TL;DR
June 3, 2026 is the compliance deadline for smaller financial-service entities covered under amendments to the SEC's Regulation S-P (the rule that governs how broker-dealers, investment advisers, and other registered entities protect customer information and notify them after a data breach). Larger firms hit their deadline in December 2025; smaller firms get the extra time but the clock has run out. Your incident response plan (IRP) — written response procedures for unauthorized access — must be documented, archived, retrievable, and actually used during an incident. Convert: Web to PDF is the free Chrome extension that turns your live IRP wiki, runbook portal, or training pages into local, audit-grade PDFs the SEC examiner can read offline.
What changed in Regulation S-P
The amendments adopted by the SEC in 2024 added explicit requirements to the long-standing Rule 30 of Regulation S-P. Key changes:
- Written policies and procedures for an Incident Response Program (IRP)
- A customer notification requirement — affected individuals must be notified "as soon as practicable, but not later than 30 days" after the firm determines that sensitive customer information has been (or is reasonably likely to have been) accessed or used without authorization
- Service-provider oversight — third parties handling customer information must be subject to written contracts ensuring they can detect, respond to, and recover from incidents
- Records retention for IRP-related documentation under Rule 17a-4 and 204-2
Larger entities (broker-dealers with > $5B in assets and investment advisers > $1.5B) had until December 3, 2025. Smaller entities have until June 3, 2026. After June 3, every covered firm — regardless of size — is fully on the hook.
What "documented, archived, retrievable" means in practice
An IRP isn't a single document. It's a constellation of artifacts:
| Artifact | Where it usually lives | Why archive as PDF |
|---|---|---|
| Written IRP policy document | Confluence, SharePoint, Notion | Auditor wants the version active on a specific date |
| Incident classification matrix | Wiki, internal portal | Versioning evidence |
| Notification template (customer-facing) | Marketing/legal portal | Show consistency with what was sent during an incident |
| Roles & responsibilities chart | HR or compliance portal | Person-X-was-CISO-on-date-Y evidence |
| Vendor / service-provider contracts | Contract management system (Ironclad, Concord, DocuSign) | The IRP-related clauses, frozen at signing date |
| Tabletop exercise summaries | Internal blog, training portal | "Did you actually rehearse?" evidence |
| Training-completion records | LMS (Workday Learning, Cornerstone) | Per-employee attestation |
| Third-party security questionnaire responses | Vendor-management platform | Service-provider oversight evidence |
| Detection / response tooling configuration | SIEM, EDR | The state at incident time |
| Post-incident root-cause analyses (if any) | Confidential internal wiki | Both the report itself and the date it was written |
The auditor will ask: "Show me the version of your IRP that was in effect on [date]." If your only copy is the live wiki page, you can't. Locally-captured PDFs are how you answer that question in 10 seconds.
The "archive your live policy" workflow
Capture each of the above as PDF on the day it's published or updated. Re-capture on every revision.
Step 1 — list every page that comprises your IRP
For most firms, this is 15-40 pages across multiple internal platforms. The list should live somewhere stable (a simple Markdown file in your compliance repo) and be reviewed quarterly.
Step 2 — capture each page with the extension
Install Convert: Web to PDF. For each page:
- Click the extension icon
- Optional: Article Mode to strip wiki navigation chrome
- Preview, download
The PDF has: selectable text, working hyperlinks (to other internal docs), the URL and timestamp in the header.
This is the only common workflow that works on internal portals — Confluence, SharePoint, Notion, custom internal wikis. Online URL-to-PDF tools (PDFCrowd, Smallpdf web converter, iLovePDF) can't access these pages because they're behind your SSO. The extension reads from your authenticated browser session via Chrome's DevTools Protocol.
Step 3 — file by quarter + artifact type
Naming structure:
```
irp-archive/
  2026-Q2/
    01-policy/
      irp-master-policy-v3.2-2026-06-04.pdf
      classification-matrix-2026-06-04.pdf
    02-procedures/
      detection-runbook-2026-06-04.pdf
      escalation-flowchart-2026-06-04.pdf
    ...
```
Versioning matters. When the master policy goes from v3.2 to v3.3, capture v3.3 and keep v3.2 on file.
Step 4 — re-capture quarterly + on every revision
Quarterly cadence handles routine updates. On-revision capture handles material changes (new tooling, new vendor, new C-level appointment with IRP responsibilities). Both go in the archive.
Step 5 — merge into a quarterly "examiner package"
Use Convert: Anything to PDF to merge the quarter's IRP artifacts into a single bound PDF. Cover page + table of contents + each artifact as a section. When an examiner asks for the IRP as of the end of Q2 2026, you hand them one file.
Why local-only PDF generation matters for Reg S-P specifically
The IRP itself contains material non-public information about your security posture — the gaps you've identified, the playbooks you'd use, the third-party vendors you rely on, the names of people who would respond. Routing those documents through a third-party "online PDF converter" service is exactly the kind of inadvertent disclosure the rule is trying to prevent.
The local-only conversion model:
- The extension makes zero network requests during conversion
- Your IRP content never leaves your browser
- No third-party server logs, no temporary file storage, no risk of inadvertent retention
Compare this to a typical web PDF converter:
| Step | Web converter (e.g. random "url to pdf" site) | Convert: Web to PDF |
|---|---|---|
| You paste a URL or upload an HTML export | Sent to their server | (no upload) |
| Their server fetches the URL | Logs the URL + your IP | N/A |
| Their server renders the PDF | PDF sits on their disk | N/A |
| You download the PDF | Their server retains for "up to 24h" | N/A |
| Total third-party disclosure | The entire IRP content, your IP, your network identity | None |
For sensitive financial documents, the answer is local generation. Always.
How a Reg S-P examiner reviews your archive
Examiners aren't reading every page. They're sampling. The flow is something like:
- "Show me your current written IRP." → master policy PDF
- "When was this last updated, and what was the prior version?" → file metadata + previous-version PDF
- "Walk me through how an incident would flow." → escalation flowchart PDF
- "Who would lead it?" → roles chart PDF
- "Pick a vendor at random — show me the security clauses in their contract." → contract PDF
- "Did you run a tabletop in the past 12 months?" → tabletop summary PDF
- "Train your incident commanders annually?" → LMS completion report PDF
- Sample an actual incident (real or simulated): "Show me the artifacts." → incident folder
Every "show me" is a PDF retrieval. If retrieval takes you longer than 2-3 minutes per item, the examiner notices.
Customer notification: the 30-day timer
The new rule is strict on the 30-day customer-notification window. Two implications for archiving:
Pre-incident: notification template
Have the customer-notification letter (or email) drafted, reviewed by counsel, and archived as PDF before any incident. When an incident hits, you fill in the variables — you don't draft from scratch. The blank template PDF lives in your IRP archive.
Post-incident: what was actually sent
Capture the as-sent customer notification — the actual email, the actual portal banner, the actual phone-script if used. As-sent communications are what regulators compare against the template; deviations matter. The Convert: Web to PDF extension can capture an internal admin view of "this is what we emailed customers" for the archive.
Service-provider oversight: a PDF-heavy task
The amendment requires written contracts with service providers covering incident response. In practice that means:
- Your contracts vary in age — some predate the requirement, some don't
- The IRP-relevant clauses need to be inventoried
- The inventory needs to be dated and refreshed
Workflow:
- Pull each tier-1 service provider's contract (in your CLM)
- Identify the security/incident-response clauses
- Capture those clauses as PDF extracts (highlight + export from CLM, or screenshot + convert to PDF)
- Build a clause-inventory spreadsheet: vendor × clause × contract effective date × renewal date
- Re-capture annually or on every contract renewal
For vendors without compliant clauses, the amendment effectively forces a contract amendment. Track which amendments are signed, which are pending, which are blocked.
Tabletop and training: prove you did it
The rule doesn't mandate a specific tabletop frequency, but absence of any tabletop will draw examiner attention. Annual is the floor for most firms; semi-annual is reasonable for larger or higher-risk firms.
Each tabletop should produce:
- An agenda (PDF)
- A scenario document (PDF, often confidential)
- A list of participants (PDF)
- A debrief / lessons-learned summary (PDF)
- Action items with owners and due dates (tracked in your IRP improvement log)
Capture all of these as PDF. The participants list is sometimes the single most asked-for item — "who attended your most recent IRP tabletop" is a standard examiner question.
Mistakes to avoid
Capturing only the master policy
Auditors want the surrounding procedural artifacts too — runbooks, escalation flows, training records. The policy alone is 5% of the IRP archive.
Letting the archive go stale
A quarterly cadence prevents the awkward moment when v3.5 of the master policy is live but v3.2 is the most recent file in your archive. Set a calendar recurrence.
Skipping service-provider artifacts
The service-provider oversight requirement is one of the more enforcement-relevant pieces of the amendment. Don't underinvest here.
Using an online URL-to-PDF tool for sensitive content
As noted above, this routes your IRP through someone else's server, with logging you don't control.
Relying on "the wiki has version history"
Examiners want a fixed artifact, not a wiki diff URL. The PDF is the artifact.
Not testing retrieval
Run a quarterly drill: "examiner asks for IRP as of [date], show me in 2 minutes." If you can't, fix the archive structure before you have to.
Cross-references to other regulations
Reg S-P doesn't sit alone. Same archive structure serves multiple frameworks:
- NYDFS Cybersecurity Regulation (23 NYCRR 500) — overlapping IRP and notification requirements
- GLBA Safeguards Rule — written information security program requirements
- State data-breach notification laws — 50+ overlapping triggers and timelines
- HIPAA Security Rule (if you have hybrid healthcare data)
- PCI DSS (if you process card payments)
One PDF archive per artifact, mapped to multiple framework citations, beats parallel archives per framework.
A note on AI-assisted IRP drafting
Several firms are experimenting with AI-drafted IRP procedures in 2026. Caveats:
- Don't paste sensitive IRP content into a public-tier LLM
- Use enterprise-tier AI services with data residency and contractual restrictions on training
- Always have counsel review AI-drafted policies; "generic IRP template from GPT" is not a defensible artifact
- Capture both the AI prompt and the human-reviewed output for the archive
The IRP archive is one place where the safest pattern is fully manual review, locally-rendered artifacts. The cost of a bad day-1 audit moment far exceeds the cost of writing the policy by hand.
For a parallel use case — tracking which AI engines actually understand financial regulatory content — you can use ScrapeMaster to pull AI Overview citations on Reg S-P queries and see which sources Google trusts. (Different tool; same studio.)
Frequently asked questions
Q: We're a small RIA — does the June 3 deadline really apply to us?
If you're registered with the SEC (or in some cases state-registered with parallel local rules) and you handle non-public customer information, the answer is almost always yes. Talk to counsel for entity-specific advice, but assume yes and prepare accordingly.
Q: Does the rule require the IRP to be in PDF specifically?
No — the rule requires written policies and procedures; format isn't prescribed. PDFs are convenient for archive purposes because they're frozen, portable, and viewer-agnostic. Many examiners specifically request PDFs.
Q: Can I just use Confluence / SharePoint's built-in export?
You can — but those exports often strip formatting, miss embedded diagrams, or produce per-page PDFs that don't reflect the document the way it looked in the browser. The Convert: Web to PDF extension captures the rendered view, which is closer to what the policy author intended.
Q: How do I prove the PDF was captured on the date I claim?
Three layers: the PDF header (URL + capture timestamp), your file system metadata (creation date), and an external timestamp source (a hash committed to your version control on a known date, or an RFC 3161 timestamp). For most examiner queries the header timestamp is enough.
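As an added example (not the extension's code, nor anything from the post), the second and third layers above in Python: a SHA-256 manifest of the archive that you commit to version control, a check that the files still match it, and the "which capture was in effect on [date]" lookup that the Step 3 naming structure and the retrieval drill rely on. It assumes file names end in the capture date (-YYYY-MM-DD.pdf) as in Step 3; the sample tree is constructed with placeholder bytes.

```python
# Added example, not the extension's or the post's code: hash manifest for the Step 3
# irp-archive/ tree plus the "version in effect on <date>" lookup.
# Assumes file names end in the capture date (-YYYY-MM-DD.pdf) as in Step 3.
import hashlib, os, re, tempfile
from datetime import date
NAME_RE = re.compile(r"^(?P<artifact>.+?)(?:-v(?P<ver>[\d.]+))?-(?P<d>\d{4}-\d{2}-\d{2})\.pdf$")

def parse_name(fname):
    """'irp-master-policy-v3.2-2026-06-04.pdf' -> (artifact, version or None, capture date)."""
    m = NAME_RE.match(fname)
    if not m:
        raise ValueError(f"not in archive naming convention: {fname}")
    return m["artifact"], m["ver"], date.fromisoformat(m["d"])

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Relative path -> sha256 and parsed name fields; this dict is what you commit to VCS."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for f in (x for x in sorted(files) if x.endswith(".pdf")):
            artifact, ver, d = parse_name(f)
            full = os.path.join(dirpath, f)
            out[os.path.relpath(full, root)] = {"sha256": sha256_of(full), "artifact": artifact,
                                                "version": ver, "captured": d.isoformat()}
    return out

def verify_manifest(root, manifest):
    """Paths that are missing or whose bytes no longer match the committed hash."""
    return sorted(rel for rel, meta in manifest.items()
                  if not os.path.exists(os.path.join(root, rel))
                  or sha256_of(os.path.join(root, rel)) != meta["sha256"])

def version_as_of(manifest, artifact, as_of):
    """The retrieval drill: latest capture of artifact on or before ISO date as_of."""
    hits = [(m["captured"], rel) for rel, m in manifest.items()
            if m["artifact"] == artifact and m["captured"] <= as_of]
    return max(hits)[1] if hits else None

def make_sample_archive():
    """Constructed sample tree; placeholder bytes stand in for the captured PDFs."""
    root = tempfile.mkdtemp()
    for rel in ["2026-Q1/01-policy/irp-master-policy-v3.2-2026-03-02.pdf",
                "2026-Q2/01-policy/irp-master-policy-v3.3-2026-06-04.pdf",
                "2026-Q2/02-procedures/detection-runbook-2026-06-04.pdf"]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"%PDF-placeholder " + rel.encode())
    return root
```

Committing the manifest (rather than the PDFs themselves) on the capture day gives the VCS commit date as the external timestamp; a later mismatch from verify_manifest is exactly the "was this file altered since capture?" question an examiner might raise.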
Q: What about pages that have access controls — only the CISO can see the playbook?
Same workflow. As long as the CISO can see the page in their browser, the extension can convert it. Sensitive playbooks should still be access-controlled in your archive.
Q: Do contracts need to be archived separately, or is the CLM the system of record?
The CLM is the system of record for the contract; the IRP archive should include extracts showing the IR-relevant clauses (with version + signing date metadata). For the rare examiner request, the CLM is the source of truth.
Q: What's the retention period?
Under SEC Rules 17a-4 (broker-dealers) and 204-2 (investment advisers), most IRP-related records require 3- to 6-year retention, with the first 2 years in an easily accessible place. Some firms retain longer for litigation hold or insurance purposes.
Q: Can we use an enterprise document-management system instead?
Yes — many firms use NetDocuments, iManage, M-Files, or similar. The capture-as-PDF step is the same; the storage destination differs. The point is consistent, dated, version-controlled snapshots.
Q: Is there a way to detect changes to the live wiki pages automatically?
Confluence and SharePoint have webhook / RSS-style change-event APIs. For low-volume IRP wikis, manual quarterly recapture is usually enough; for high-volume changes, set up alerts and re-capture on each change event.
Q: What about the customer-notification template — does it need preapproval by counsel?
Yes, every template that may go to customers should be pre-reviewed by counsel and updated for the actual incident before sending. Archive both the blank template (pre-approved) and the as-sent version after each incident.
Q: How does this overlap with our existing SOC 2 Type II audit work?
Significantly. The IRP, training records, and service-provider oversight evidence map directly to SOC 2 CC7 (System Operations) and CC9 (Risk Mitigation) controls. One archive, multiple framework citations.
Q: How long does the initial archive build take?
Most small firms can build a complete first-cut archive in 4-8 hours over 1-2 days. The hard part isn't capture — it's deciding which pages comprise the IRP and getting consensus on classification.
Bottom line
The June 3, 2026 Reg S-P deadline is here. Your incident response plan needs to be documented, archived, dated, and retrievable — and the safest way to capture it is locally, never routing sensitive policy content through a third-party converter. Convert: Web to PDF generates real PDFs (selectable text, working links, timestamp + URL header) from any page you can see in your browser, including SSO-gated internal wikis. Free, local, zero network requests during conversion. Pair with Convert: Anything to PDF for merging quarterly examiner packages. Build the archive, drill the retrieval, and the next examiner conversation gets easier.