The U.S. Securities and Exchange Commission (SEC) recently hosted a Compliance Outreach webinar focused on the amended Regulation S-P, offering advisers a clearer view into how exam teams will assess compliance with the new requirements. Of particular interest was the initial document request list examiners may use during upcoming examinations. Registered investment advisers (advisers) should expect examiners to ask not only whether policies exist, but whether they are documented, followed, and actively monitored.
Below, we break down what advisers can expect to see on a Reg S-P request list and where firms should focus their preparation efforts.
Information Security & Regulation S-P Documentation
Under the amended rule, advisers must demonstrate that they have implemented safeguards to protect customer information. During an exam, SEC staff may request:
- Written information security policies and procedures: Document administrative, technical, and physical safeguards, including incident response and third-party oversight.
- Agreements with IT and managed service providers: Maintain contracts that align with Reg S-P requirements, including incident notification and data protection obligations.
- Documented cybersecurity risk assessment: Identify technology and cybersecurity risks, threats, vulnerabilities, and related controls.
Incident Response Materials
A major focus of the Reg S-P amendments is how advisers prepare for and respond to unauthorized access or use of customer information. As part of an exam, firms may be asked to provide:
- Incident Response Plan (IRP): Documentation of how incidents are detected, contained, remediated, escalated, and reported.
- Defined response roles: Internal teams, service providers, and third parties responsible for incident response.
- Monitoring and detection tools: Inventory of systems used to detect cybersecurity events or suspicious activity.
- Ongoing monitoring evidence: Reports showing continuous monitoring of systems, networks, and user activity.
- Incident response records: Actions taken to follow incident response procedures for any security incidents.
Data Mapping & Risk Assessment
Another area of examiner focus is understanding how customer information flows through the organization. Advisers may be asked to provide documentation supporting cybersecurity risk assessments, data mapping efforts, and controls tied directly to identified risks. This is an area where many firms have informal practices and limited documentation, a gap that can become apparent during an exam.
What Advisers Should Do Now to Prepare
The SEC’s webinar reinforces an important message: Reg S-P compliance is now an exam priority. Advisers should take proactive steps, including:
- Reviewing and updating written information security and incident response policies
- Confirming service provider agreements align with Reg S-P requirements
- Formalizing cybersecurity risk assessments and data mapping
- Ensuring monitoring and incident response activities are documented and repeatable
How Petra Can Help
Meeting the amended Reg S-P requirements takes coordination across compliance, operations, technology, and vendor management. Petra Funds Group works closely with private fund advisers to translate regulatory expectations into practical, exam-ready solutions.
Our team supports firms by assessing existing cybersecurity and data privacy frameworks against Reg S-P standards, updating and documenting incident response and information security programs, reviewing service provider oversight and contractual requirements, and helping prepare Reg S-P documentation for SEC examinations.
With deep industry knowledge and a hands-on approach, Petra helps advisers not only meet regulatory requirements but also build stronger, more resilient compliance infrastructures.