First Regulation S-P Examinations Arrive

The SEC has begun conducting examinations focused on the amended Regulation S-P requirements. During June, we assisted a client that received what appears to be one of the first Reg S-P focused examinations following the June 3 compliance date for smaller investment advisers.

One examination does not establish a trend. But several characteristics suggest this may represent part of a broader examination initiative. Most notably, the exam is being led by a member of the SEC’s Technology Controls Program, and the request list focuses almost exclusively on cybersecurity governance, privacy, vendor oversight, and implementation of the amended Reg S-P requirements.

One feature of the exam is the SEC’s request to interview the individual most familiar with the firm’s IT infrastructure. Depending on the firm’s operating model, that individual may be an internal technology employee or the firm’s managed service provider. Expect SEC staff to discuss technical controls directly with whoever maintains the firm’s technology environment.

What the Request List Tells Us

The request seeks substantially more than written policies and procedures. Staff requested documentation on governance, cybersecurity responsibilities, vendor oversight, incident response, compliance testing, privacy notices, cybersecurity risk assessments, annual compliance reviews, and records demonstrating that the firm’s cybersecurity program operates in practice.

Regulation S-P Readiness

Advisers should consider whether they could readily produce documentation on:

  • Cybersecurity governance
  • Technology oversight
  • Risk assessments
  • Incident response
  • Vendor due diligence
  • Privacy notices
  • Compliance testing
  • Operational implementation of Reg S-P

Takeaways

  • Regulation S-P examinations have begun.
  • One early examination was led by the SEC’s Technology Controls Program.
  • The SEC requested interviews with the individual most familiar with the firm’s technology environment.
  • Early requests focus on governance, vendor oversight, documentation, and implementation.
You May Also Like