Published on Dec 16th, 2025 |

Reg S-P Sweep Exams in Effect | Vigilant Insights

Vigilant Insights

Introduction

On December 3rd, 2025, the Regulation S-P (“Reg S-P”) Rule Amendments went into effect for Large Advisers with over $1.5 Billion in AUM.

Within 24 hours, some Firms were notified of a targeted Reg S-P Sweep Exam. This swift action sends a clear message to the industry and underscores the Commission’s intent to prioritize enforcement and oversight of the Rule without delay.

While the sweep is currently focused on Large Advisers already subject to the amended requirements, its implications extend well beyond that population.

For Advisers with less than $1.5 Billion in AUM, the Compliance Date of June 3, 2026 may appear distant, but the SEC’s swift examination posture highlights the importance of early preparation.

The timing of this Sweep Exam reflects a regulatory interest in how Firms operationalize and document their Reg S-P Compliance Programs.

Vigilant’s Directors, Will Clark, CIPM, MBA, and CJ Schaible, MBA, provided their thoughts and insights on Financial Advisor IQ and they can be found below.

Vigilant's Thoughts

Vigilant’s Thoughts

Most Advisory Firms maintain strong oversight of their core networks and have a clear understanding of employee access rights within primary systems. However, a recurring challenge arises when Firms attempt to fully map and assess all systems and platforms used in the course of Advisory Business, particularly web-based applications.

These systems may include document-sharing tools, portfolio analytics platforms, CRM systems, data aggregation services, or third-party applications that are critical to day-to-day operations but may fall outside traditional IT inventories.

Key questions Firms should be asking include:

  • What systems and platforms do employees access as part of their role?
  • What level of access do employees have within each system, and is that access aligned with their job responsibilities?
  • Are access rights granted, modified, and revoked in accordance with firm policies?
  • What authentication controls are in place (e.g., multi-factor authentication), and are they consistently enforced?
  • Are employees following established procedures, or do gaps exist between written policies and actual practices?

Importantly, the SEC’s focus under Reg S-P is not limited to systems that directly store client personally identifiable information (PII).

Examiners are increasingly concerned with any system that could serve as an entry point into a Firm’s broader environment. A compromise of a seemingly low-risk platform may provide a pathway to higher-risk systems if controls are not properly designed and implemented.

Password management remains another critical area of scrutiny. Firms should carefully evaluate their password policies and practices, including whether credentials are reused across multiple systems. If one system is compromised, the use of shared or weak credentials may increase the risk of unauthorized access to other platforms, including those that house sensitive client data.

Will Clark and CJ Schaible Insights

Will Clark and CJ Schaible Insights

The SEC’s early Reg S-P examination activity is less about perfection and more about preparedness, reasonableness, and governance.

Will Clark emphasizes that, at this stage, the SEC is not necessarily expecting Firms to have a flawless or “bulletproof” Reg S-P framework in place. Rather, examiners appear focused on whether Firms have taken meaningful steps to address the amended requirements, such as establishing policies to monitor compliance, identifying critical vendors, and beginning enhanced vendor due diligence processes. Particular attention is being paid to custodians, CRM platforms, and online file storage and sharing systems, which Will notes are common areas of vulnerability, especially when smaller vendors are involved.

CJ Schaible highlights that the SEC’s actions serve as an important signal for smaller advisers that preparation should begin to get everything in place soon, and not closer to the June 2026 compliance deadline. Early examination activity among larger Firms provides a roadmap for what regulators are likely to expect across the industry over time. Firms that use this period to inventory systems, evaluate vendor relationships, and align operational practices with written policies will be better positioned as Reg S-P expands to a broader population of Advisers.

Vigilant's Conclusion

Vigilant’s Conclusion

The SEC’s Reg S-P Sweep Exam for Large Advisers is a strong indicator of the regulatory expectations that will ultimately apply across the advisory industry.

For Smaller Advisers, the June 3, 2026, Compliance Date should be viewed not as a grace period, but as an opportunity to proactively strengthen governance, controls, and documentation well in advance of examination activity.

Preparing for Reg S-P compliance requires more than updating policies. Firms should conduct comprehensive system inventories, assess access rights and authentication controls, test incident response procedures, and ensure that operational practices align with written supervisory frameworks.

At Vigilant, we help Advisers navigate these requirements by providing tailored Reg S-P readiness assessments, policy and procedure development, access and system reviews, and on-going Compliance Services.

By taking a structured and proactive approach now, Firms can position themselves to meet regulatory expectations with confidence, well before the SEC comes knocking.

Contact Us