With the June 3, 2026 compliance deadline now in effect for smaller firms, Regulation S-P has become one of the most discussed compliance topics across the financial services industry. To help firms better understand the amended requirements and what regulators may expect moving forward, Quest CE partnered with Salus GRC for a webinar, “Reg S-P Is Here: What Firms Need to Know”, featuring Allison Byrne, Director of Sales and Marketing at Quest CE, and Jacob Cane, Chief Information Security Officer & Head of Cyber Services at Salus GRC.
The conversation covered everything from incident response planning and vendor oversight to examination readiness and the growing role of employee awareness in cybersecurity. Below is a recap of key questions and takeaways from the discussion.
Q: What actually changed under the amended Reg S-P rule?
Key Takeaway: The amendments move several cybersecurity expectations from guidance to explicit requirements.
One of the biggest themes discussed during the webinar was the shift from broad cybersecurity guidance to more prescriptive obligations. The amended rule introduces specific requirements around incident response planning, breach notification, and third-party service provider oversight.
Some of the most significant changes include:
- Formal incident response planning requirements
- Defined breach notification expectations
- Increased oversight of third-party service providers
- Clearer documentation and governance obligations
Q: Who should own Reg S-P compliance within a firm?
One recurring theme throughout the discussion was that effective compliance depends on collaboration. While compliance often serves as the primary coordinator, successful implementation requires involvement from IT, operations, leadership, legal counsel, and risk management teams.
The panel emphasized the importance of clearly documenting roles and responsibilities before an incident occurs. When a cybersecurity event happens, firms should already know who is responsible for managing communications, engaging legal counsel, contacting insurers, and coordinating internal response efforts.
Rather than treating cybersecurity as a standalone function, firms should view Reg S-P as a cross-functional compliance initiative that requires alignment across multiple departments.
Q: Why is vendor oversight creating so many challenges for firms?
Key Takeaway: Vendor oversight is no longer a one-time exercise—it requires ongoing monitoring and documented due diligence.
Third-party vendor oversight emerged as one of the most common pain points discussed during the webinar. The challenge is not only identifying which vendors fall within scope, but also determining how much diligence is appropriate and who within the organization is responsible for conducting it.
Many firms find themselves at opposite ends of the spectrum. Some are reviewing too few vendors, while others attempt to evaluate every vendor relationship with the same level of scrutiny. Neither approach is ideal.
Areas firms should evaluate include:
- Which vendors have access to customer information
- Breach notification expectations
- Ongoing due diligence procedures
- Documentation supporting oversight decisions
The discussion also highlighted the importance of obtaining reasonable assurances around breach notification expectations and maintaining ongoing oversight rather than treating due diligence as a one-time exercise.
Q: Are SOC 2 reports enough?
Key Takeaway: SOC 2 reports can be helpful, but they should not be viewed as a complete vendor oversight strategy.
SOC 2 reports remain a common component of vendor due diligence programs, but attendees were cautioned against viewing them as a silver bullet.
While collecting SOC 2 reports can help demonstrate oversight efforts, firms should be prepared to show that they reviewed and evaluated the reports rather than simply storing them in a file. The quality, scope, and depth of SOC 2 reports can vary significantly depending on the provider and the audit performed.
The conversation also highlighted that many cybersecurity risks extend beyond what may be covered in a SOC 2 report. Firms should consider broader operational and security practices when evaluating service providers rather than relying solely on one document.
A more effective approach combines SOC 2 reports with ongoing diligence, risk assessments, and periodic reviews of vendor practices.
Q: What will regulators likely focus on during examinations?
Key Takeaway: Regulators will look for evidence that policies are being followed, not just that they exist.
Documentation was a recurring theme throughout the webinar. Examiners are expected to look beyond whether a policy exists and focus on whether firms can demonstrate that their procedures are actively implemented and maintained.
The panel discussed how regulators will likely evaluate not only written policies but also the evidence supporting them. Firms that can demonstrate preparation, oversight, and ongoing review efforts will be in a stronger position during examinations.
Firms should be prepared to provide:
- Updated policies and procedures
- Evidence of vendor oversight activities
- Incident response documentation
- Records of testing and tabletop exercises
One practical recommendation shared during the discussion was to ensure policies accurately reflect actual practices. Firms can create unnecessary risk when written procedures promise actions that are not consistently performed in practice.
Q: Why does employee behavior continue to be such a significant cybersecurity risk?
Key Takeaway: Technology is important, but employee awareness remains one of the strongest defenses against cyber threats.
While much of the conversation focused on policies and procedures, the discussion also highlighted the human side of cybersecurity.
Many cybersecurity incidents still stem from employee actions, whether through phishing attempts, weak password practices, social engineering attacks, or breakdowns in internal processes. As a result, employee training and awareness programs continue to play a critical role in reducing organizational risk.
The panel emphasized that cybersecurity awareness should not be treated as an annual compliance exercise. Ongoing education, reinforcement, and practical training can help employees recognize risks before they become incidents.
Q: How is AI changing cybersecurity and compliance?
Key Takeaway: AI is making cyber threats more sophisticated, requiring firms to strengthen awareness and controls.
Artificial intelligence continues to create both opportunities and challenges for financial firms. During the webinar, the discussion focused on how AI is making phishing attempts, impersonation schemes, and social engineering attacks increasingly difficult to identify.
Traditional warning signs such as poor grammar, unusual phrasing, or obvious inconsistencies are becoming less reliable as AI-generated communications improve in quality.
As AI capabilities continue to evolve, firms should ensure employees understand both the benefits and risks associated with these technologies.
Compliance Takeaway: Focus on Preparedness, Not Perfection
If there was one overarching message from the webinar, it was that firms should focus on preparedness rather than perfection.
The amended Reg S-P rule raises expectations around incident response, vendor oversight, documentation, and cybersecurity awareness. However, compliance does not require firms to eliminate every possible risk. Instead, regulators are looking for reasonable, well-documented processes that align with a firm’s size, business model, and risk profile.
Firms should use this time to:
- Review incident response plans and notification procedures
- Evaluate vendor oversight and due diligence practices
- Ensure policies accurately reflect actual operations
- Conduct risk assessments and tabletop exercises
- Strengthen employee cybersecurity awareness programs
Organizations that take a proactive, documented approach will be in a stronger position to demonstrate compliance as regulatory expectations continue to evolve.