Nancy is a founding Member at True West. She brings over 20 years of experience in the financial industry with a concentrated focus in regulatory compliance consulting for registered investment advisory firms. She has a passion for working with clients in developing their compliance programs and assists firms with building a true culture of compliance. Nancy strives to keep a simple and straightforward approach to running an efficient compliance program.
July Compliance Priorities for RIAs: Regulation S-P Implementation and Disaster Recovery Planning
As we return from the Fourth of July holiday and continue through America’s 250th year of independence, we are reminded that strong systems are built through preparation, accountability, resilience, and a commitment to protecting what matters most. In that same spirit, as we continue down the 2026 compliance trail, we’ll keep riding alongside you with reminders and practical guidance on the key compliance topics that deserve your attention.
This month’s compliance topic is Regulation S-P Implementation and Audit Readiness.
June 3, 2026 marked the compliance date for smaller covered institutions, including many SEC-registered investment advisers, under the SEC’s amendments to Regulation S-P. The amendments enhance requirements related to safeguarding client information, incident response programs, customer notification procedures following certain data incidents, service provider oversight, and related record keeping. Larger covered institutions were required to comply beginning December 3, 2025.
As firms move from implementation to audit readiness, now is the time to confirm that policies, procedures, vendor oversight practices, employee training, and incident response documentation are not only updated, but also operational and testable.
Key areas for review include:
- Confirm the Firm has a written incident response program designed to detect, respond to, and recover from unauthorized access to customer information.
- Review customer notification procedures, including the ability to provide required notice within applicable timeframes.
- Review service provider oversight, including incident notification expectations and safeguards for client information.
- Confirm vendors are not using sensitive firm or client information to train public or open-source AI models or otherwise misuse client data.
- Update vendor due diligence files to address cybersecurity practices, data controls, subcontractors, incident response, and AI-related data usage.
- Confirm employees know how to identify and escalate cybersecurity, privacy, vendor, or data incident concerns.
- Maintain documentation of policy updates, vendor reviews, training, testing, tabletop exercises, and remediation items.
- Review record retention practices to ensure the Firm can evidence its Regulation S-P compliance efforts during an audit or examination.
Audit readiness is more than having updated policies on file. Firms should be prepared to demonstrate how the program works in practice, who is responsible for each step, how issues are escalated, how vendors are reviewed, and how client notification decisions would be documented.
Disaster Recovery Planning: Where Compliance and Technology Meet
A disaster recovery plan is only valuable if it works when the firm needs it most.
For registered investment advisers, business continuity and disaster recovery planning should be more than a written policy. A strong plan should reflect how the business actually operates, how critical systems are protected, how employees communicate during disruption, and how client service continues when something goes wrong.
Technology outages, cyber incidents, vendor disruptions, natural disasters, and communication failures can all test a firm’s ability to respond. The key question is not simply whether the firm has a plan, but whether that plan has been reviewed, tested, and made accessible to the people responsible for carrying it out.
As part of a meaningful review, firms should consider:
- Does the firm have a current disaster recovery plan?
- Has it been reviewed to reflect current procedures, systems, vendors, personnel, and communication channels?
- Are backup systems in place and functioning as intended?
- Has the firm tested those systems through a realistic scenario?
- Are employees aware of the plan and able to access it during an outage?
- Are roles, escalation steps, and alternate communication methods clearly documented?
A tabletop exercise or real-life scenario test can be especially helpful. Walking through what would happen if email access was unavailable, a core vendor platform went down, or a cybersecurity incident occurred can reveal practical gaps that may not be obvious from reviewing the written plan alone.
Through our partnership with GoWest IT, firms also have access to technology and cybersecurity expertise designed to support the systems, safeguards, and response capabilities that make those policies operational.
Together, True West and GoWest IT help firms approach disaster recovery planning from both sides: the
Protecting Senior Clients Is a Fiduciary Responsibility
The rise in elder financial exploitation cases continues to place pressure on RIAs to strengthen safeguards for vulnerable clients.
A firm’s fiduciary duty extends beyond investment management. Advisors must remain vigilant for:
- Cognitive decline
- Suspicious withdrawal activity
- Third-party influence
- Fraud and scam attempts
- Behavioral changes or unusual requests
Proactive firms are implementing:
- Trusted contact procedures
- Enhanced supervision for unusual transactions
- Ongoing client and family education
- Senior client interaction protocols
- Escalation procedures for potential financial exploitation
Protecting senior clients is not only good compliance practice; it’s central to maintaining the trust clients place in their advisory relationships.
Final Thoughts
July is a good time for firms to pause, test, and confirm that key compliance and operational safeguards are working in practice. Regulation S-P readiness, disaster recovery planning, and senior client protection all share a common theme: firms should be prepared before an issue occurs.
True West is here to help firms stay prepared, document their efforts, and continue building resilient compliance programs.
Stay compliant and proactive with your policies and procedures
- June 2026 (1)
- May 2026 (1)
- April 2026 (1)
- March 2026 (1)
- February 2026 (1)
- January 2026 (1)
- December 2025 (1)
- November 2025 (2)
- October 2025 (2)
- September 2025 (2)
- August 2025 (1)
- July 2025 (1)
- June 2025 (2)
- May 2025 (2)
- April 2025 (1)
- March 2025 (1)
- February 2025 (1)
- January 2025 (2)
- December 2024 (1)
- November 2024 (1)
- October 2024 (7)
- September 2024 (8)
- August 2024 (4)
- July 2024 (4)
- June 2024 (8)
- May 2024 (1)
- April 2024 (1)
- March 2024 (1)
- February 2024 (1)
- January 2024 (1)
You may also like
These related posts
Regulatory Round-Up March 2026
Regulatory Round-Up April 2026

