The New Cybersecurity Examination Reality for RIAs

What the SEC Is Asking for and What Your Firm Must Be Prepared to Deliver
Executive Summary
Cybersecurity oversight for Registered Investment Advisers (RIAs) has transitioned from best-practice guidance to structured regulatory enforcement, driven by regulatory change and a heightened risk environment.
Recent SEC examination letters demonstrate that cybersecurity is no longer an ancillary inquiry; it is now a detailed, documentation-heavy review of governance, risk management, vendor oversight, and incident preparedness. Firms are being asked to produce detailed written policies, organizational charts showing cybersecurity responsibility, documented risk assessments, inventories of nonpublic personal information (NPI), vendor contracts, penetration testing reports, and records of any cybersecurity incidents.
The regulatory bar has shifted from “Are you secure?” to “Show us exactly how you know,” via proof of control testing, proof of vendor governance, and proof of incident readiness. This paper outlines the SEC’s top cybersecurity focus areas, explains why scrutiny has intensified, and provides practical guidance for RIAs seeking defensible readiness.
Governance and Documentation: Proving Control Exists
SEC examinations now begin with structure. Firms are expected to designate and document cybersecurity oversight, whether through a Chief Information Security Officer (CISO) or a clearly assigned responsible party. Examiners are requesting organizational charts that reflect cybersecurity accountability and reporting lines.
In addition, RIAs must maintain comprehensive, written cybersecurity policies that address data protection, remote office safeguards, encryption standards, access controls, and incident response protocols. These policies must be tailored to the firm’s operations, updated regularly, and mapped to applicable regulatory requirements. Generic templates are increasingly viewed as insufficient.
Equally critical is maintaining a formal, documented cybersecurity risk assessment. The SEC now expects firms to identify threats, assess likelihood and impact, evaluate control effectiveness, and document remediation steps. An informal annual discussion will not withstand scrutiny, as evidence of structured analysis is required.
Firms must also maintain a complete and current inventory of where client NPI resides. This includes internal systems, cloud platforms, custodial portals, CRM platforms, and any third-party vendor systems that store or transmit client information. Without this visibility, firms cannot credibly demonstrate protection.
Technical Controls: Demonstrating Operational Safeguards
The SEC’s inquiries increasingly move beyond policy into operational testing and control evidence. Firms are expected to enforce multi-factor authentication across critical systems, maintain strong password complexity and change requirements, and implement lockout thresholds for failed login attempts.
Penetration testing and vulnerability scanning have become baseline expectations. Examination letters now ask directly whether these are conducted and at what frequency. A firm should be prepared to demonstrate routine testing, documentation of findings, and evidence of remediation.
Encryption of devices, particularly laptops and remote-access endpoints, is essential. Data loss prevention measures and privileged access management practices should also be documented. The SEC may request records of recent user access changes, demonstrating that offboarding and permission updates are timely and controlled.
Vendor Oversight: Third-Party Risk Is First-Party Risk
The regulatory posture is clear that reliance on vendors does not shift responsibility. Examination letters now require firms to produce a full list of vendors with access to systems or NPI, identify whether contracts are active, and confirm whether cybersecurity terms are included in those agreements.
Firms must demonstrate that they conduct due diligence prior to onboarding vendors and maintain oversight throughout the relationship. This includes reviewing SOC reports where applicable, assessing vendor breach notification obligations, and tracking which vendors have system-level access. Third-party risk management must be documented, repeatable, and reviewable, not merely implied.
Identity Theft Controls and Fund Transfer Safeguards
Under Regulation S-ID, firms must maintain policies and procedures to detect, prevent, and mitigate identity theft. The SEC is paying particular attention to business email compromise (BEC) and fraudulent fund transfer attempts. Examination letters request documentation of the firm’s process for verifying client instructions and authenticating transfer requests.
This means firms should have clearly defined callback procedures, dual controls for wire transfers, escalation frameworks for suspicious requests, and training records demonstrating employee awareness. These controls must be more than stated; they must be documented and defensible.
Incident Response and Reporting: Preparing for the Inevitable
The SEC now expects firms to provide detailed information about any cybersecurity incidents, including ransomware events, vendor compromises, phishing-related breaches, or fraudulent transfers. Examiners request the timeline of events, client impact, funds lost, insurance claims, and copies of client notifications where applicable.
Accordingly, firms must maintain a written incident response plan, conduct periodic tabletop exercises, document any event regardless of severity, and preserve communication logs related to cybersecurity events. Preparation reduces chaos in the moment and demonstrates governance under scrutiny.
Annual Reviews and Ongoing Testing
Under Rule 206(4)-7, RIAs are required to conduct and document annual compliance reviews. Increasingly, the SEC expects to see evidence that cybersecurity controls were included in this review process. Firms should maintain documentation of testing, risk reassessment, and updates to policies or procedures.
If a firm has conducted mock examinations or engaged outside consultants for preparedness assessments, maintaining copies of these reports can further demonstrate seriousness and proactive governance.
The Alles Technology Approach
Alles Technology partners with RIAs to build structured, defensible cybersecurity programs that align with the level of detail now reflected in SEC examinations. Our approach integrates governance documentation, formal risk assessments, vendor oversight frameworks, penetration testing coordination, access control review, and incident response readiness into a cohesive compliance posture.
We work with firms to ensure that when regulators ask for organizational charts, NPI inventories, penetration testing reports, vendor contracts, and documented incident history, the response is organized, thorough, and confidence-inspiring.
Take the First Step Toward Minimizing Cyber Risk
The sooner your infrastructure is hardened, the sooner your clients are safer.
