The SEC’s Reg S-P Compliance Deadline is Looming… Is Your Financial Services Firm Ready?
If your firm has fewer than 25 employees, uses Schwab, Fidelity, or Pershing as a custodian, and relies on an outside IT contractor for technology support — this article is for you.
Recent research shows that 95% of RIA firms failed their internal penetration test on the first attempt. The reason? Outdated safeguards and generic IT providers who don’t understand SEC compliance.
The SEC’s Reg S-P compliance deadline for smaller entities (under $1.5 billion AUM) is June 3, 2026. Here’s what happens to firms that aren’t ready.
The 95% Problem: Why Most RIAs Fail Their First Cyber Test
79% of firms said they were confident in their cybersecurity readiness, according to the ACA Aponix/NSCP 2024 Cybersecurity Benchmarking Survey. But only 40% had externally tested their incident response plan. The gap between confidence and reality is where the 95% failure rate lives. Firms believe they are protected because they have antivirus software and a firewall.
When a penetration tester simulates an actual attack, the defenses don’t hold.
The firms that fail are not negligent. They are working with IT providers who don’t know what SEC examiners are looking for. Alliance Tech, a leading IT services company in St. Louis and Grand Rapids, specializes in providing IT support for financial services firms. Give us a call at (314) 649-8888 or fill out the form to the right to speak with one of our financial IT experts.
What a Breach Costs Your Firm
The numbers are specific to firms like yours:
- $3.31 million, which is the average breach cost for organizations with fewer than 500 employees, according to IBM Cost of a Data Breach Report, 2024.
- 88% of SMB breaches involved ransomware, compared to 39% at large enterprises (Verizon 2025 Data Breach Investigations Report).
- 38% of customers would switch financial institutions after a data breach (PKWARE).
According to Statista 2025, ~24 days is the average downtime from a ransomware attack.
Put that in context. A $150 million AUM firm generating roughly $1.2 million in annual revenue faces a breach cost that exceeds two full years of income. Apply the 38% client attrition rate to a $200 million AUM practice and you lose approximately $76 million in assets under management.
For a firm serving clients during a volatile market, three weeks offline is not an inconvenience. It is a business-ending event.
The SEC Already Fined a St. Louis RIA for This
Firm A (Midwest-based RIA, 2015): $75,000 penalty. The firm had zero written cybersecurity policies for nearly four years before a breach. The attack, traced to China, exposed personal information of approximately 100,000 individuals. No client lost money. The SEC enforced anyway — it was the agency’s first-ever cybersecurity action against a registered investment adviser.
Firm B (November 2025): $325,000 penalty. Seventeen email accounts at 13 branch offices were compromised. Approximately 8,500 individuals affected. The firm lacked MFA, annual security training, and written incident response procedures at branch offices.
The pattern across these cases:
Penalties for missing basic controls — not for failing to stop sophisticated attacks. Written policies, MFA, and documented training were absent. The SEC did not require proof of financial harm to clients.
Your Cyber Insurance Won’t Cover the Gap
Many RIA owners assume their cyber insurance policy is a safety net. The claim data tells a different story:
- 82% of denied claims involved organizations that lacked properly implemented MFA
- MFA blocks 99.9% of account compromise attacks
Schwab mandated in October 2021 that all approximately 13,000 RIAs carry cybersecurity insurance with a minimum $1 million aggregate. Fidelity followed in March 2022, requiring a $250,000 minimum for social engineering coverage.
Your custodian requires the policy. Your insurer requires the controls. If you carry the policy but lack MFA, you’re paying premiums for a claim that will be denied when you need it.
What the 5% Do Before the Examiner Arrives
The firms that pass their first penetration test share four operational habits:
- Written incident response program. Reg S-P now requires a written program to detect, respond to, and recover from unauthorized access to customer information. The SEC examines whether the plan is operational, not whether it exists in a binder. Your team needs to answer: who calls whom, what gets shut down, and how clients get notified.
- Annual penetration testing with documented remediation. This is the test 95% of firms fail. The purpose is not to pass on the first attempt. It is to find the gaps before the SEC does, fix them, and document the fix. Examiners will request evidence of both.
- 72-hour notification clauses in vendor contracts. Reg S-P requires service providers to notify your firm within 72 hours of a breach. Third-party involvement in breaches doubled to 30% in 2025, up from 15% the prior year (Verizon 2025 DBIR). Review contracts with your CRM, financial planning software, cloud storage, and email providers.
- Quarterly phishing training for all staff. 60% of all breaches involve the human element: phishing, social engineering, credential misuse, and errors (Verizon 2025 DBIR). For a small firm, this means quarterly 15-minute simulations and documented participation — not an annual compliance video.
The Deadline is Coming Fast… Are You Ready?
The Reg S-P compliance deadline for smaller entities is June 3, 2026.
The SEC’s FY2026 examination priorities, released November 17, 2025, list cybersecurity as a “perennial examination priority” and flag never-before-examined advisers as targets. Both St. Louis and Grand Rapids fall under the SEC’s Chicago Regional Office.
The cost comparison:
- Baseline cybersecurity program: $5,000 – $20,000
- Average breach cost for firms your size: $3.31 million (IBM 2024)
Alliance Tech is a leading cybersecurity firm in St. Louis and Grand Rapids. We offer a complimentary cybersecurity assessment for RIA firms in the area. There is no obligation, but there is a deadline. Schedule your complimentary cybersecurity assessment before June 3.