Playbook: How a $400M+ AUM RIA Should Prepare for an SEC Exam Under the 2024 Reg S-P Amendments
When a small RIA managing $400M+ AUM faces an SEC exam under the 2024 Reg S-P amendments, what does the right engagement look like? Here is the playbook — what we would assess, what we would change, and what the firm should see when this is handled properly.
What This Scenario Looks Like
This is a playbook for a scenario we structure engagements around regularly across the Inland Empire. The firm described is a composite — no specific client. The mechanics, controls, and remediation steps are the real engagement structure we use.
Picture a $400M+ AUM registered investment adviser in the Inland Empire: four advisers, one operations manager, one client-service associate, and one part-time compliance consultant who is not employed by the firm. The client base is high-net-worth individuals and small family trusts.
The firm clears through a major custodian, uses a cloud portfolio-management platform, a CRM, and a client portal for statements and document exchange. M365 for email. Modern laptops issued through the operations manager. No central IT vendor — the platform vendors handle their own platforms and the firm calls a contractor when something breaks.
The triggering scenario: a Reg S-P readiness review by the firm's compliance consultant in preparation for a routine SEC exam scheduled six weeks out. The review identifies three large gaps tied to the 2024 Reg S-P amendments: (1) the firm's incident response plan is a half-page document with no procedures, (2) the firm's written information security program does not document how customer information is actually protected end-to-end, and (3) the customer-notification procedures required by the amendments are not in place at all.
The compliance consultant refers the firm to us to close the technical and documentation gaps in parallel.
Where Most Firms Like This Start
Before any remediation, a week of discovery with the operations manager and the compliance consultant is non-negotiable. At a firm this size the picture is almost always the same.
M365 is typically on Business Standard — no Defender, no Conditional Access, no Intune. MFA is on for the advisers and the operations manager, off for the client-service associate. Anti-phishing at default. Advisers all use personal phones for M365 email with no mobile device management.
The portfolio-management platform usually has individual user accounts for the advisers with MFA on, but the operations manager and the client-service associate share an account because the firm wanted to avoid an extra license. The CRM has MFA off across the board because the platform's MFA is a paid add-on the firm has not purchased.
The client portal is provided by the portfolio-management platform. Clients have individual logins with MFA optional; the firm's policy is undocumented and no one knows what percent of clients have it on. The portal hosts statements, performance reports, and ad-hoc documents shared by the advisers.
The custodian relationship has its own login portal with MFA on for the partner-level adviser, off for the rest. The firm has a vendor list on a spreadsheet that is years out of date.
The written information security program is a five-page document an outside consultant drafted when the firm registered with the SEC. It describes "appropriate technical and administrative safeguards" without naming any specific control. The incident response plan is three paragraphs and does not reference a vendor list, a notification path, or a designated incident-response lead.
The firm has never been through a security incident. They have also never tested whether they would actually be ready for one.
What an Audit Would Typically Uncover
Mapping a firm like this against the 2024 Reg S-P amendments and against NIST CSF as a reference framework, an audit will typically surface seven gaps that matter:
- Customer-notification procedures for an incident affecting customer information do not exist. The 2024 amendments require covered institutions to notify affected individuals as soon as practicable, and no later than 30 days after becoming aware that customer information has been, or is reasonably likely to have been, accessed or used without authorization. At firms this size: no procedure, no notification template, no list of who would draft and approve the notification, no path to coordinate with the firm's E&O carrier and the custodian.
- The written information security program does not document specific controls. A generic "appropriate safeguards" document does not satisfy the amendments' requirement that the program be appropriately designed for the size and complexity of the adviser, the nature and scope of its activities, and the sensitivity of any customer information at issue.
- The incident response plan is not actionable. Three paragraphs with no who/what/when does not survive contact with an actual incident. SEC exam staff have been increasingly explicit that they will test the plan against a hypothetical scenario.
- Shared accounts on the portfolio-management platform violate basic access-control hygiene. Two people sharing a credential cannot be tied to specific actions in the platform's audit log — which means the audit log cannot answer the SEC examiner's question "who accessed this client's account on this date."
- MFA is inconsistent across the vendor stack. Custodian portal, CRM, portfolio-management platform, M365 — different MFA postures on each, with the weakest link being the CRM where MFA is off entirely.
- The vendor list is years stale and does not document each vendor's role with respect to customer information. Reg S-P treats vendor oversight as a first-class compliance obligation. The firm cannot produce a current list, let alone an oversight cadence.
- No documented offboarding playbook for departing employees. When the firm last lost a staff member, access was revoked on a best-effort basis the day of departure, and some accounts were found still active months later.
The Remediation Playbook
The engagement runs as a six-week sprint, with the firm's outside compliance counsel kept in the loop on framework-mapping decisions. Technical work and documentation work happen in parallel — the SEC exam is a hard deadline.
1. Write the customer-notification procedure and the incident response plan to satisfy the 2024 Reg S-P amendments. The notification procedure names the firm's incident-response lead, the path to legal review, the E&O carrier contact, the custodian's incident contact, the template for the customer letter, and the 30-day clock language. The incident response plan is rewritten as a multi-page runbook with three scenarios (ransomware, account compromise, vendor breach), each with a tabletop-tested decision tree.
2. Rewrite the written information security program against NIST CSF. Every control category in the program maps to a specific NIST CSF subcategory. The document names the specific technology controls in place (Defender, Conditional Access, MFA, EDR), the specific administrative controls (access reviews, vendor oversight, training cadence), and the specific physical controls (office access, device storage). The compliance counsel reviews the document for fit to a firm this size.
3. Upgrade M365 to Business Premium and configure Conditional Access, Defender, and Intune. Every staff laptop is enrolled in Intune with BitLocker enforced, EDR running, and a baseline policy that blocks USB mass storage on financial-data devices. Conditional Access blocks sign-ins from countries the firm does not work in, requires a compliant device for access to OneDrive and SharePoint, and enforces MFA on every sign-in for every user. The one exception is a single break-glass account, excluded from every policy, stored offline, and alerted on whenever it signs in; without it a misconfigured policy can lock the firm out of its own tenant. Each policy goes in report-only first, and the sign-in log is reviewed for what would have been blocked before it is enforced.
Advisers' personal phones are either enrolled in Intune (with their consent) or moved off M365 mobile access — a choice each adviser makes individually.
4. Close the shared account on the portfolio-management platform. Add the second license, give the operations manager and the client-service associate individual accounts, enable MFA on both. Pull the audit log retroactively to confirm what the shared account had been used for and document the access pattern.
5. Build the vendor oversight register. Document every vendor that touches customer information (custodian, portfolio-management platform, CRM, client portal, M365, e-signature provider, document-management platform). For each vendor: scope of access, MFA posture, SOC 2 / SSAE 18 report on file, contract expiration, security-questionnaire cadence (annual), incident-notification clause status. On that last item, the amendments require service providers to notify the firm as soon as possible and no later than 72 hours after becoming aware of a breach affecting customer information they hold; a contract that promises "reasonable notice" or nothing at all gets flagged for amendment. The register becomes a maintained document with a quarterly review owner.
6. Write the employee offboarding playbook. A one-page checklist: M365 account suspension (disable sign-in, revoke active sessions and refresh tokens, and rotate the password, because disabling alone leaves already-issued tokens valid until they expire), portfolio-management platform access revocation, custodian portal access revocation, CRM access revocation, laptop wipe, key-fob deactivation, password manager group removal, email forwarding to the operations manager for 30 days. Signed off by the operations manager on every departure, day-of.
7. Train every staff member on phishing identification and incident reporting. A one-hour live session plus a written one-page reference. Document attendance for the exam record.
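As an added example, not the playbook's own tooling and not vendor-supplied code, here are the three Conditional Access policies step 3 describes, created with Microsoft Graph PowerShell. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the scopes listed, the firm works only from the United States, and a break-glass account whose object ID below is a placeholder. Every policy is created in report-only mode so the operations manager can read the sign-in log for a week before switching the state to "enabled".

```powershell
# Added example, not code from the original playbook. Creates the Conditional
# Access policies from step 3 with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the signed-in admin has the
# scopes below; the firm works only from the US; $BreakGlassId is a placeholder
# for the firm's emergency-access account, which every policy must exclude.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# Start every policy in report-only mode; flip to "enabled" after reviewing
# the sign-in log for what would have been blocked.
$State = "enabledForReportingButNotEnforced"

# Named location for the countries the firm works from (assumption: US only).
$Allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "RIA allowed countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false   # unknown geo counts as outside
}

# CA01: block every sign-in that does not originate from an allowed country.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Block sign-in outside allowed countries"
    state         = $State
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($Allowed.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
} | Out-Null

# CA02: MFA on every sign-in, every user, every app.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA02 - Require MFA for all users"
    state         = $State
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
} | Out-Null

# CA03: Intune-compliant device required for SharePoint Online and OneDrive.
# OneDrive for Business is served by the SharePoint Online service principal,
# whose well-known application ID is used here.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA03 - Compliant device for SharePoint and OneDrive"
    state         = $State
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @("00000003-0000-0ff1-ce00-000000000000") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
} | Out-Null

# Evidence for the exam file: the policies and their current state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA0*" } |
    Select-Object DisplayName, State
```

The break-glass exclusion is deliberate: CA02 with no exclusion and a broken MFA registration locks every admin out of the tenant at once. The final listing is the artifact to save with the written program, since an examiner who asks "show me the control" is better answered with the policy export than with a sentence that says MFA is enforced.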
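As a second added example, again not the playbook's own code, the M365 portion of the step 6 offboarding checklist as a script the operations manager runs on the day of departure. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator holding the scopes listed, and two user principal names passed in (the values shown are placeholders). The portfolio platform, custodian portal, CRM, key fob and password manager steps stay on the paper checklist; they have no M365 API.

```powershell
# Added example, not code from the original playbook. Runs the M365 items from
# the day-of offboarding checklist. Assumptions: Microsoft.Graph and
# ExchangeOnlineManagement modules installed; the operator holds the scopes
# below; both UPNs are passed in (placeholders in the comments).
param(
    [Parameter(Mandatory)] [string] $DepartingUpn,   # e.g. departing@ria.example
    [Parameter(Mandatory)] [string] $OpsManagerUpn   # 30-day forwarding target
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", `
    "DeviceManagementManagedDevices.ReadWrite.All", `
    "DeviceManagementManagedDevices.PrivilegedOperations.All"
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $DepartingUpn -Property Id, DisplayName, UserPrincipalName

# 1. Block sign-in AND kill existing sessions. Disabling alone leaves already
#    issued refresh tokens valid until they expire, so revoke them explicitly.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Rotate the password so a cached or shared credential is dead even if the
#    account is ever re-enabled for mailbox access.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $false
}

# 3. Drop group memberships so group-assigned access (SharePoint sites, shared
#    mailboxes, any SSO-federated vendor app) falls away with them. Dynamic
#    groups cannot be edited directly; those errors are ignored.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' } |
    ForEach-Object {
        Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id `
            -ErrorAction SilentlyContinue
    }

# 4. Laptop wipe through Intune for every device enrolled to this user.
Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$DepartingUpn'" |
    ForEach-Object { Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $_.Id }

# 5. Mailbox: forward to the operations manager and keep a copy, then convert
#    to a shared mailbox (reclaims the license) hidden from the address list.
Set-Mailbox -Identity $DepartingUpn -ForwardingAddress $OpsManagerUpn `
    -DeliverToMailboxAndForward $true
Set-Mailbox -Identity $DepartingUpn -Type Shared -HiddenFromAddressListsEnabled $true

# 6. Sign-off record for the offboarding file. Removing the forwarding at day
#    30 is a calendar entry for the operations manager, not automated here.
[pscustomobject]@{
    User               = $user.UserPrincipalName
    DisabledAtUtc      = (Get-Date).ToUniversalTime().ToString("o")
    ForwardingTo       = $OpsManagerUpn
    RemoveForwardingBy = (Get-Date).AddDays(30).ToString("yyyy-MM-dd")
    SignedOffBy        = (Get-MgContext).Account
}
```

Run it as `.\Offboard-M365User.ps1 -DepartingUpn departing@ria.example -OpsManagerUpn ops@ria.example` and file the emitted record alongside the signed paper checklist. Step 1 is the one most checklists get wrong: an account that is "disabled" but whose mobile mail client still holds a valid token keeps syncing until that token expires.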
What 'Done Right' Looks Like
When this playbook runs cleanly, here is what the firm exits with going into the SEC exam.
A written information security program that maps to NIST CSF. An incident response plan with three tabletop-tested scenarios. A customer-notification procedure that satisfies the 2024 Reg S-P amendments. A vendor oversight register. A documented offboarding playbook. Training records for every staff member. The exam team's questions on cybersecurity get answered with documents that existed before the question was asked.
M365 sign-in attempts from outside the U.S. are blocked automatically. Shared portfolio-management platform accounts no longer exist, which means the platform's audit log can answer the "who did what" question for every transaction. Every laptop is encrypted, patched, and running EDR. Every staff account on every platform that touches customer information has MFA on.
The firm may not have had a security incident yet. If they have one, the next 30 days will involve a runbook, a notification template, and a phone call to E&O — not a panic.
The Lesson For Other RIAs
Three things worth taking from this.
First — the 2024 Reg S-P amendments are not a paperwork exercise. The compliance dates are real: December 3, 2025 for larger entities (for investment advisers, $1.5 billion or more in AUM) and June 3, 2026 for smaller entities, which is where a $400M firm falls. The customer-notification requirement, the documented written information security program, and the vendor-oversight obligations all become exam fodder once they are in effect for your firm. Treating any of them as a generic "we have appropriate safeguards" document is a failed exam waiting to happen.
Second — your written information security program should map to a real framework. NIST CSF is the most accessible for a small RIA; the SEC examination staff are familiar with it and the mapping makes the program defensible. A generic document drafted years ago and never revisited will not survive an examiner's first question.
Third — vendor oversight is now a first-class obligation. A vendor list on a spreadsheet that is three years stale is not vendor oversight. The register has to be current, name what each vendor does with customer information, and document the annual review.
If you are an RIA in the Inland Empire or broader SoCal heading into an exam or just trying to get ahead of the Reg S-P deadlines, our security baseline assessment covers the technical side and our financial services overview covers the framework mapping. The free 12-question self-check gives a rough grade in three minutes.
