Home Features Archiving Trade Monitoring Vendor Due Diligence Marketing Reviews Content Library Form ADV Forms & Tasks AI Consultant Reporting Documents Pricing Blog About Sign in Request demo
Interactive checklist · saved in your browser

Regulation S-P Compliance Checklist

A Regulation S-P compliance checklist is a rule-by-rule list of what the SEC's privacy and safeguards rule requires of an SEC-registered adviser: written safeguards (your WISP), an incident response program, 30-day customer breach notification, service-provider oversight, recordkeeping, and privacy notices. Use this interactive version to pressure-test your program against the amended rule (17 CFR Part 248): every item traces to the rule text and SEC Release 34-100155. Tick items off as you confirm them. Your progress is saved in this browser, not on our servers.

Last reviewed July 15, 2026 · every item cited to primary sources

Overall progress 0 / 26 complete

Safeguards Rule and your Written Information Security Program (WISP)

0 / 4

Regulation S-P's Safeguards Rule requires written administrative, technical, and physical safeguards for customer information. In practice, that written program is your Written Information Security Program (WISP). Use this section as the backbone of a WISP template and confirm each control is documented and current.

Written incident response program

0 / 5

The 2024 amendments require a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information (§ 248.30(a)(3)).

30-day customer breach notification

0 / 5

Section 248.30(a)(4) requires notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice goes out as soon as practicable, and no later than 30 days after the firm becomes aware.

Service-provider oversight

0 / 5

Section 248.30(a)(5) makes vendor oversight a rule requirement. Written policies must require due diligence and monitoring reasonably designed to ensure providers protect customer information and notify the firm within 72 hours of a qualifying breach.

Recordkeeping

0 / 5

The amendments added recordkeeping requirements that, for advisers, fold into the Rule 204-2 books-and-records requirements. During an exam, a decision that notice was not required only counts if the investigation and determination were written down at the time.

Privacy notices

0 / 2

Regulation S-P's original privacy-notice obligations still apply. The amendments also conformed the annual privacy notice to the FAST Act exception.

This checklist is general information for compliance professionals, not legal advice. Verify each item against the linked primary sources and your firm's specific facts.

Turn this checklist into a running program

RegFin keeps the vendor file, incident records, policy versions, and exam-ready evidence trail Regulation S-P assumes, all in one place, building as you work.

Book a demo