
7 Questions to Ask Your MSP Before the Reg S-P Deadline

Your managed service provider handles your firm's IT. But amended Regulation S-P holds your firm responsible for safeguarding customer information — not your MSP. These seven questions will tell you whether your MSP is helping you meet that obligation or leaving you exposed.

Why these questions matter right now

The SEC's amended Regulation S-P introduced specific requirements for incident response, breach notification, and vendor oversight that most MSP contracts simply do not address. The compliance deadline is approaching, and the gap between what your MSP does and what the SEC expects your firm to document is where examination findings live.

These are not gotcha questions. They are practical tests of whether your MSP relationship is structured for the regulatory environment you actually operate in. If your MSP can answer all seven, you probably have a solid partner. If they cannot, you need to know that before the SEC asks.

1. "Have you read SEC Regulation S-P?"

Start here. If your MSP has not read the regulation they are supposed to help you comply with, everything downstream is built on guesswork.

Why it matters

Reg S-P governs how registered investment advisers protect customer information. The 2023 amendments added requirements for written incident response plans, breach notification timelines, and oversight of service providers. An MSP that has not read the regulation does not know what "compliant IT" actually means for your firm.

What a good answer sounds like

"Yes. We reviewed the amended rule and updated our service agreements to address the new incident response and notification requirements." Bonus if they can name a specific provision — like the 72-hour notification window or the written IRP requirement.

What a bad answer reveals

Hesitation, a vague "we follow best practices," or an honest "no" all tell you the same thing: your MSP is providing generic IT services, not compliance-aware support. Best practices are not a regulatory standard. The SEC examines against the rule, not against industry norms.

What to do if they can't answer

Send them the rule. It is publicly available on the SEC website. Give them a reasonable deadline to review it and come back with a plan for how their services map to the requirements. If they are not interested in reading it, that tells you where compliance falls on their priority list.

2. "Does our contract include a 72-hour breach notification clause?"

Amended Reg S-P requires firms to notify affected individuals within a specific timeframe after discovering a breach. Your MSP holds the keys to your environment. If they get breached and take a week to tell you, your notification clock has already run out.

Why it matters

Most MSP contracts were signed before the Reg S-P amendments. They typically include a vague "reasonable notification" clause, or no notification clause at all. The SEC does not care what your MSP contract says — it cares whether your firm met its notification obligations. If your MSP delayed telling you about an incident, that is your firm's problem on the exam report.

What a good answer sounds like

"Yes. Our contract requires us to notify you within 24 hours of discovering any security incident that could affect your environment or client data, and we will cooperate with your notification process." The tighter the timeline, the better. 24 hours gives you time to assess and still meet your own obligations.

What a bad answer reveals

"We'll let you know as soon as possible" is not a contractual commitment. "We'd have to check the contract" means nobody has reviewed it for this requirement. Either answer means your breach notification compliance is currently unprotected.

What to do if they can't answer

Pull your MSP contract and read the notification provisions yourself. If they are vague or missing, draft an amendment with a specific timeline and escalation process. This is a negotiation, not a request — your firm's compliance depends on it.

3. "Is DMARC configured on our domain?"

DMARC (Domain-based Message Authentication, Reporting, and Conformance) prevents attackers from sending emails that look like they come from your firm. It is a basic email security control that 83% of RIAs do not have configured.

Why it matters

If someone can spoof your domain and send phishing emails to your clients, that is a safeguard failure under Reg S-P. Your MSP manages your email infrastructure. Setting up DMARC, SPF, and DKIM is a standard configuration task that should have been done on day one. If it was not, it raises the question: what other basic controls are missing?

What a good answer sounds like

"Yes. DMARC is set to enforcement mode (quarantine or reject), and we monitor the aggregate reports for spoofing attempts." Even better if they can show you the DNS record.

What a bad answer reveals

"What is DMARC?" is disqualifying for any MSP serving financial services. "We set it to 'none'" means it is configured but not actually protecting anything — monitoring mode without enforcement is a half-measure. "I'd have to check" likely means it is not configured.
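To make the "enforcement mode" versus "p=none" distinction concrete, here is a small Python checker, added as an illustration and not part of the original post, that parses a DMARC TXT record and grades it the way this question does: missing, monitoring only (p=none), partially enforced (pct below 100 or subdomains left at none), or enforced. The sample records are constructed for the example; the optional live lookup assumes the dnspython package and is not needed to run the samples.

```python
"""Offline DMARC policy checker (added example, not the post's own tooling).

A DMARC record lives in a TXT record at _dmarc.<domain> and looks like
'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'. The value of the p= tag
is what separates "configured" from "actually protecting the domain".
"""

# Constructed sample records keyed by a made-up domain name.
SAMPLE_DMARC_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; pct=100",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "missing.example": None,          # no _dmarc TXT record at all
    "malformed.example": "p=reject",  # missing the mandatory v=DMARC1 tag
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; return None if it is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 and p= are the only mandatory tags.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(txt):
    """Return (status, findings) where status is missing / monitor / partial / enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no valid DMARC record: needs v=DMARC1 and a p= tag"]

    findings = []
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; receivers will ignore it")

    if policy == "none":
        status = "monitor"
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy in ("quarantine", "reject"):
        status = "enforced"
        if pct < 100:
            status = "partial"
            findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        if tags.get("sp", "").lower() == "none":
            status = "partial"
            findings.append("sp=none: subdomains are not enforced")
    else:
        return "missing", [f"unknown policy value p={policy}"]

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return status, findings


def summarize(records):
    """Map each domain to its status, e.g. for a vendor or compliance report."""
    return {domain: assess_dmarc(txt)[0] for domain, txt in records.items()}


def lookup_dmarc(domain):
    """Fetch the live _dmarc TXT record. Assumes the optional dnspython package."""
    try:
        import dns.resolver  # optional dependency; the samples above run without it
    except ImportError:
        return None
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except Exception:
        return None
    for rdata in answers:
        txt = "".join(s.decode() for s in rdata.strings)
        if txt.lower().startswith("v=dmarc1"):
            return txt
    return None


if __name__ == "__main__":
    for domain, txt in SAMPLE_DMARC_RECORDS.items():
        status, findings = assess_dmarc(txt)
        print(f"{domain:22} {status:9} {'; '.join(findings)}")
```

The "enforced" grade requires p=quarantine or p=reject applied to 100% of mail with subdomains not explicitly exempted; anything else is the half-measure the question is probing for. Replace the sample dict with the output of lookup_dmarc for your own domain to turn this into the DNS-record check the good answer above offers to show you.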

What to do if they can't answer

Run a free security scan on your domain right now. It takes 30 seconds and will show you your DMARC status along with other email security controls. If DMARC is missing, your MSP should implement it this week — it is a DNS record change, not a major project.

4. "Can you produce an audit-ready report of our security controls?"

SEC examiners do not want to log into your MSP's dashboard during an exam. They want documentation — written policies, evidence of implementation, and records of ongoing monitoring.

Why it matters

Most MSPs can show you an RMM (remote monitoring and management) dashboard with patch status and ticket histories. That is operational data, not compliance documentation. Reg S-P requires your firm to maintain written policies and procedures for safeguarding customer information. If your only evidence of security controls lives inside your MSP's tools, you do not actually have audit-ready documentation.

What a good answer sounds like

"Yes. We produce quarterly security reports that document patch compliance, endpoint protection status, access control reviews, and incident logs. We can export these in a format your compliance team can archive."

What a bad answer reveals

"You can log into our portal anytime" shifts the documentation burden back to you and does not produce the kind of artifact an examiner expects. "We can pull something together" means it does not currently exist, and scrambling to create documentation during an exam is not a strategy.

What to do if they can't answer

Define what you need: a written summary of security controls in place, evidence that they are functioning (logs, scan results, patch reports), and a format you can store in your compliance files. If your MSP cannot produce this as part of their standard service, you need a compliance layer on top of what they provide.

5. "Do you have an incident response plan that covers OUR regulatory obligations?"

Your MSP has an incident response plan. It covers their operations, their clients broadly, and their own business continuity. It almost certainly does not address your firm's specific obligations under Reg S-P.

Why it matters

Amended Reg S-P requires your firm to maintain its own written incident response plan — one that covers detection, assessment, containment, notification, and recovery specific to your operations and regulatory requirements. Your MSP's IRP is about restoring your servers. Your IRP is about meeting your legal obligations to clients and regulators while your servers are being restored.

What a good answer sounds like

"Our IRP covers the technical response. We've also worked with your compliance team to make sure our escalation procedures feed into your firm's regulatory notification process. Here is how the two plans connect."

What a bad answer reveals

"We have an incident response plan" without any mention of your firm's regulatory requirements means they are solving the IT problem but not the compliance problem. Your servers might come back online, but if nobody triggered your firm's notification process, you have a regulatory violation on top of a security incident.

What to do if they can't answer

Your firm needs its own IRP that is separate from — but coordinated with — your MSP's technical response plan. The two plans should define handoff points: when your MSP detects an incident, who do they call at your firm, what information do they provide, and what is the timeline? Build this coordination into your contract.

6. "Are you helping us track vendor risk for ALL our service providers?"

Reg S-P requires oversight of service providers who access customer information. That includes your custodian, your financial planning software, your CRM, your cloud storage — and your MSP themselves.

Why it matters

Your MSP has a conflict of interest here. They are one of your vendors, and vendor risk management means evaluating their security posture alongside everyone else's. Most MSPs will help you manage other vendors but quietly exclude themselves from the assessment. That blind spot is exactly the kind of thing an SEC examiner will notice.

What a good answer sounds like

"Yes. We help you maintain a vendor inventory and track risk assessments for your key service providers. And we include ourselves — here is our SOC 2 report and our own security documentation for your vendor files."

What a bad answer reveals

"We manage your IT vendors" is not the same as vendor risk management. If they cannot produce their own security documentation for your vendor risk file, they are asking you to trust them without evidence — which is not a defensible position during an exam.

What to do if they can't answer

Start a vendor inventory. List every service provider that touches client data. For each one, document what data they access, what security commitments they have made, and when you last reviewed those commitments. Your MSP should be the first entry on that list, not the one managing it from outside the list.

7. "What's your plan if YOU get breached?"

This is the question most CCOs never think to ask, and it is the one that matters most. Your MSP has privileged access to your environment — admin credentials, remote management tools, direct access to your systems. If they get compromised, you get compromised.

Why it matters

Third-party breaches have doubled, rising from 15% to 30% of all breaches. MSPs are high-value targets precisely because compromising one MSP gives attackers access to every client that MSP manages. The Kaseya attack in 2021 demonstrated this at scale. Your MSP is not just a vendor — they are a breach vector with the keys to your kingdom.

What a good answer sounds like

"We have a tested incident response plan that includes immediate client notification. We carry cyber insurance. We can isolate affected client environments independently. Here is the specific process we follow if our own systems are compromised." Ask for it in writing.

What a bad answer reveals

Defensiveness ("That won't happen to us") is the worst possible answer. Vagueness ("We have security measures in place") is nearly as bad. Any MSP that cannot articulate what happens when their own defenses fail has not thought seriously about the scenario — which means they are not prepared for it.

What to do if they can't answer

Request their incident response plan and their cyber insurance certificate. Ask when their plan was last tested. If they do not have a plan, do not have insurance, or have never tested their response, you are carrying risk you did not agree to. Factor this into your vendor risk assessment and your own IRP.

The conversation this starts

These questions are not designed to embarrass your MSP. They are designed to surface gaps before the SEC does. A good MSP will appreciate the conversation — it gives them a chance to step up and differentiate themselves. A mediocre MSP will get defensive. That reaction is information too.

The goal is not to fire your MSP. It is to make sure the relationship is structured for the regulatory environment your firm actually operates in. If your MSP can answer all seven questions with specifics, you are in better shape than most. If they cannot, you now know exactly where the gaps are and what needs to change.

Forward this to your MSP today. Their answers will tell you whether you have a compliance partner or just an IT vendor.
