On June 3, 2026, the SEC’s amended Regulation S-P rules took effect for smaller registered investment advisers, the firms managing under $1.5 billion in client assets. Most of the compliance officers Adelia Risk talks to spent the run-up to that deadline focused on written policies and vendor contracts. The gap we see most often in RIA cybersecurity is quieter than that. It’s the default Mail app on an advisor’s personal iPhone.
Picture a common setup. An advisor adds their work email to the iPhone’s built-in Mail app because it’s already there, and it just works. Months later, the phone is lost or left in the back of a rideshare. Client names, account details, and message history are sitting in that app, and the firm has no way to remotely wipe it or to prove it was wiped.
Why Apple Mail Specifically
That last part is the whole problem.
Microsoft offers app-level security controls called Mobile Application Management, or MAM. MAM lets a firm wipe work data from a phone without touching the employee’s personal photos, texts, or apps. We’ve written a full walkthrough on setting up MAM without the creepy factor. But MAM only works on apps built to support it. Outlook is built for it. Apple’s built-in Mail app is not.
So if work email lives in Outlook, the firm can remove just the work data from a lost phone and show in Microsoft’s admin console that it happened. If that same email lives in Apple Mail, there is no equivalent. You cannot selectively wipe it, and on a personal phone, you usually cannot say anything reliable about it at all.
The Reg S-P Connection
Here’s where Regulation S-P comes in. The amended rule requires covered firms, RIAs included, to notify affected clients as soon as practicable, and no later than 30 days, after the firm becomes aware that sensitive customer information was, or was reasonably likely to have been, accessed without authorization.
A lost phone is not automatically a reportable breach. The rule gives you an off-ramp: if you investigate and reasonably determine the information was not, and is not likely to be, misused in a way that causes harm, you do not have to send notices.
But notice what that off-ramp depends on. To say the data is not likely to be misused, you have to be able to say something about what happened to it. With Outlook and MAM, you can. You wiped the work data, and here’s the record. With Apple Mail on a personal phone, you often can’t. No wipe, no record, and no honest way to reach “not likely to be misused.” The built-in Mail app quietly talks you out of your own best defense.
The Two Honest Choices
This leaves RIAs with two real options for work email on personal phones.
The first is full device management, usually called MDM, where the firm manages the entire phone and can wipe anything on it, including Apple Mail. It gives you the most control. The tradeoff is that employees feel it. The firm now manages their personal devices, and some will push back. We’ve covered how MDM works and where it fits if that’s the direction you lean.
The second option is app-level management, using MAM with Outlook. On a personal phone (a bring-your-own-device, or BYOD, setup), the firm controls only the work data inside Outlook, and can wipe and document just that. Personal data stays untouched. The condition is that work email runs through Outlook, and the built-in Mail app stays off the table for firm email.
Both are legitimate. The mistake is not choosing at all. You let people wire up whatever mail app they like, and assume it’s covered.
The Fix Is Small. The Failure Is Not.
This is why we keep coming back to it. For most RIAs, the fix is one line in your mobile device acceptable use policy (work email on personal phones goes through Outlook, not the built-in Mail app), plus the time it takes to turn MAM on. The expensive version is the conversation where you explain to a client, or to an SEC examiner, why you couldn’t account for their data after a phone went missing.
If you’re not sure which path fits your firm, that’s exactly the kind of call Adelia Risk’s RIA cybersecurity service helps RIAs make. And if you want the technical walkthrough, start with our guide to setting up MAM without the creepy factor.
When Adelia Risk Helps
Adelia Risk helps RIAs and other regulated businesses implement practical mobile security controls that protect client data without turning personal devices into company-managed assets. We help firms evaluate BYOD risks, deploy Microsoft Intune Mobile Application Management (MAM), document selective wipe procedures, and align mobile access controls with regulatory requirements like Regulation S-P. If you’re not sure whether Apple Mail, Outlook, MAM, or full device management is the right fit for your firm, or if you want a second set of eyes on your mobile security strategy, our Virtual CISO service is built for exactly that work.