Understanding the SEC’s Cybersecurity Rule and Why Many Firms Are Not Ready

By Yiddy Lemmer, CEO – CompuConnect, Inc.

The SEC’s updated Regulation S-P, finalized in 2024, is now approaching its enforcement deadline of June 3, 2026.

While the rule itself is not new, the reality is setting in.

Many financial advisory firms are still not prepared for what it actually requires in practice.

According to Financial Advisor Magazine, a large number of RIAs are missing key operational components, especially around incident response and vendor oversight.

What the Rule Is Really About

At a high level, Regulation S-P is focused on one thing:

Making sure firms can protect client data and respond effectively when something goes wrong.

That includes:

  • A formal incident response plan
  • Strong vendor oversight
  • The ability to notify clients within 30 days of a breach
  • Policies that are actively enforced

These are not new concepts.

What is new is the expectation that they actually work in real-world situations.

Where Firms Are Falling Short

Most firms already have policies.

The problem is execution.

The gap is between what is written and what actually happens day to day.

And that gap is where most incidents occur.

Not from sophisticated attacks, but from basic issues like:

  • Compromised email accounts
  • Inconsistent use of Multi-Factor Authentication
  • Employees not following procedures
  • Vendors with unclear or unmanaged access

These are the exact areas regulators are now focusing on.

The 30-Day Reality Check

The rule requires firms to notify clients within 30 days of a breach.

That sounds manageable until you break it down.

You need to detect the issue, understand what happened, contain it, document it, and communicate clearly.

All within a tight window.

Without a structured process, that becomes difficult very quickly.

What Readiness Actually Looks Like

Firms that are prepared are not doing anything complex.

They are doing the fundamentals consistently:

  • Defined and tested incident response plans
  • Multi-Factor Authentication enforced across systems
  • Regular access and security reviews
  • Active vendor risk management
  • Ongoing monitoring and documentation

The difference is not tools.

It is structure and consistency.

Why This Matters Now

This is not just about compliance.

It is about whether your firm can operate, respond, and protect client trust under pressure.

Regulators are no longer asking if you have policies.

They are asking if those policies hold up in real situations.

How CompuConnect Helps

CompuConnect works with CPA and financial advisory firms across New York and New Jersey to close the gap between policy and execution.

We help firms:

  • Identify gaps in current systems
  • Build structured response plans
  • Strengthen vendor oversight
  • Align operations with compliance requirements
  • Deliver proactive managed IT services and business cybersecurity

The goal is simple.

Make sure your firm is actually ready, not just documented.

The SEC rule may have been finalized in 2024, but many firms are only now realizing what it truly requires.

Most gaps are not obvious.

They show up when something goes wrong.

If you are not fully confident in how your firm would respond today, it is worth taking a closer look.

Schedule a discovery call with us and get a clear, practical understanding of where you stand and what needs to be strengthened before the deadline.

About the Author
Yiddy Lemmer is the Founder and CEO of CompuConnect IT, a leading IT support and cybersecurity firm serving small and midsize businesses across New York and New Jersey. With over 18 years of hands-on experience, multiple Microsoft and CompTIA certifications, and deep roots in Brooklyn, Yiddy leads with a passion for technology, service excellence, and helping businesses thrive through secure and efficient IT systems.