As we return from the Fourth of July holiday and continue through America’s 250th year of independence, we are reminded that strong systems are built through preparation, accountability, resilience, and a commitment to protecting what matters most. In that same spirit, as we continue down the 2026 compliance trail, we’ll keep riding alongside you with reminders and practical guidance on the key compliance topics that deserve your attention.
This month’s compliance topic is Regulation S-P Implementation and Audit Readiness.
June 3, 2026 marked the compliance date for smaller covered institutions, including many SEC-registered investment advisers, under the SEC’s amendments to Regulation S-P. The amendments enhance requirements related to safeguarding client information, incident response programs, customer notification procedures following certain data incidents, service provider oversight, and related record keeping. Larger covered institutions were required to comply beginning December 3, 2025.
As firms move from implementation to audit readiness, now is the time to confirm that policies, procedures, vendor oversight practices, employee training, and incident response documentation are not only updated, but also operational and testable.
Key areas for review include:
Audit readiness is more than having updated policies on file. Firms should be prepared to demonstrate how the program works in practice, who is responsible for each step, how issues are escalated, how vendors are reviewed, and how client notification decisions would be documented.
A disaster recovery plan is only valuable if it works when the firm needs it most.
For registered investment advisers, business continuity and disaster recovery planning should be more than a written policy. A strong plan should reflect how the business actually operates, how critical systems are protected, how employees communicate during disruption, and how client service continues when something goes wrong.
Technology outages, cyber incidents, vendor disruptions, natural disasters, and communication failures can all test a firm’s ability to respond. The key question is not simply whether the firm has a plan, but whether that plan has been reviewed, tested, and made accessible to the people responsible for carrying it out.
As part of a meaningful review, firms should consider:
A tabletop exercise or real-life scenario test can be especially helpful. Walking through what would happen if email access was unavailable, a core vendor platform went down, or a cybersecurity incident occurred can reveal practical gaps that may not be obvious from reviewing the written plan alone.
Through our partnership with GoWest IT, firms also have access to technology and cybersecurity expertise designed to support the systems, safeguards, and response capabilities that make those policies operational.
Together, True West and GoWest IT help firms approach disaster recovery planning from both sides: the
The rise in elder financial exploitation cases continues to place pressure on RIAs to strengthen safeguards for vulnerable clients.
A firm’s fiduciary duty extends beyond investment management. Advisors must remain vigilant for:
Proactive firms are implementing:
Protecting senior clients is not only good compliance practice; it’s central to maintaining the trust clients place in their advisory relationships.
July is a good time for firms to pause, test, and confirm that key compliance and operational safeguards are working in practice. Regulation S-P readiness, disaster recovery planning, and senior client protection all share a common theme: firms should be prepared before an issue occurs.
True West is here to help firms stay prepared, document their efforts, and continue building resilient compliance programs.