SEC 2026 exam priorities · Reg S-P is on the list

Your program is spread across every entity, vendor and team. The SEC examines it as one.

Reg S-P has applied to firms your size since December 2025, and the SEC's 2026 examination priorities put incident-response programs on the list. Compliance, IT, operations, legal and the business each move independently — but the examiner assesses one program. A finding in one entity reaches the rest. Holding one evidenced view across all of it is the hard part, and what Resilis is built for.

Reg S-P program status
AMBER — current

On the SEC 2026 exam list · distributed across entities · no single view

↓  with Resilis
GREEN — target

One program across the complex · aligned across functions · evidence on demand

The gap between the two is what an examiner finds. Twenty minutes tells you which line you're on.

What gets harder with more moving parts

Every firm got the same rule. The more places your program lives, the harder it is to hold together.

Open the one that bites hardest — that's where Resilis earns its place.

Coordination across functions · The program is owned in pieces — and the seams are where it fails
What Resilis does

The platform brings stakeholders into one picture — every entity, office, vendor and partner — so the response spans your whole footprint instead of fragmenting. Technology, operations and business stay aligned, with the platform as challenger. The response is co-orchestrated: you decide, while the platform proposes the next move from your plans and the situation in front of you.

Dependency & concentration mapping · It's not the length of the vendor list — it's which ones you can't run without
What Resilis does

Dependency mapping is native to the platform, not a spreadsheet rebuilt each year. It captures where your key processes actually run — outsourced to vendors, or centralized within the group — so the whole operating model is visible and stress-tested. Oversight evidence is something you pull on demand, and a dependency's blast radius is a board-reportable picture before an incident draws it for you.

Multi-entity testing & evidence · A surprise exam doesn't ask one entity — it asks all of them
What Resilis does

Resilis is built to run a crisis, not just document one. A guided tabletop produces the cheapest credible evidence an examiner looks for — proof the program was tested, dated and attributed — held consistently across every entity, not rebuilt one at a time under exam pressure. And if a real incident comes, you run it from the same platform.

Consistency & drift control · The program doesn't go unowned — it drifts in the handoffs
What Resilis does

The platform keeps the program coherent across teams — it leverages what each function already has, runs consistency checks across plans, policies and procedures, and flags where they've drifted or where an examiner would find a gap. Governance is evidenced as you operate: who reviewed, who signed off, what was tested and when — the trail a board and an examiner both expect, without one person holding it all in their head.

Two screens, not twenty features

The proof isn't a feature list. It's watching the program assemble itself.

[Diagram nodes: Your firm, Custodian, Archive, Cloud, Fund admin. Legend: evidenced, gap]
Dependency & vendor map

The custodian, cloud, archive and fund-admin web assembling itself — each node carrying its own oversight evidence, with gaps flagged before an incident finds them.

[Screen: CRISIS MODE · ACTIVE · NOTIFICATION CLOCK 29d 14:22:07]

  • Scope confirmed · records accessed (Ops)
  • Affected clients identified · 312 (CCO)
  • Notification drafted · pending review (Counsel)
  • Custodian oversight evidence attached (Ops)

LOGBOOK · every action dated, attributed, exportable
Crisis mode

The live operating picture during a breach — tasks, owners, the 30-day notification clock running, every action written to a dated logbook. The program as something you run, not retrieve.

The honest before / after

A Reg S-P program survives an exam two ways. Only one survives the next incident.

The binder approach

  • A document rebuilt annually, accurate the day it's filed and drifting after
  • Vendor oversight reconstructed by hand each exam cycle
  • "Tested" means a meeting nobody recorded
  • One or two people hold the whole program in their heads
  • Evidence assembled under pressure, after the request arrives

The Resilis approach

  • A program that updates as your firm, vendors and entities change
  • Dependency map and oversight evidence generated continuously
  • "Tested" means a dated tabletop with a defensible record
  • The drafting and consistency work done by the platform, not your team
  • Audit-ready evidence available the moment it's asked for

Why trust a platform you haven't heard of yet

Built where the resilience rules are hardest — now mapped to yours.

Coverage · More than enough for Reg S-P, where it counts

Resilis more than satisfies the operational-resilience core of Reg S-P — incident response, recovery, service-provider oversight, testing, and the evidence behind them. The same engine was built for Europe's NIS2 and DORA, and maps cleanly onto the BCP, DR, and incident-response provisions of NYDFS Part 500 — arguably the most demanding in US financial services. Resilis is the operational-resilience layer; it works alongside your controls for access, encryption, and the rest of the security stack.

Security posture · The substance is already here

Resilis runs on infrastructure independently certified to ISO 27001, HDS and PCI-DSS — encryption in transit and at rest, least-privilege access, strict tenant isolation, 24/7 monitoring, and daily backups with tested restoration. SOC 2 is underway, formalizing controls that are already in place today in the report US buyers expect. And Resilis runs separately, by design, from the systems it protects — so when your own environment is under attack, the platform coordinating the response is the one still standing.

ISO 27001 · HDS · PCI-DSS · SOC 2 (underway)

A human, not a funnel · Your first conversation is with an independent advisor

An independent advisor who works alongside Resilis on its US expansion — eighteen years in global-bank COO offices running regulatory remediation and Dodd-Frank implementation at regulated financial institutions. They've been on the side of the table that assembles the evidence when a regulator comes, and know what holds under that pressure. Not a compliance advisor, and this isn't compliance advice — an operator showing you how this evidence is typically examined.

Why now

On 17 November 2025 the SEC's Division of Examinations published its 2026 priorities. Reg S-P incident-response programs are named on the list — and your firm has been past its compliance date since December. Examiners are instructed to assess whether your program is reasonably designed to detect, respond to, and recover from unauthorized access to customer information. The exam is the mechanism; a finding is how a paper program stops being quietly fixable.

SEC FY2026 Examination Priorities (PDF)

Twenty minutes on what an examiner actually asks you to show.

A working session on evidence — not a demo, and not a compliance assessment. Across a complex of entities, Reg S-P is examined on whether you can produce the same evidence everywhere. We'll walk through the artifacts examiners typically expect, and you'll leave knowing which you could pull today and which you'd be reconstructing entity by entity.
