
SEC Reg S-P: 30-Day Countdown Checklist for DFW RIAs

By DKBinnovative Team | Published: May 5, 2026 | Last updated: May 5, 2026 | Reviewed by Peter Bertran, Chief Client Officer

The SEC’s amended Regulation S-P compliance deadline for smaller registered investment advisers is June 3, 2026. As of today, that is 30 days away.

If your DFW RIA has regulatory assets under management below $1.5 billion, you fall in the smaller-entity bucket and the deadline applies. Larger RIAs were required to comply on December 3, 2025. Examiners have had the larger-entity program as their baseline since then, and will carry that expectation into smaller-firm exams from June onward. For practical purposes, June 3 is when “do you have a documented Reg S-P incident response program?” stops being a question and becomes a finding.

This post is a tactical 30-day countdown checklist. It does not replace counsel. It does provide the operational sequence DKBinnovative uses to bring DFW investment advisers from “unsure where we stand” to “documented, tested, and board-attested” inside the available window. For the broader background on the rule itself, see our SEC Reg S-P deadline overview.


Key Takeaways

  • The deadline is June 3, 2026 for smaller RIAs (under $1.5B regulatory AUM). Larger RIAs were due December 3, 2025.
  • The headline new rule: notify affected individuals of a customer-information breach within 30 days of becoming aware.
  • Five amendment areas require documentation: incident response program, customer notification, service-provider oversight, recordkeeping, and an expanded scope of “customer information.”
  • Service-provider obligations bite hardest. Vendor contracts must include a 72-hour incident notification clause; due diligence and ongoing monitoring must be documented.
  • The Division of Examinations published Reg S-P as a 2026 examination priority. Expect it to be covered in the first examination your firm receives after the deadline.
  • 30 days is enough if the firm sequences it correctly. DKBinnovative’s compressed Reg S-P readiness sprint delivers a documented, tested, board-attested program inside that window.

Why This 30-Day Window Matters

The SEC adopted amendments to Regulation S-P on May 16, 2024 (SEC press release). The amendments became effective in August 2024 with staggered compliance dates: larger entities had until December 3, 2025; smaller entities have until June 3, 2026.

For RIAs, “smaller” means less than $1.5 billion in regulatory assets under management. Most boutique and mid-market RIAs in Plano, Frisco, Irving, Dallas, and Fort Worth fall below that threshold, which means the June 3, 2026 deadline applies to the bulk of the DFW RIA community.

The Division of Examinations published Reg S-P as a 2026 examination priority. RIAs that fail to demonstrate a documented incident response program, tested service-provider oversight, and trained personnel will face deficiency letters at minimum and enforcement referrals in cases of egregious gaps. Remediation under an enforcement order is materially harder and slower than getting it right in the next 30 days, and the reputational damage of a public deficiency is borne by every client conversation that follows.


What the Amended Reg S-P Actually Requires

The amendments touch five areas. Every checklist item later in this post traces back to one of these five.

1. Written incident response program

RIAs must adopt and maintain written policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program must address roles, escalation, containment, eradication, recovery, and post-incident review. The SEC does not prescribe a specific framework, but examiners expect alignment with NIST Special Publication 800-61 or comparable industry standards.

2. Customer notification within 30 days

When sensitive customer information has been or is reasonably likely to have been accessed or used without authorization, the RIA must notify affected individuals as soon as practicable, but not later than 30 days after becoming aware of the incident. The notice must describe the incident in general terms, identify the type of information involved, describe the firm’s protective actions, and provide contact details for further information. There is a narrow law-enforcement delay exception.

3. Service-provider oversight

RIAs must oversee their service providers (custodians, fund administrators, RIA tech vendors, IT providers, marketing platforms, anything touching customer data) through written policies. Required elements include due diligence prior to engagement, ongoing monitoring, and contractual obligations requiring the service provider to notify the RIA of unauthorized access “as soon as possible but not later than 72 hours” after becoming aware of an incident. The 72-hour vendor-side notification is a contract requirement — meaning every existing vendor agreement needs language review.

4. Recordkeeping

Records of the incident response program, written policies and procedures, due diligence and monitoring of service providers, and copies of customer notifications must be maintained for the periods specified in the Investment Advisers Act recordkeeping rule (typically five years, with the first two years easily accessible). Recordkeeping is the lever examiners pull first — missing records is the cleanest deficiency to write up.

5. Expanded scope of customer information

“Customer information” now explicitly includes nonpublic personal information received from another financial institution — for example, custodial data passed through to the RIA from the broker-dealer, or data shared between affiliated investment companies. The protection obligation no longer stops at “your” customers; it extends to any customer information in your possession.


Days 30–22: Inventory and Gap Assessment

Week 1 is discovery. You cannot remediate a gap you have not yet found. The objective by end of day 22 is a written gap register: every required control, current state, target state, owner, and due date.

The Week 1 checklist

  1. Day 30: Convene the Reg S-P working group. CEO/CCO, CTO or IT lead, MSP partner, outside counsel, and at least one operations principal. Calendar four 60-minute working sessions over the 30 days.
  2. Day 29: Inventory all systems that store, process, or transmit customer information. Include CRM, custody portal logins, file servers, email archive, document portal, e-signature service, marketing email platform, financial planning tools, and any cloud storage with client documents.
  3. Day 28: Inventory all service providers with logical access to customer information. Custodian, portfolio accounting, CRM vendor, IT/MSP, document storage, financial planning software, marketing automation, e-signature, performance reporting, and any TAMP or sub-adviser feed.
  4. Days 27–25: Run a written gap assessment against the five amendment areas. Use a simple matrix: requirement, current state, gap, owner, target date.
  5. Day 24: Pull every active service-provider contract. Flag those without an incident notification clause that meets the 72-hour requirement.
  6. Day 23: Map data flows. Who receives customer information from your firm; who sends customer information to your firm. The expanded-scope obligation lives in this map.
  7. Day 22: Working group review. Sign off on the gap register. Lock priorities for Week 2.

Days 21–15: Policies and Controls

Week 2 is the heaviest writing week and the heaviest implementation week. The objective by end of day 15 is a complete written incident response program and the technical controls referenced in it operating in production. If technical gaps exist that cannot be remediated by day 15, document them with a written mitigation plan and target completion date.

The Week 2 checklist

  1. Day 21: Draft the written incident response program. Sections: scope, definitions, roles and responsibilities, detection, classification, escalation, containment, eradication, recovery, customer notification, regulator notification, post-incident review, recordkeeping. Align with NIST SP 800-61.
  2. Day 20: Draft the customer notification template. Include the SEC’s required content elements (general description, information types involved, firm’s response, contact information). Run by counsel for state-law layering — Texas Business and Commerce Code chapter 521 may add notification recipients beyond the federal floor.
  3. Day 19: Implement or confirm phishing-resistant MFA on every system in the inventory from Week 1. Microsoft Entra ID with conditional access policies is the standard configuration for DFW RIAs in the Microsoft 365 ecosystem.
  4. Day 18: Implement or confirm EDR/MDR coverage on every endpoint touching customer information. Partial deployment is a deficiency; coverage must be universal. See our cybersecurity services overview for the standard deployment scope.
  5. Day 17: Confirm centralized logging is operational and retains at least 12 months of authentication, access, and security events. Without logs you cannot establish when the firm became aware of an incident, what was accessed, or whose information was involved, so neither the notification decision nor the post-incident review has an evidence base, and there is nothing to file under the recordkeeping rule.
  6. Day 16: Confirm encrypted backups with tested restore. The incident response program references recovery; recovery without a tested backup is a paper exercise.
  7. Day 15: Working group review. Approve the written program. Identify any remaining technical gaps and assign an owner with a Week 3 due date.

Days 14–8: Documentation and Vendor Due Diligence

Week 3 is the documentation week that examiners care about most. The objective by end of day 8 is a complete written record of the program, the controls, the vendor reviews, and the contract amendments.

The Week 3 checklist

  1. Day 14: Document every service provider in the inventory. For each: services rendered, data accessed, due-diligence evidence (SOC 2 Type II report, ISO 27001 certificate, security questionnaire response), date of last review, next review date.
  2. Day 13: Issue contract amendment requests to every service provider whose agreement lacks the 72-hour incident notification clause. Use a standard rider; do not negotiate from scratch.
  3. Day 12: Document the data-flow map produced in Week 1. Diagram form is acceptable; narrative form is acceptable; both is better.
  4. Day 11: Document the technical controls referenced in the incident response program: MFA configuration, conditional access policies, EDR/MDR deployment scope, log retention configuration, backup configuration, restore test results.
  5. Day 10: Document the training plan for personnel and the schedule for the next 12 months. Reg S-P does not prescribe a frequency; quarterly security awareness with phishing simulation is the practical floor for RIAs.
  6. Day 9: Document the recordkeeping locations: where the program lives, where the gap register lives, where vendor due diligence lives, where notifications would be filed. Examiners ask for the file; the file should exist before they ask.
  7. Day 8: Working group review. Sign off on the documentation package. Lock the agenda for Week 4 testing.

Days 7–0: Testing, Training, and Attestations

Week 4 is where the program becomes real. Documentation that has not been tested is hopeful. The objective by June 3, 2026 is a tested, trained, board-attested program ready to defend in any examination from day one of the new regime.

The Week 4 checklist

  1. Day 7: Run a 90-minute tabletop exercise. Scenario: a vendor reports unauthorized access to customer information at 6 p.m. Friday. Walk through detection, classification, escalation, customer notification timing, regulator notification, recordkeeping. Document the exercise and findings.
  2. Day 6: Train all employees on the incident response program and reporting expectations. Capture attendance and a brief comprehension check.
  3. Day 5: Train all employees on Reg S-P customer-information handling: clean desk, no email forwarding to personal accounts, proper disposal, vendor escalation pathway.
  4. Day 4: Verify all service-provider contract amendments are signed or have a written commitment date. Document any that are still outstanding and the firm’s mitigation plan.
  5. Day 3: Final documentation review by counsel and CCO. Address any feedback.
  6. Day 2: Board or principals’ meeting. Present the program, the gap remediation, the tabletop findings. Capture attestation in meeting minutes.
  7. Day 1: Distribute the program internally. File copies in the recordkeeping location. Confirm the next review date is on the calendar.
  8. June 3, 2026: Compliance date. Documented, tested, attested.

The 30-Day Breach-Notification Trigger

The customer-notification rule is the headline change in the amended Reg S-P, and the one most likely to generate enforcement attention in the first year. The mechanics matter.

What triggers notification. Sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization. The trigger is access, not just exfiltration; reasonable likelihood, not confirmed certainty.

When the 30-day clock starts. The RIA becomes aware of the incident. “Aware” is interpreted broadly; awareness by an MSP serving as the RIA’s IT function is awareness by the RIA. The clock does not wait for forensic completion.

Who must be notified. Each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization — including individuals whose information is in the RIA’s possession because it was received from another financial institution.

What the notice must contain. A general description of the incident, the type of information involved, what the firm has done to protect against further unauthorized access, contact information for further inquiry, and a reminder of the customer’s ability to take protective steps.

The narrow exception. If the Attorney General of the United States determines that notification poses a substantial risk to national security or public safety and notifies the firm of that determination in writing, the firm may delay notice for the period the Attorney General specifies, up to 30 days, with extensions possible on the same written basis. This is the only delay basis available; an incomplete forensic investigation, pending counsel review, or a vendor that has not yet finished its own inquiry does not stop the clock.

In practice, the 30-day clock means the incident response program must produce a customer-notification decision within roughly 14 days of awareness, leaving the back half of the window for forensic confirmation, counsel review, and physical mailing or email distribution. Programs that wait for forensic certainty before drafting notifications miss the deadline.
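To make the timing concrete for the tabletop in Week 4, here is an added example (written for this post, not code from DKBinnovative or any regulator) that models the clocks described above: the vendor’s 72-hour notice window, the RIA’s 30-day customer-notice clock starting at the earliest awareness event (the MSP’s detection counts as the firm’s awareness, so the clock may start before the vendor’s formal notice arrives), the 14-day internal decision checkpoint this post recommends, and the written law-enforcement delay. The 72-hour and 30-day figures mirror the rule as summarized in this post; the 14-day checkpoint is this post’s rule of thumb, not a regulatory number; the scenario timestamps are constructed; and the treatment of the delay as an extension of the original deadline, capped at 30 days, is a modeling assumption to confirm with counsel.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Windows as summarized in this post. The 72-hour and 30-day figures mirror the
# rule as described above; the 14-day decision checkpoint is the post's
# operational rule of thumb, not a regulatory number. Confirm all of them
# against the rule text and counsel before relying on this calculator.
VENDOR_NOTICE_WINDOW = timedelta(hours=72)
CUSTOMER_NOTICE_WINDOW = timedelta(days=30)
DECISION_CHECKPOINT = timedelta(days=14)
MAX_LAW_ENFORCEMENT_DELAY = timedelta(days=30)   # assumption: cap on a single written delay


@dataclass
class IncidentClock:
    """Timestamps for one incident. Datetimes are naive and assumed to be in
    the firm's local time zone (a simplification for this example)."""
    vendor_aware: Optional[datetime] = None          # when the service provider became aware
    vendor_notified_ria: Optional[datetime] = None   # when the vendor's notice reached the RIA
    # Awareness events inside the firm or its agents, e.g. the MSP acting as the
    # RIA's IT function sees an alert before the vendor sends formal notice.
    internal_awareness: List[datetime] = field(default_factory=list)
    # Delay granted under the written law-enforcement exception, if any.
    law_enforcement_delay: timedelta = timedelta(0)


def ria_awareness(clock: IncidentClock) -> datetime:
    """The 30-day clock starts at the EARLIEST awareness event, whether it came
    from the vendor's notice or from the firm's own (or its MSP's) detection."""
    events = list(clock.internal_awareness)
    if clock.vendor_notified_ria is not None:
        events.append(clock.vendor_notified_ria)
    if not events:
        raise ValueError("no awareness event recorded; the clock has not started")
    return min(events)


def vendor_notice_status(clock: IncidentClock) -> str:
    """Was the vendor's notice inside the contractual 72-hour window?"""
    if clock.vendor_aware is None:
        return "not_applicable"          # first-party incident, no vendor involved
    if clock.vendor_notified_ria is None:
        return "outstanding"             # vendor knows, the RIA has not been told
    elapsed = clock.vendor_notified_ria - clock.vendor_aware
    return "within_72h" if elapsed <= VENDOR_NOTICE_WINDOW else "late"


def customer_notice_deadline(clock: IncidentClock) -> datetime:
    """Latest date for customer notice: 30 days from awareness, extended only by
    a documented law-enforcement delay (modeled here as extending the original
    deadline, capped at 30 days; further extensions are not modeled)."""
    delay = min(clock.law_enforcement_delay, MAX_LAW_ENFORCEMENT_DELAY)
    return ria_awareness(clock) + CUSTOMER_NOTICE_WINDOW + delay


def decision_checkpoint(clock: IncidentClock) -> datetime:
    """Internal date by which the notify/no-notify decision should exist, leaving
    the back half of the window for counsel review and distribution."""
    return ria_awareness(clock) + DECISION_CHECKPOINT


def days_remaining(clock: IncidentClock, now: datetime) -> float:
    """Days left on the customer-notice clock; negative means the deadline passed."""
    return (customer_notice_deadline(clock) - now) / timedelta(days=1)


# Constructed scenarios (sample values, not real incidents).
# TABLETOP mirrors the Week 4 exercise: the vendor becomes aware at 6 p.m. Friday,
# the RIA's MSP sees a related alert early Saturday, the vendor's formal notice
# arrives Monday morning (63 hours later, inside the 72-hour window).
TABLETOP = IncidentClock(
    vendor_aware=datetime(2026, 6, 5, 18, 0),
    internal_awareness=[datetime(2026, 6, 6, 2, 0)],
    vendor_notified_ria=datetime(2026, 6, 8, 9, 0),
)
# LATE_VENDOR: same vendor awareness, notice arrives 88 hours later and nobody
# inside the firm saw it first, so the RIA clock starts at the late notice.
LATE_VENDOR = IncidentClock(
    vendor_aware=datetime(2026, 6, 5, 18, 0),
    vendor_notified_ria=datetime(2026, 6, 9, 10, 0),
)
# DELAYED: first-party incident with a 10-day written law-enforcement delay.
DELAYED = IncidentClock(
    internal_awareness=[datetime(2026, 6, 6, 2, 0)],
    law_enforcement_delay=timedelta(days=10),
)

if __name__ == "__main__":
    for name, clock in (("tabletop", TABLETOP), ("late vendor", LATE_VENDOR), ("delayed", DELAYED)):
        print(f"{name}: vendor notice {vendor_notice_status(clock)}; "
              f"aware {ria_awareness(clock)}; decide by {decision_checkpoint(clock)}; "
              f"notify customers by {customer_notice_deadline(clock)}")
```

The point the tabletop should surface is in the first scenario: the MSP’s Saturday alert, not the vendor’s Monday letter, starts the firm’s clock, so a program that only tracks vendor notices will compute a deadline two days too late.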


Common Final-Stretch Mistakes

DKBinnovative has shepherded enough DFW RIAs through Reg S-P to see the same errors repeat in the final 30 days. Avoid these.

Treating the program as a checklist instead of a system

The written program is the artifact, not the goal. The goal is a system that detects, escalates, contains, recovers, and notifies. RIAs that rush a binder to satisfy June 3 and never test it find out during a real incident that the binder was a fiction. Run the tabletop. Capture the findings. Update the program.

Skipping vendor contract amendments

The 72-hour vendor incident-notification clause is contractual. RIAs that skip it because “we trust our vendors” keep the regulatory risk on their own books, since the oversight obligation sits with the RIA, not the vendor. Send the rider; track signatures; document holdouts and your mitigation plan.

Forgetting the expanded scope

Customer information now includes data received from other financial institutions. Custodial feeds, fund-administrator outputs, sub-adviser data, and TAMP integrations all carry the same protection obligation as data your clients hand you directly. Inventory must reflect this.

Relying on the MSP without confirming controls in writing

Examiners do not accept “our MSP handles that” as evidence. They accept written policies, configuration documentation, and audit logs. If your MSP does not produce these as a deliverable, you do not have what examiners require — regardless of what the MSP is actually doing in production.

Skipping the board attestation

Reg S-P does not mandate board attestation by name, but examiners look for evidence that the firm’s leadership reviewed and approved the program. Capture the attestation in board or principals’ meeting minutes. It is the cleanest and most credible evidence available.

Treating customer notification as a legal exercise instead of a communication exercise

Counsel drafts the notification language; the RIA delivers it to clients. Pre-build the delivery path: addresses on file, email channels confirmed, mailing house identified, internal communications draft for the week the notice goes out. The 30-day clock is a logistics deadline as much as a legal one.


How DKBinnovative Closes the Gap in 30 Days

DKBinnovative has served DFW investment advisers since 2004. Compliance-driven onboarding is the standard path for our investment-firm clients, not an exception. The 30-day Reg S-P readiness program is built on the operational pattern that gets RIAs from “unsure where we stand” to “documented, tested, board-attested.” See our managed IT services for DFW professional firms for the full scope of the engagement.

A 24/7 in-house Security Operations Center

DKBinnovative operates a 24/7 in-house SOC based in DFW. EDR/MDR coverage, identity threat detection, and human analyst triage operate continuously. Detection and escalation — the first half of any incident response program — come standard, not as an upsell.

Compliance documentation as a deliverable

Written policies, configuration evidence, audit logs, vendor due-diligence files, training records, and tabletop exercise documentation are produced as a standard deliverable for investment-firm clients. Examiners ask for files; the files exist.

vCIO and vCISO leadership

A vCIO and vCISO are assigned to every investment-firm engagement as a standard deliverable. Quarterly reviews align the security and compliance program to the firm’s exam calendar, AUM trajectory, and operational changes. The Reg S-P program is reviewed every quarter, not once at adoption.

A compressed 30-day onboarding when the deadline demands it

Standard DKBinnovative onboarding is 45 to 90 days. For RIAs in the final 30 days before a regulatory deadline, the engagement is compressed to a four-week sprint mirroring this checklist: Week 1 inventory and gap assessment, Week 2 policies and controls, Week 3 documentation and vendor work, Week 4 testing and attestation. The full program is not delivered in 30 days; the regulatory minimum is.

DFW presence, investment-firm fluency

DKBinnovative engineers and vCIOs work on-site in Plano, Frisco, Irving, Dallas, and Fort Worth. The firm has served DFW investment advisers, broker-dealers, and family offices through multiple SEC examination cycles since 2004. The questions examiners ask in 2026 are familiar; the documentation that satisfies them is in the standard playbook.



Frequently Asked Questions

When is the SEC Reg S-P compliance deadline for smaller RIAs?

The compliance deadline for smaller registered investment advisers is June 3, 2026. “Smaller” means less than $1.5 billion in regulatory assets under management. Larger entities (RIAs at $1.5 billion or more) had until December 3, 2025.

Does Reg S-P require the SEC to be notified of a breach?

The amended Reg S-P does not impose a direct SEC notification requirement on RIAs for customer-information incidents. The 30-day notification obligation runs to affected individuals, not to the SEC. RIAs may have separate disclosure obligations under the Advisers Act fiduciary duty and Form ADV update rules if an incident is material to the firm or its clients, and broker-dealers face overlapping FINRA Rule 4530 reporting obligations.

What is the 72-hour rule under Reg S-P?

There is no 72-hour rule directly applied to RIAs under Reg S-P. The 72-hour requirement is contractual: RIAs must include language in their service-provider agreements requiring the service provider to notify the RIA of unauthorized access “as soon as possible but not later than 72 hours” after becoming aware of an incident. The clock that runs against the RIA is the 30-day customer-notification clock.

Does Reg S-P apply to firms not based in Texas?

Yes. Reg S-P is a federal regulation applicable to all SEC-registered investment advisers, broker-dealers, investment companies, funding portals, and transfer agents regardless of state. State-law breach notification rules (in Texas, Business and Commerce Code chapter 521) layer on top of the federal floor and may add notification recipients, content requirements, or shorter timeframes.

Can an RIA satisfy Reg S-P by relying entirely on its MSP?

No. The regulatory obligation rests on the RIA. The RIA may delegate execution to an MSP, but the RIA must own the written program, oversee the MSP as a service provider, document the controls in writing, and produce records for examiners. An MSP that runs strong controls without documenting them in a form the RIA can hand to examiners leaves the RIA unable to demonstrate compliance.

What records must an RIA keep under amended Reg S-P?

An RIA must keep written copies of the incident response program, the policies and procedures for service-provider oversight, evidence of due diligence on each service provider, copies of contracts containing the required incident notification clause, copies of any customer notifications sent, training records, and post-incident review documentation. Records are subject to the Investment Advisers Act recordkeeping rule, generally five years with the first two years easily accessible.

What happens if an RIA misses the June 3, 2026 deadline?

The Division of Examinations can issue a deficiency letter requiring remediation and can refer egregious noncompliance to the Division of Enforcement, which may seek fines, censures, or registration consequences through the Commission. The most common immediate consequence is the deficiency letter and a follow-up examination. Most RIAs that miss the deadline can remediate in good faith if they have a documented plan with owners and dates; RIAs without a plan are at the highest risk.

How does DKBinnovative help DFW RIAs prepare for Reg S-P?

DKBinnovative delivers a four-week Reg S-P readiness program built on this checklist: Week 1 inventory and gap assessment, Week 2 policies and controls, Week 3 documentation and vendor due diligence, Week 4 testing, training, and board attestation. The 24/7 in-house SOC handles detection and response; the vCISO program owns the written program; the vCIO program reviews quarterly. Compliance documentation is produced as a standard deliverable, not an add-on. Call (888) 352-4832 or visit our contact page to request a 30-day readiness assessment.


Get a 30-Day Reg S-P Readiness Assessment

If your DFW RIA has not yet completed Reg S-P readiness, DKBinnovative will run a no-obligation gap assessment against the five amendment areas and produce a written 30-day work plan. Standard turnaround is five business days from kickoff.

Call (888) 352-4832 or request a readiness assessment. We have served DFW investment advisers since 2004 and have shepherded firms through every major SEC and FINRA cybersecurity rule change in that period.

This post is operational guidance, not legal advice. Reg S-P interpretation should be confirmed with counsel.
