SEC 2026 exam priorities · Reg S-P is on the list

The deadline didn't fix anything. It just made your exposure examinable.

Your June 3 compliance date has passed — and the SEC's 2026 examination priorities put Reg S-P incident response on the list. Examiners are instructed to assess whether your program actually works: live, tested, and evidenced across every vendor, office and entity you depend on. An exam finding is how a paper program becomes a problem you can't quietly fix. Resilis is the platform that makes the program real — and runs the crisis if one comes.

Reg S-P program status
AMBER — current

On the SEC 2026 exam list · program untested · evidence assembled on request

↓  with Resilis
GREEN — target

Live · dependency-mapped · tested · audit-ready

The gap between the two is what an examiner finds. Twenty minutes tells you which line you're on.

Find your firm's shape

Every firm got the same rule. What it costs you depends on how your firm is built.

Open the shape that fits — the answer is the part of Resilis built for it.

Workload reduction: You run lean — one person wears compliance, ops, and more
What Resilis does

The platform acts as your program co-developer — it leverages what you have, runs consistency checks across your plans, policies and procedures, and flags the gaps an examiner would. You stop being the runbook, and work that used to take weeks takes days.

Tabletop & testing: The program exists on paper — but it's never been tested
What Resilis does

Resilis is built to run a crisis, not just document one. A guided tabletop produces the cheapest credible evidence an examiner looks for — proof the program was tested, with a dated record to show for it. And if a real incident comes, you run it from the same platform. That's the part the binder was never going to do.

Dependency mapping: Your records and assets live across many custodians and vendors
What Resilis does

Dependency and vendor mapping is native to the platform, not a spreadsheet you rebuild each year. It captures where your key operational processes actually run — outsourced externally to vendors, or internally to a parent, an affiliate, or a shared-services group — so you map the whole operating model and stress-test it before something breaks. Oversight evidence becomes something you pull on demand, not a project you reassemble each exam cycle.

Internal & external coordination: Your firm spans multiple entities, offices, or a parent
What Resilis does

The platform brings stakeholders together so the response spans your whole footprint — not just the entity where the incident started, and with vendors and external partners inside it rather than a separate scramble. Technology, operations and business stay naturally aligned, with the platform as challenger. When something happens, the response is co-orchestrated: you decide, while the platform proposes the next move based on your plans and the situation in front of you.

Two screens, not twenty features

The proof isn't a feature list. It's watching the program assemble itself.

[Diagram labels: Your firm, Custodian, Archive, Cloud, Fund admin; legend: evidenced, gap]
Dependency & vendor map

The custodian, cloud, archive and fund-admin web assembling itself — each node carrying its own oversight evidence, with gaps flagged before an incident finds them.

CRISIS MODE · ACTIVE
NOTIFICATION CLOCK 29d 14:22:07

  • Scope confirmed · records accessed (Ops)
  • Affected clients identified · 312 (CCO)
  • Notification drafted · pending review (Counsel)
  • Custodian oversight evidence attached (Ops)

LOGBOOK · every action dated, attributed, exportable
Crisis mode

The live operating picture during a breach — tasks, owners, the 30-day notification clock running, every action written to a dated logbook. The program as something you run, not retrieve.

The honest before / after

A Reg S-P program survives an exam two ways. Only one survives the next incident.

The binder approach

  • A document rebuilt annually, accurate the day it's filed and drifting after
  • Vendor oversight reconstructed by hand each exam cycle
  • "Tested" means a meeting nobody recorded
  • One or two people hold the whole program in their heads
  • Evidence assembled under pressure, after the request arrives

The Resilis approach

  • A program that updates as your firm, vendors and entities change
  • Dependency map and oversight evidence generated continuously
  • "Tested" means a dated tabletop with a defensible record
  • The drafting and consistency work done by the platform, not your team
  • Audit-ready evidence available the moment it's asked for

Why trust a platform you haven't heard of yet

Built where the resilience rules are hardest — now mapped to yours.

Coverage: More than enough for Reg S-P, where it counts

Resilis more than satisfies the operational-resilience core of Reg S-P — incident response, recovery, service-provider oversight, testing, and the evidence behind them. The same engine was built for Europe's NIS2 and DORA, and maps cleanly onto the BCP, DR, and incident-response provisions of NYDFS Part 500. Resilis is the operational-resilience layer; it works alongside your controls for access, encryption, and the rest of the security stack.

Security posture: The substance is already here

Resilis runs on infrastructure independently certified to ISO 27001, HDS and PCI-DSS — encryption in transit and at rest, least-privilege access, strict tenant isolation, 24/7 monitoring, and daily backups with tested restoration. SOC 2 is underway. And Resilis runs separately, by design, from the systems it protects — so when your own environment is under attack, the platform coordinating the response is the one still standing.

ISO 27001 · HDS · PCI-DSS · SOC 2 (underway)

A human, not a funnel: Your first conversation is with an independent advisor

An independent advisor who works alongside Resilis on its US expansion — eighteen years in global-bank COO offices running regulatory remediation and Dodd-Frank implementation at regulated financial institutions. They've been on the side of the table that assembles the evidence when a regulator comes, and know what holds under that pressure. Not a compliance advisor, and this isn't compliance advice — an operator showing you how this evidence is typically examined.

Why now

On 17 November 2025 the SEC's Division of Examinations published its 2026 priorities. Reg S-P incident-response programs are named on the list — after the compliance date, examiners will assess whether your program is reasonably designed to detect, respond to, and recover from unauthorized access to customer information. The exam is the mechanism; a finding is how a paper program stops being quietly fixable.

SEC FY2026 Examination Priorities (PDF)

Twenty minutes on what an examiner actually asks you to show.

Not a demo, and not a compliance assessment — a working session on evidence. Reg S-P isn't examined on whether you have a program; it's examined on what you can produce. You'll leave knowing which artifacts you could pull today and which you'd be reconstructing under pressure.
