Reg S-P Sweep Exams | Bernadette Murphy Insights

Vigilant Insights
Introduction
In light of the recent Regulation S-P (Reg S-P) amendments, the SEC has begun examining certain Firms, underscoring a growing regulatory emphasis on cybersecurity preparedness. It is important for Firms to demonstrate that their cybersecurity programs are not only documented, but operationally effective.
The amended Reg S-P expands Firms’ responsibilities around safeguarding customer information, with an increased emphasis on vendor oversight, incident response, and data breach notification.
Vigilant Managing Director, Bernadette Murphy, MSL, shared her insights in Dow Jones Risk Journal (a Dow Jones publication alongside The Wall Street Journal); they can be found below.


Bernadette Murphy Insights
Bernadette emphasized that the SEC’s current approach should not be viewed as punitive, but rather as an effort to strengthen industry-wide practices.
She noted that the SEC’s examination initiative is intended to provide Firms with practical insight into common weaknesses and examples of strong practices, enabling Advisers to better align their policies and procedures with regulatory expectations.
Bernadette further explained that Reg S-P has evolved into a true cybersecurity rule, with the SEC now focused on whether Advisers can demonstrate real, day-to-day operational readiness, not just written policies. This shift highlights the regulator’s expectation that cybersecurity controls be embedded into Firms’ actual operations and governance structures.


Vigilant’s Conclusion
The SEC’s review of Reg S-P marks a key moment for Investment Advisers as cybersecurity expectations continue to rise. With examinations already underway, Firms can expect regulators to assess how effectively cybersecurity policies are implemented in practice, including oversight of Third-Party Service Providers and readiness to respond to data incidents within required timeframes.
For Advisers, this development reinforces the importance of conducting realistic assessments of cybersecurity programs, validating vendor management processes, and ensuring incident response frameworks are both timely and actionable.
As Reg S-P expands to smaller firms (under $1.5 billion in AUM) in the coming year, on June 3, 2026, proactive preparation will be essential to meeting regulatory expectations and mitigating enforcement risk.
Vigilant continues to monitor regulatory developments and examination trends to help Firms translate evolving cybersecurity requirements into practical, defensible Compliance Programs.
