). The priorities document identifies Incident Response Plan readiness as a specific examination focus — meaning examiners are not approaching Reg S-P as a background inquiry. They are coming in with Reg S-P as a primary agenda item.
For small and mid-size RIA firms — those under $1.5 billion in RAUM with a June 3, 2026 compliance deadline — this creates a specific examination risk that many firms are not adequately prepared for. The compliance deadline and the examination cycle are not synchronized. Examiners are reviewing Reg S-P compliance now, before the June 3 deadline, in anticipation of what the examination landscape will look like after that date. Firms that cannot demonstrate meaningful progress toward compliance are receiving deficiency comments even when the formal deadline has not yet passed.
The Specific Items Examiners Are Flagging
Based on deficiency letters and examination findings from the current examination cycle, examiners are specifically reviewing:
- Whether a written Incident Response Plan exists and is firm-specific — not a downloaded template with the firm name substituted
- Whether the IRP includes all required elements: detection procedures, containment steps, notification timeline, customer notification procedure, and recordkeeping obligations
- Whether covered service providers have signed 72-hour notification addenda — unsigned templates and follow-up notes do not satisfy this requirement
- Whether the firm’s privacy notice has been updated to reflect current practices and is consistent with ADV Part 2B disclosures
- Whether records are maintained in compliance with the six-year retention requirement, with version history and retrieval structure that supports examination production
- Whether the firm can produce documentation demonstrating that its compliance program is operational — not just written
Being Technically Compliant vs. Being Exam-Ready
Technical compliance means you have taken actions that satisfy the legal requirements of the rule. You have written an IRP, a vendor oversight policy, and the other required documents. The rule’s requirements are technically satisfied.
Exam readiness means your documentation is organized, accessible, internally consistent, and written specifically enough that an examiner can confirm compliance without interpreting ambiguous language in your favor. An exam-ready firm produces any requested document within 30 minutes. An exam-ready firm’s IRP names specific people in specific roles. An exam-ready firm’s vendor oversight file contains signed addenda — not unsigned templates and a note saying “need to follow up with MSP.”
The gap between technical compliance and exam readiness is where deficiency letters live. Examiners reviewing a firm’s first attempt at Reg S-P documentation are experienced at identifying documents written to check a regulatory box rather than describe how the firm actually operates. They have reviewed hundreds of these documents. They know the difference between a plan written for this firm and a plan that was downloaded and lightly edited.
What an Examiner Actually Does When They Review Your IRP
When an examiner reviews your Incident Response Plan, they are reading it as an auditor looking for gaps and inconsistencies — not as a compliance practitioner looking for ways to give you credit. The typical review process includes:
- Checking whether the document identifies a specific person (not just a role) responsible for incident response — if that person is no longer at the firm, that is a deficiency
- Verifying that the 30-day customer notification requirement is written out as a procedure with a timeline and content requirements — not just referenced
- Cross-referencing the IRP against the vendor oversight policy — do these documents connect to each other or operate in isolation?
- Looking for evidence that the plan has been reviewed and updated — a plan with a creation date of January 2026 and no revision history is a flag
- Asking whether the firm has tested or tabletop-exercised the plan — if the answer is no, that is noted
The Deficiency Letter: What Happens When You Fail
A deficiency letter from the SEC is a formal written notification identifying areas where your firm’s practices do not comply with applicable regulations. It is not a criminal charge or a fine — but calling it “just a deficiency letter” understates the consequences.
Immediate Consequences
- You must respond in writing within the timeframe specified — typically 30 to 60 days — with a plan for remediation
- The deficiency becomes part of your examination record; subsequent exams will check whether you addressed it
- Repeated deficiencies in the same area, or failure to remediate, can escalate to enforcement referrals
- The deficiency letter creates documentation of a compliance failure that may be relevant in other regulatory proceedings or client disputes
Operational Consequences
- Remediating a deficiency after the fact is almost always more expensive than getting compliant before the exam — you are now on a deadline with scrutiny attached
- The remediation period is time-consuming for a solo or small RIA principal managing client obligations simultaneously
- During remediation, the firm remains in heightened examination risk status
Reputational and Business Consequences
- Some deficiency information becomes publicly available through regulatory databases, affecting client trust
- In competitive client acquisition scenarios, a compliance deficiency history is a real disadvantage
- RIA aggregators, custodians, and institutional clients increasingly conduct compliance due diligence — a deficiency record creates friction in those relationships
Firms Already Receiving Citations: What They Have in Common
Based on examination findings from the current cycle, firms receiving Reg S-P deficiency citations share a recognizable profile:
- They have some documentation — the problem is not total absence of compliance effort, it is inadequate or incomplete documentation
- Their IRP exists but is not firm-specific — it reads like a template because it is one
- Their vendor oversight program is described in policy but not implemented in practice — no signed addenda
- Their recordkeeping practices are inconsistent — documents exist, but are not organized for retrieval and lack version history
- They completed a compliance exercise once and treated it as permanent — no evidence of annual review or update
The SEC is not giving partial credit for effort. The documentation either satisfies the examiner or it does not.
What “Exam-Ready” Actually Looks Like in Practice
An exam-ready RIA firm approaches an examination with a compliance file that can be produced on demand. That file contains:
The IRP Package
- Current IRP with version history showing adoption date and all subsequent revisions
- Evidence of annual review — at minimum a documented review conversation or principal sign-off
- If the firm has never had an incident: a note in the file confirming that, with the date it was last confirmed
- Training or acknowledgment records showing that responsible individuals know the plan exists and understand their roles
The Vendor Oversight File
- Written Vendor Oversight Policy
- Complete vendor register identifying all covered service providers
- Signed 72-hour notification addenda for each covered vendor — physically or electronically signed, with dates
- Documentation of annual vendor review — even a logged conversation qualifies if it is documented
- For each vendor: their current security policy or SOC 2 report, or documentation of why it was not available
The Privacy and Notification Package
- Current privacy notice with evidence of client delivery
- ADV Part 2B cross-reference showing consistency between the two documents
- Written 30-day notification procedure with a pre-drafted notification template
The Recordkeeping Structure
- Written recordkeeping framework with specific retention schedules
- Organized storage with clear folder structure and file naming conventions
- The ability to locate and produce any compliance document within 30 minutes of a request
The Timeline: Why June 3, 2026 Is Not Your Buffer Date
Getting compliant from scratch takes time: developing the five required documents, approaching every covered vendor with an addendum and waiting for signatures, updating your ADV if necessary, organizing your recordkeeping structure, and documenting the process. For a solo or small RIA, this is a three-to-six-week project executed with focus.
After documentation is complete, the firm needs an implementation period before an exam. A plan signed last week does not look as credible as a plan with six months of operating history. Annual review documentation from one year ago looks better than a plan that has never been reviewed.
Examiners are scheduling examinations now. If your exam happens before June 3 and your firm cannot demonstrate meaningful Reg S-P readiness, you will receive deficiency comments. If your exam happens after June 3 and you are not compliant, you will receive a deficiency letter. The June 3, 2026 deadline is not a buffer — it is the outer boundary of an exposure window that is already open.
The Practical Takeaway
The 2026 SEC examination priorities are not a surprise. The amended Reg S-P rule was published in 2023. The compliance deadline for small firms has been known since the rule was finalized. Examiners are now arriving at firms expecting to see documentation that was supposed to have been in development for over a year.
For firms just starting: act now, not in May 2026. For firms with some documentation but uncertainty about sufficiency: get a second opinion from someone who knows what examiners are actually checking. For firms confident in their compliance posture: make sure your recordkeeping can prove it under examination conditions.
The difference between a clean examination and a deficiency letter is almost always documentation quality and completeness, not intent or effort. Examiners cannot evaluate your intentions. They can only evaluate what you put in front of them.