Monday, June 8, 2026

RIAs Scramble To Meet Reg S-P Compliance Deadline


As smaller firms comply with the Securities and Exchange Commission’s changes to Regulation S-P, experts are warning reps to ensure their incident response plans for cybersecurity events are up to date and workable.

The Reg S-P amendments, adopted in 2024, updated and expanded firms’ responsibilities for safeguarding customer data. Firms with more than $1.5 billion in managed assets had a Dec. 3, 2025, compliance date, while firms below that threshold face a deadline this week, on June 3.

Among the changes are requirements to maintain a written incident response program, a 30-day deadline for notifying affected consumers, and a 72-hour deadline for service providers to inform RIAs of cyber incidents.

In a discussion with Wealth Management, Michael Cocanower, the founder and CEO of RIA IT consulting firm itSynergy, said client responses to Reg S-P ran the gamut from complete preparedness to total surprise. According to Cocanower, RIAs’ backup and disaster recovery/business continuity plans are not substitutes for an incident response plan, which details how a firm will respond to a cybersecurity attack, and he said RIAs had complained that little guidance was available on how to craft such a plan.


Additionally, Cocanower worried that too many IRPs were being drafted by an attorney solely to “check the regulatory box,” which he warned would be “completely useless” in a cyber incident.

“I’m seeing that disconnect where they check the box, and I go, ‘Great, you did check the box, I agree,’” he said. “But in terms of this being a useful document during a cybersecurity incident, it’s not even close.”

The changes in service provider oversight are particularly notable, with advisors now required to demonstrate ongoing oversight rather than a single review at vendor onboarding. 

Mark Gilbert, the CEO and co-founder of Zocks, an AI assistant tool for advisors, said advisors should view vendors’ willingness (or lack thereof) to discuss client data handling as a telling sign for whether they are a good fit. Additionally, the 30-day consumer notification mandate makes it essential for firms to know what data they have, where it is, and what it has touched.

“If you don’t have a current map of your data flows, you can’t realistically notify affected clients within 30 days of a breach, because you won’t even know who was affected or what was exposed,” Gilbert said.

According to Max Schatzow, a partner with RIA Lawyers, the rule requires advisors to obtain “reasonable assurances” from service providers that those vendors are properly protecting client information and will notify the firm within 72 hours of a breach. However, advisors and vendors are struggling to define “reasonable assurances,” and advisors are still struggling to document compliance before the deadline.


“Some service providers are resisting these requests by arguing that they do not fall within the rule’s definition of a service provider, while others are simply not responding to advisors seeking contractual or written assurances,” Schatzow said.

Lori Weston, the head of compliance for STP Investment Services, affirmed that advisors were having trouble getting “clear vendor commitments” to meet the 72-hour deadline, so firms are resorting to other solutions to get compliant, “including contractual terms, vendor certifications, and in some cases, negative consent.”

Weston agreed with Gilbert, stressing that firms need to be able to locate consumer information in the event of a cybersecurity incident, including if that data flows toward service providers (and their third-party systems).

Chief compliance officers “can’t assume their IT staff or (managed security service provider) will handle the breach,” she said. “They need to understand the incident response plan and have a plan for orchestrating it.”
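Gilbert’s and Weston’s point is that scoping a breach, and therefore meeting the 30-day consumer notice, depends on already having a map of where each client’s data flows, including into service providers and their sub-processors. The script below is an added illustration, not code from the article or from any firm or vendor quoted in it. The systems, vendors, client records and forwarded fields are constructed for the example; the 30-day window is the article’s stated consumer-notification period and is counted here from the moment the firm becomes aware. Given a breached system anywhere in the map, it walks the flows to return which clients are affected, which fields of theirs reached that system, and the resulting notice deadline.

```python
"""
Minimal data-flow inventory for breach scoping.

Added example for illustration only (not the article's, nor any named firm's, code).
Every system, vendor, client and field below is constructed.
"""
from collections import deque
from datetime import datetime, timedelta

# Flow map: system -> systems that receive data from it.
# Constructed: the RIA's CRM feeds a portfolio tool and an email archive; the
# portfolio tool feeds a vendor's reporting service, which uses a cloud sub-processor.
FLOWS = {
    "crm": {"portfolio_tool", "email_archive"},
    "portfolio_tool": {"vendor_reporting"},
    "vendor_reporting": {"vendor_subprocessor_cloud"},
    "email_archive": set(),
    "vendor_subprocessor_cloud": set(),
}

# Constructed client records: which fields enter the map at which system.
RECORDS = [
    {"client": "C-1001", "system": "crm", "fields": {"ssn", "account_no", "email"}},
    {"client": "C-1002", "system": "crm", "fields": {"account_no", "email"}},
    {"client": "C-1003", "system": "email_archive", "fields": {"email"}},
]

# Constructed: only these fields cross each edge; anything else stays upstream.
FORWARDED_FIELDS = {
    ("crm", "portfolio_tool"): {"account_no"},
    ("crm", "email_archive"): {"email"},
    ("portfolio_tool", "vendor_reporting"): {"account_no"},
    ("vendor_reporting", "vendor_subprocessor_cloud"): {"account_no"},
}

CONSUMER_NOTICE_DAYS = 30  # the article's 30-day consumer-notification window


def data_at_system(flows, records, forwarded):
    """Propagate each record downstream; return {system: {client: set(fields)}}."""
    present = {system: {} for system in flows}
    for rec in records:
        # Breadth-first walk carrying the field set; fields that an edge does not
        # forward drop off, and a branch stops when it brings nothing new to a system.
        queue = deque([(rec["system"], frozenset(rec["fields"]))])
        while queue:
            system, fields = queue.popleft()
            if not fields or system not in present:
                continue
            held = present[system].setdefault(rec["client"], set())
            if fields <= held:
                continue  # already accounted for here (also terminates on cycles)
            held |= fields
            for nxt in flows[system]:
                queue.append((nxt, fields & forwarded.get((system, nxt), frozenset())))
    return present


def affected_clients(present, breached_system):
    """Clients with any data at the breached system, with the fields exposed there."""
    return {c: sorted(f) for c, f in present.get(breached_system, {}).items() if f}


def breach_report(breached_system, aware_at_iso, flows=FLOWS, records=RECORDS,
                  forwarded=FORWARDED_FIELDS):
    """Scope a breach and compute the consumer-notice deadline from awareness time.

    A system missing from the map yields an empty 'affected' list: exactly the
    blind spot the article warns about, so treat that as a gap to fix, not as
    evidence that nobody was affected.
    """
    present = data_at_system(flows, records, forwarded)
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {
        "breached_system": breached_system,
        "mapped": breached_system in flows,
        "affected": affected_clients(present, breached_system),
        "notify_consumers_by": (aware_at + timedelta(days=CONSUMER_NOTICE_DAYS)).isoformat(),
    }


if __name__ == "__main__":
    import json
    # A breach at the vendor's sub-processor reaches clients whose data the firm
    # may never have thought of as leaving its own CRM.
    print(json.dumps(breach_report("vendor_subprocessor_cloud", "2026-06-01T09:00:00+00:00"), indent=2))
```

The useful property is that the answer for a vendor’s sub-processor falls out of the same map as the answer for an in-house system: C-1001 and C-1002 are affected by a breach at the cloud sub-processor because their account numbers flowed there through the portfolio tool and the vendor, while their SSNs and email addresses did not and C-1003 is untouched. A firm that asked the vendor about its data handling up front, as Gilbert suggests, is the one that can fill in the edges out of its own perimeter before an incident rather than during one.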


For Cocanower, small and mid-size firms are particularly vulnerable because they continue to focus on prevention rather than on detecting attacks as they happen, even though attackers are too persistent and sophisticated for a firm to keep out every time.

“The bad guys are going to get in. So, the issue is, in order for you to be able to provide a 30-day notice or a 72-hour notice, you have to equally prioritize the detection and the response, and not just the prevention,” he said. “Because prevention alone is not going to do it.”
