Regulation S-P — the binding one
The SEC amended Regulation S-P in 2024, and the compliance dates have now passed for firms of every size. If you’re a registered investment adviser or broker-dealer, you are required today to have:
- A written incident response program — how you detect, respond to, and recover from unauthorized access to customer information.
- Customer notification within 30 days of determining that sensitive customer information was, or is reasonably likely to have been, accessed without authorization.
- Oversight of service providers who hold your customer data, with contractual assurances they’ll notify you of breaches.
“We’d figure it out if it happened” is no longer a legal position.
The proposed adviser cyber rule
The SEC has also proposed a dedicated cybersecurity risk-management rule for advisers and funds — written cybersecurity policies and procedures, periodic risk assessments, and confidential incident reporting to the Commission. It remains a proposal, but its substance mirrors what examination staff already ask for. Building the program now is cheaper than building it under a compliance deadline later.
The layer that was always there
- Rule 17a-4 / books-and-records: electronic records kept in compliant archives — the WORM/audit-trail requirements many “compliant” archive configurations quietly fail.
- FINRA 3110 and 4370 (for broker-dealers): supervision and business-continuity obligations, checked at every exam.
- Regulation S-ID: identity-theft red-flag programs.
What examiners actually request
Recent exam sweeps ask for the same core set: your written cybersecurity policies, your latest risk assessment, incident response procedures (and any incident history), MFA and access-control evidence, vendor due-diligence records, and proof your archive is configured the way your compliance manual claims. Firms fail not on sophistication but on documentation — the program exists in practice but not on paper, or on paper but not in practice.
How Z1 helps
We deliver the technical half of the program for RIAs on the 680 corridor: exam-ready documentation, Rule 17a-4 archive validation in writing, 24/7 monitoring that makes your incident-response procedures real, and a vCISO who sits across from the examiner with you — working alongside your compliance consultant, not around them.
Our gap analysis for advisory firms reviews your written policies and archive configuration against the rule text and gives you the findings in writing — either confidence or a fix list, both worth having before an exam letter arrives.