Regulation S-P Readiness Checklist

What's inside

The SEC's 2024 amendments to Regulation S-P impose new written program requirements, a 30-day customer notification obligation, and a 72-hour vendor breach notification expectation. This checklist covers seven compliance areas so you can identify gaps before they surface in an examination.

Data Awareness and Mapping

Confirm you know where all customer information lives, including data held by third-party providers.

Written Incident Response Program

Verify you have a documented plan to detect, contain, and recover from unauthorized access to customer data.

Breach Notification Preparedness

Assess whether you can meet the 30-day customer notification requirement when it counts.

Service Provider Oversight

Review vendor contracts for enforceable 72-hour breach notification language.

Policy and Procedure Updates

Confirm your written policies reflect the expanded scope of the amended rule.

Documentation and Recordkeeping

Ensure you can demonstrate compliance, not just claim it.

Testing and Employee Training

Verify controls are tested in practice and staff know how to recognize and report incidents.

Who Should Use This Checklist

This checklist is designed for registered investment advisers with less than $1.5 billion in assets under management, smaller broker-dealers, investment companies, funding portals, and transfer agents with a June 3, 2026 compliance deadline. If your firm is already under examination pressure, this is a useful starting point for a more formal gap assessment.

Download the Checklist

Free. The PDF downloads immediately after you submit.

Something went wrong. Please try again.

Name

Work Email

Firm Name

STACK won't sell or share your information. We may follow up to see if we can help.

Your download is starting

If it doesn't start automatically, use the button below.

Download Again

Find gaps in the checklist? We can help.

Schedule a Gap Assessment

Find a gap you can't close on your own?

STACK can walk through the checklist with you and help build the documentation, incident response plan, and vendor oversight process the SEC expects to see.