As firms continue to adapt to the amended Regulation S-P requirements, many compliance professionals are looking for practical guidance on topics such as vendor due diligence, incident response planning, documentation expectations, and cybersecurity oversight.
To help address some of the most common questions, we’ve compiled answers to frequently asked questions related to Regulation S-P compliance and implementation.
Keep your firm up to date on Reg S-P with our latest compliance courses.
Q: Which firms are subject to the amended Regulation S-P requirements?
The amended Regulation S-P requirements apply to:
- Broker-dealers
- Registered investment advisers
- Investment companies registered under the Investment Company Act of 1940
- Transfer agents
The compliance date was December 3, 2025, for larger entities and is June 3, 2026, for smaller entities. For registered investment advisers, the dividing line is $1.5 billion or more in assets under management (larger) versus less than $1.5 billion (smaller); investment companies are sized by net assets, and broker-dealers and transfer agents by whether they are small entities under the Exchange Act, so a firm should confirm which date applies under the test for its own entity type rather than assuming the $1.5 billion AUM figure.
Q: Should firms notify law enforcement after a cybersecurity incident?
Regulation S-P does not require firms to notify law enforcement following a cybersecurity incident. Note that this is separate from the rule's customer notification requirement, which has its own clock: affected individuals must be notified as soon as practicable and no later than 30 days after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Involving law enforcement does not pause that clock; the rule allows delaying customer notice only when the U.S. Attorney General determines in writing that notice would pose a substantial risk to national security or public safety. Outside that narrow exception, whether to contact law enforcement is a judgment call that depends on the nature of the event.
Firms should consider contacting law enforcement when an incident involves:
- Fraudulent activity
- Unauthorized fund transfers
- Ransomware attacks
- Other criminal activity resulting in financial loss
While not mandatory under Regulation S-P, early engagement with law enforcement may assist with investigation and recovery efforts.
Q: Can AI be used to review SOC 2 reports and vendor due diligence materials?
Potentially, yes—but firms should not rely solely on AI-generated conclusions.
As regulators continue to evaluate AI usage across the financial services industry, the focus will likely be less on whether AI was used and more on how it was used. Firms should be prepared to demonstrate a documented review methodology, validation of outputs, and appropriate human oversight.
For example, regulators may view these approaches differently:
- Uploading documents to an AI tool and simply asking whether they are acceptable
- Using a defined review framework, validated prompts, documented procedures, and human review of AI-generated findings
As with traditional due diligence reviews, firms should be able to explain their methodology and document how conclusions were reached.
Q: Which vendors should be included in a Regulation S-P due diligence program?
At a minimum, firms should identify every service provider that receives, maintains, processes, or is otherwise permitted access to customer information through the services it provides to the firm. In practice, that means vendors with access to:
- Sensitive customer information
- Internal IT systems that store, transmit, or can reach that information
These vendors fall within the scope of Regulation S-P's service provider oversight requirements.
Many firms choose to expand their review process beyond this minimum threshold and evaluate all service providers with access to sensitive information or critical business functions as part of their broader risk management program.
Q: How often should firms conduct vendor due diligence reviews?
Regulation S-P requires ongoing oversight but does not prescribe a specific review frequency.
In practice, many firms conduct vendor due diligence reviews annually. Others implement a risk-based approach where higher-risk vendors are reviewed more frequently than lower-risk providers.
For firms with a relatively small number of service providers, annual reviews are often the most efficient approach because they simplify administration and provide a clear, defensible review schedule.
Regardless of the frequency selected, firms should document their rationale and apply the process consistently.
Q: What documentation should firms collect from service providers?
The exact documentation may vary by vendor, but firms commonly collect:
- SOC 2 reports
- Information security policies
- Privacy policies
- Incident response plans
- Business continuity and disaster recovery plans
- Cybersecurity certifications or attestations
Collecting documentation is only one part of the process. Firms should also review the materials and identify any risks, gaps, or concerns that require follow-up. One item to check specifically, in the contract or the vendor's incident response plan, is breach notification timing: the amended rule requires a firm's policies to be reasonably designed to ensure that service providers notify the firm as soon as possible, and no later than 72 hours, after becoming aware of a breach in security resulting in unauthorized access to a customer information system they maintain, because the firm's own 30-day customer notification clock depends on learning of the event promptly.
Q: What evidence should firms maintain to demonstrate vendor oversight?
One of the most common gaps in vendor due diligence programs is documentation of the review process itself.
Firms should maintain records showing:
- What documents were reviewed
- How the review was performed
- Any risks or concerns that were identified
- Follow-up actions taken with the vendor
- Final conclusions and approvals
While some examiners may accept a repository of vendor documentation, firms should be prepared to demonstrate how that information was analyzed and incorporated into their oversight process.
Compliance Takeaway
The amended Regulation S-P requirements place increased emphasis on incident response preparedness, vendor oversight, and documentation. While firms have flexibility in how they design their compliance programs, regulators will likely expect a thoughtful, risk-based approach that can be clearly documented and supported during an examination.
By establishing repeatable processes, maintaining appropriate records, and conducting ongoing oversight, firms can strengthen their ability to demonstrate compliance with the amended rule.
Want to Learn More About Regulation S-P?
These questions represent only a portion of the topics discussed during our recent webinar, “Reg S-P Is Here: What Firms Need to Know.” During the session, we explored incident response planning, vendor oversight, examination readiness, cybersecurity awareness, and practical steps firms can take to prepare for the amended requirements.
Watch the on-demand recording to hear the full discussion and additional insights from Quest CE and Salus GRC.