Financial Services · 16 min read

RIA Cybersecurity in 2026: What SEC Examiners Actually Look For (and How to Pass Without Drama)


Alexander Sverdlov

Security Analyst

5/14/2026

RIA Compliance · Cybersecurity · May 2026


A practical guide for Principals and Chief Compliance Officers at Registered Investment Advisers. What changed in Reg S-P, why your last cyber audit may have given you a false sense of security, and the 12-item checklist that decides whether the next SEC exam is a routine visit or a 90-day remediation order.

[Figure: RIA cybersecurity at the SEC examination crossroads. Three things converge in 2026 for every RIA: the Reg S-P amendments (adopted in 2024, compliance phased in through June 2026), SEC exam priorities (cyber on every cycle), and real-world losses (wire fraud and ransomware; $1.2M average BEC loss at an RIA in 2025). Regulatory pressure, examiner attention, and the actual threat all peak at the same time.]

Key Takeaways

  • The Reg S-P amendments adopted in May 2024 (compliance required from December 3, 2025 for larger advisers, those with $1.5B or more in AUM, and from June 3, 2026 for everyone else) require RIAs to notify affected individuals of a breach within 30 days, to maintain a written incident response program, and to oversee service providers. Most RIAs we work with are not actually compliant; they just have not been examined yet.
  • SEC examiners now ask the same eight cyber questions in nearly every exam. None of them are about firewalls or antivirus. They are about governance, vendor oversight, incident response, and the CCO's actual day-to-day program management.
  • The $1.2M average BEC loss at RIAs in 2025 (median $850K for wire-instruction fraud) came from social engineering of client wire instructions, not from technical compromise. Your firewall did not let you down; your callback procedure did.
  • Custodian relationships (Schwab, Fidelity, Pershing) carry contractual security obligations that flow down to you. If you have not read the latest version of your custodian's vendor security expectations recently, you are exposed.
  • For a 25-person RIA, a genuinely defensible cybersecurity program costs roughly $41K to $100K in year one and $34K to $75K per year ongoing (the line items are in Step Six). Less than that means you are buying compliance theater. More than that for a firm this size means you are being oversold.
  • The 12-item CCO checklist at the end of this post is what we use when an RIA hires us before an SEC exam. Run through it before your next examination notice arrives.

Last quarter we got a call from the Chief Compliance Officer of a Greenwich, Connecticut RIA managing $640M for 180 households. Their SEC examination notice had arrived 96 hours earlier. The document request listed 47 items. Item 23 read: "Provide your cybersecurity policy, evidence of testing within the past 18 months, incident response procedures, and a summary of any reportable events under Reg S-P during the examination period."

They had a cybersecurity policy. They had paid for it in 2023. The policy was a 38-page document that read like it was written for a Fortune 500 bank. None of the procedures it described had actually been implemented. The Reg S-P language referred to the old version of the rule. There was no incident response test, no vendor risk register, and the CCO had never seen the policy until that morning.

We had nine business days. The exam concluded without findings. Below is the playbook we used, with the understanding that not every reader has nine days. Some have nine weeks. Some have nine months. The earlier you start, the smaller the panic.


Step One

The Eight Questions SEC Examiners Actually Ask About Cyber

SEC examinations have evolved. A decade ago, the cyber portion was light, sometimes a single bullet on the document request. Today, examiners working under the Division of Examinations' annual priority statement walk in with a structured set of questions and they expect documented answers. The same eight questions show up in nearly every exam we have helped clients prepare for in the past 24 months.

The Eight Cyber Questions on Every Recent RIA Exam (none are about firewalls; all are about program governance):

  1. Who owns the cybersecurity program? "Show me an org chart with named individuals, reporting lines, and frequency of board updates." The right answer is a person, not a vendor.
  2. How do you classify and protect client data? "Walk me through where account numbers, SSNs, and beneficiary data live, and who can access each." The right answer includes a data map.
  3. How do you onboard and monitor vendors? "Show me your vendor inventory, due diligence questionnaires, and SOC 2 reports for critical ones." The right answer is a populated register.
  4. What happens when an employee is offboarded? "Walk me through the last termination. Show me a checklist with timestamps and reviewer signatures." The right answer takes under five minutes to produce.
  5. How do you train employees? "Show me last year's training records, phishing simulation results, and remediation for failures." The right answer includes consequences for repeat clickers.
  6. What is your incident response plan? "When did you last test it? Who participated? What findings came out, and how were they closed?" The right answer is a tabletop within the last 12 months.
  7. Are you ready for a Reg S-P 30-day notification? "Show me the template, the legal review process, and the trigger criteria you would use."
  8. How do you report cyber to the board? "Show me the last four quarterly cyber updates delivered to your management committee."
Figure 1. The exact eight cyber questions we see in nearly every recent RIA examination. Questions 7 and 8 are the newest and the ones firms are least prepared for.

If you read these eight questions and your honest internal answer to any of them is "I think we have that somewhere" or "our IT vendor handles it," your exam will not go well. Examiners are explicit and patient. They will ask the same question three different ways. They will check whether the document you produce was created before or after you received the exam notice (file metadata). They have seen every shortcut, including the policy that was downloaded yesterday from a compliance website.

Step Two

Reg S-P Amendments: The 30-Day Notification Rule That Catches Everyone

In May 2024 the SEC adopted amendments to Regulation S-P that materially changed what every RIA has to do when client data is exposed. Compliance was phased: December 3, 2025 for larger entities (for advisers, $1.5B or more in AUM) and June 3, 2026 for everyone else, so at the time of writing every RIA is either already covered or weeks away from it. Most firms we work with first hear about these amendments through us, not through their existing compliance vendor. The two material changes:

  1. Mandatory individual notification, as soon as practicable and no later than 30 days after the firm becomes aware that sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization. The clock starts at awareness, not when the investigation completes. The only way off the clock is a documented determination, after reasonable investigation, that the information has not been and is not reasonably likely to be used in a way that causes substantial harm or inconvenience. Notification content has prescribed elements (a general description of the incident, the type of data involved, the date or estimated date range, and how to reach the firm).
  2. Written incident response program with documented procedures for assessing the nature and scope of an incident, containing it and preventing further unauthorized access, and notifying affected individuals. It must also cover oversight of service providers, including an expectation that they notify you within 72 hours of becoming aware of a breach involving your customer information. Have the program approved by the principal or board and reviewed annually; the Advisers Act compliance rule already requires an annual review of written policies.
The Reg S-P 30-Day Notification Clock (the clock starts at "aware that unauthorized access has occurred or is reasonably likely to have occurred," not at "we are sure"):

  • T-0, Discovery: internal awareness that something happened.
  • Day 0, Awareness: the CCO or designated officer concludes that unauthorized access to customer information has occurred or is reasonably likely to have occurred. The clock starts here, whether or not the investigation is complete.
  • Day 14, Drafting: notification language drafted and legally reviewed; scope of affected individuals confirmed.
  • Day 25, Send: notification sent to affected individuals via the documented method.
  • Day 30, Deadline: hard regulatory deadline. Missing it is itself a violation, independent of the breach.

The trap: most CCOs assume the clock starts at "we have confirmed everything." It does not. And because the rule says "as soon as practicable," a firm that sits on a finished notice until day 29 is also exposed.
Figure 2. The Reg S-P 30-day notification clock. Day 0 is awareness that access has occurred or is reasonably likely to have, not investigation completion.

The practical implication is that you need three things ready before an incident occurs: an approved notification template with placeholder content (so you are filling in blanks, not drafting from scratch under pressure), a documented determination procedure that names who has authority to start the clock, and a relationship with outside counsel who can review notification language in 24 hours. If any of those three is missing, your real-world response to a breach will violate Reg S-P regardless of how well you contained the technical incident.

Step Three

The Five Attack Vectors That Actually Hit RIAs

Forget the news cycle about state-sponsored attackers and zero-day exploits. The actual attacks that have caused losses at RIA firms in the past 24 months are these five, in order of frequency:

Five Attack Vectors That Actually Hit RIAs in 2025-2026, by incidence and severity, with the single control that stops each:

  1. Wire-instruction social engineering (most common; highest median loss, $850K). Attacker compromises a client's email and sends "updated wire instructions" to the advisor, who processes the wire. Control: documented out-of-band callback verification to a phone number already on file, every time, no exceptions.
  2. Business email compromise of the advisor's own M365 account (median loss $340K). Attacker phishes an advisor's M365 credentials, sets up inbox forwarding rules, and sends "I am out of office, please process this transfer." Control: MFA on M365 with FIDO2 hardware keys for advisors, plus alerting on inbox-rule creation.
  3. Vendor compromise feeding into your firm (third-party portfolio management, CRM, planning tools). Vendor gets breached; attacker pivots through API integrations or SSO to reach your client data. Control: critical-vendor SOC 2 review with concrete questions on incident notification and data segmentation.
  4. Ransomware on the firm's own infrastructure (median loss $180K plus 14 days of downtime). Encrypted files and a ransom demand, usually delivered via phishing or RDP exposed to the internet. Control: tested offline backups, EDR with isolation capability, and no RDP exposed to the internet.
  5. Fake-client onboarding fraud (synthetic identity used to open and then drain accounts). A synthetic identity passes onboarding, the account is funded, and the attacker initiates withdrawals before fraud detection catches up. Control: live video verification at onboarding plus a 30-day cooling period before large withdrawals.
Figure 3. The five attack patterns that have caused all measurable losses at RIA firms in our caseload. Each has a single named control that prevents it.

Pattern recognition: at least three of the five attacks above start with someone clicking, replying to, or trusting an email. Technical controls matter, but the highest-leverage investment for an RIA is training plus procedural friction. Your callback procedure for wire changes is the difference between losing $850K and losing nothing.
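Attack 2 above names "alerting on inbox-rule creation" as the control, which only helps if someone actually reads the alerts and can tell a newsletter filter from a forwarding-and-delete rule. The script below is an added example, not code from the original post, showing the triage logic. It assumes the record shape Exchange Online writes to the Microsoft 365 Unified Audit Log for the New-InboxRule and Set-InboxRule operations (one JSON object per event with "Operation", "UserId", "ClientIP" and a "Parameters" list of name/value pairs); the firm domain example-ria.com, the hiding-folder list and the four audit records are constructed for the example.

```python
"""Triage Exchange Online inbox-rule audit events for BEC persistence.

Added example, not code from the original post. It assumes the record shape
Exchange Online writes to the Microsoft 365 Unified Audit Log for the
New-InboxRule / Set-InboxRule operations: a JSON object per event with
"Operation", "UserId", "ClientIP" and a "Parameters" list of
{"Name": ..., "Value": ...} pairs. The firm domain, folder list and the
four audit records below are all constructed for the example.
"""
import json
import re

INTERNAL_DOMAINS = {"example-ria.com"}  # assumption: the firm's own mail domains

# Parameters that send a copy of mail somewhere else, checked in this order.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Folders attackers move mail into so the victim never sees replies or bounces.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}

# Subject/body words typical of rules that hide a wire or payment conversation.
SUSPICIOUS_KEYWORDS = ("wire", "transfer", "invoice", "payment", "bank", "password")

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record):
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external_addresses(value):
    """Addresses in a ForwardTo/RedirectTo value whose domain is not ours."""
    return [a for a in ADDRESS_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def score_rule(record):
    """Return the reasons an inbox-rule event looks like BEC persistence ([] = benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(record)
    reasons = []
    for name in FORWARDING_PARAMS:
        external = _external_addresses(p.get(name, ""))
        if external:
            reasons.append(f"{name} to external address {', '.join(external)}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    # MarkAsRead is only interesting when combined with hiding or forwarding.
    if p.get("MarkAsRead", "").lower() == "true" and reasons:
        reasons.append("MarkAsRead=True")
    for name in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words = p.get(name, "").lower()
        if any(k in words for k in SUSPICIOUS_KEYWORDS):
            reasons.append(f"{name} matches wire/payment keywords")
    # Attackers often name the rule "." or "," so it is easy to overlook in the client.
    if "Name" in p and p["Name"].strip() in ("", ".", ",", "..") and reasons:
        reasons.append("near-empty rule name")
    return reasons


def triage(log_lines):
    """Parse newline-delimited JSON audit records; return (user, client IP, reasons) per alert."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = score_rule(record)
        if reasons:
            alerts.append((record.get("UserId"), record.get("ClientIP"), reasons))
    return alerts


# Constructed sample records (not real log data): one BEC-style rule, one benign
# newsletter rule, one unrelated operation, one hide-the-invoices rule.
SAMPLE_LOG = r"""
{"CreationTime": "2026-04-21T13:02:11", "Operation": "New-InboxRule", "UserId": "advisor@example-ria.com", "ClientIP": "203.0.113.77", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectOrBodyContainsWords", "Value": "wire;transfer;instructions"}, {"Name": "ForwardTo", "Value": "\"Ops Mailbox\" [SMTP:ops-mail@lookalike-example.net]"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2026-04-21T13:05:40", "Operation": "New-InboxRule", "UserId": "assistant@example-ria.com", "ClientIP": "198.51.100.10", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2026-04-21T13:09:02", "Operation": "MailItemsAccessed", "UserId": "advisor@example-ria.com", "ClientIP": "203.0.113.77", "Parameters": []}
{"CreationTime": "2026-04-22T08:15:00", "Operation": "Set-InboxRule", "UserId": "principal@example-ria.com", "ClientIP": "203.0.113.91", "Parameters": [{"Name": "Identity", "Value": "Cleanup"}, {"Name": "SubjectContainsWords", "Value": "invoice"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]}
""".strip().splitlines()

if __name__ == "__main__":
    for user, ip, reasons in triage(SAMPLE_LOG):
        print(f"ALERT {user} from {ip}: {'; '.join(reasons)}")
```

Run against the constructed log it raises two alerts: the advisor's rule (external forward, delete, mark-as-read, wire keywords, near-empty name) and the principal's "Cleanup" rule that shunts invoices into RSS Subscriptions, while the newsletter filter and the unrelated MailItemsAccessed event stay quiet. The point of scoring on combinations rather than single parameters is that a plain "move newsletters to a folder" rule is the normal case and must not drown the one rule that matters; in production the same function would be fed from an audit-log export or a SIEM search rather than from the embedded sample.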


Step Four

Custodian Security Expectations: The Quiet Contract You Already Signed

Your custodian (Schwab, Fidelity, Pershing, LPL, RBC, others) is not just a back office. They are a regulated counterparty whose own examiners require them to assess and manage the security of the RIA firms that custody assets with them. That requirement flows down to you through the master account agreement you signed and through periodic updates that arrive in your portal or as small-print policy notifications.

In practice, the major custodians now expect (or require) RIA firms to:

Requirement and typical timeline / format:

  • MFA for all custodian portal logins: already mandatory at all major custodians; phishing-resistant MFA (FIDO2) increasingly required for high-volume firms.
  • Annual cybersecurity attestation: self-attestation form covering policies, training, vendor management, and incident response, submitted via the custodian portal annually.
  • Wire transfer procedural controls: documented callback verification, dual-approval thresholds, and fraud-monitoring integration with custodian alerts.
  • Incident notification within hours: if you suspect any compromise of credentials or systems that touch the custodian, written notification is expected within 24 hours.
  • Vendor disclosure: disclosure of third-party data processors with access to client data or trading systems, updated when there are material changes.
  • Employee offboarding within 24 hours: all access to custodian portals revoked within 24 hours of separation, documented and auditable.

The honest reality: most RIA firms we work with did not know all of these were already in their custodian contracts. The first time some of these get attention is when the custodian notifies the firm that a vendor audit will occur. By then the firm has 60 days to demonstrate compliance. With preparation, that is a routine exchange; without preparation, it can result in account-onboarding restrictions or worse.

Step Five

The 12-Item CCO Cybersecurity Checklist

This is the actual list we use when an RIA hires us to prepare for an SEC examination. It is also a defensible standing program when worked through deliberately over six months. Each item is a deliverable, not a goal. If you cannot produce the listed evidence within 30 minutes of a request, that item is not actually done.

The CCO's 12-Item Cybersecurity Checklist (each item must produce evidence on demand within 30 minutes):

  1. Written Information Security Policy: approved by the firm's principal or board; reviewed annually with a dated signature.
  2. Data inventory and classification: map of where PII, account numbers, and SSNs live across systems and SaaS.
  3. Vendor inventory and risk tiering: spreadsheet listing every vendor with data access, its tier, and the date of the last SOC 2 review.
  4. Access control review (quarterly): reviewer-signed evidence that user access was reviewed in the last 90 days.
  5. MFA on all critical systems: screenshots of enforced MFA on M365, CRM, portfolio management, and the custodian portal.
  6. Employee training program: records of training completion within 12 months for every active employee.
  7. Phishing simulation results: quarterly phishing test with click rates and remediation actions for repeat clickers.
  8. Incident response plan and tabletop: written IRP with named roles; tabletop exercise within the last 12 months.
  9. Reg S-P notification template: pre-drafted template with legal review, trigger criteria, and a designated decision-maker.
  10. Wire-fraud control procedure: written callback procedure, dual-approval threshold, and fraud-pattern training records.
  11. Independent assessment: annual or biennial cyber assessment by an external firm, with findings closed.
  12. Quarterly board reporting: cyber update in each of the last four quarterly principal or board meetings.
Figure 4. The 12-item CCO cybersecurity checklist. Each row is a deliverable with on-demand evidence.

Step Six

What a Defensible RIA Cyber Program Actually Costs

For a 25-person RIA managing $500M to $1.5B in AUM, our cost ranges are concrete and well-validated. Lower than this and you are paying for paperwork without controls. Higher than this for this size firm and someone is selling you enterprise tooling you do not need.

Cost category (Year 1, USD / Year 2 onwards, USD):

  • Initial assessment and program build: $15,000 to $35,000 / not applicable
  • Annual independent assessment: included in the build above / $8,000 to $18,000
  • Outsourced cyber program management (or fractional CISO): $12,000 to $30,000 / $12,000 to $24,000
  • Phishing training and simulation platform: $1,500 to $4,000 / $1,500 to $4,000
  • EDR / endpoint protection: $2,500 to $6,000 / $2,500 to $6,000
  • Email security (anti-phishing, BEC detection): $2,000 to $4,500 / $2,000 to $4,500
  • Backup and DR validation: $3,000 to $8,000 / $3,000 to $6,000
  • Cyber insurance (commensurate, not catastrophic): $5,000 to $12,000 / $5,000 to $12,000
  • Total range: $41,000 to $99,500 / $34,000 to $74,500

Compare against the median wire-fraud loss alone ($850K) or the median ransomware loss ($180K plus two weeks of downtime). The program is cheaper than a single incident, and most of these line items also lower your cyber insurance premium meaningfully.

How Atlant Security Helps RIAs

SEC-Ready Cyber Programs for RIAs in 90 Days

We build defensible cybersecurity programs for RIA firms managing $250M to $5B in AUM. Reg S-P aligned policies, the 12-item CCO checklist fully populated, tabletop incident response, custodian-attestation ready, and quarterly board reporting on autopilot. Fixed pricing from $15,000 for the initial program build, with ongoing fractional CISO support starting at $1,200 per month. You pay after we deliver the report and your principal reviews it.

  • Initial program build in 90 days, fixed price from $15,000
  • Reg S-P aligned policies, notification templates, tabletop IR
  • Vendor risk register, critical-vendor SOC 2 reviews completed
  • Phishing simulation program kickoff and quarterly training
  • Quarterly board cyber updates we write and you present
  • SEC examination preparation included if exam notice arrives

Book a 30-minute call →

Frequently Asked

Questions RIA Principals Ask Us

We are a 12-person RIA. Do we really need all 12 checklist items?

Yes, in scope appropriate to your size. Items 1 through 10 are non-negotiable at any firm with discretionary authority over client funds. Items 11 (independent assessment) and 12 (board reporting) scale to your governance structure. A 12-person firm with a single managing principal still benefits from a quarterly written cyber summary to the principal; that becomes the "board" record for examination purposes.

Our IT vendor says they have us covered. Are they right?

Probably partially. IT vendors typically handle items 5 (MFA), 7 (some training tooling), and parts of items 4 (access control) and 8 (technical incident response). They do not write policies, do not perform independent assessments of their own work, do not maintain the vendor inventory of all your other vendors, do not draft Reg S-P notification templates, and do not produce board reporting. The CCO retains responsibility regardless of what the IT vendor does. Make sure the line is drawn in writing.

We just had an SEC exam. Can we relax for a few years?

No. Exam cycles are not fixed and a clean exam does not extend the next one. More importantly, the threat landscape and regulatory expectations move faster than exam cycles. Reg S-P amendments took effect between most firms' exam cycles, and the firms we worked with who did not update their programs were the ones who got findings on the next exam two to four years later.

Do we need a SOC 2 report ourselves, or just from our vendors?

RIAs generally do not need to produce their own SOC 2. SOC 2 is a vendor assurance framework used between service organizations and their customers. RIAs are typically customers in the SOC 2 universe, not service organizations. The exception is RIAs that themselves host technology used by other RIAs or institutional clients, in which case SOC 2 becomes relevant. For most RIAs, the right move is to collect SOC 2 reports from critical vendors and document review of them, not to pursue your own.

Cyber insurance: how much coverage is appropriate?

Common range for RIAs we work with is $1M to $5M in coverage, with $5M typical for firms managing $1B+ AUM. The more important variable than coverage amount is the policy's incident response retainer (which IR firm gets called and on what terms) and the exclusion list (especially social engineering and crypto-related exclusions). Read the policy with your security advisor, not just your insurance broker.

What is the first thing we should do this month?

Two things this month, in order. First, run a wire-fraud scenario through your team verbally: "A client emails to change wire instructions for a $500K outgoing transfer. Walk me through what happens next." If anyone in the room says anything other than "we call the client at the phone number we have on file, period," your firm is at risk. Second, locate your current cybersecurity policy, open it, and check the date. If it is more than 12 months old, it has missed the annual review the Advisers Act compliance rule expects; if it predates the 2024 amendments, it does not reflect Reg S-P as it now stands.

The RIAs that struggle in SEC examinations are not the ones with sophisticated attackers. They are the ones who treated cybersecurity as a compliance document rather than a program. The document has not been touched in two years. The procedure has not been tested. The vendor list has not been updated since three vendors ago. The training records do not exist for the three employees hired in the past 18 months.

If you are the CCO or the principal reading this and any of those sentences described your firm, you have a window. Most RIA examinations are scheduled 60 to 120 days in advance. That is enough time to operationalize the 12-item checklist if you start tomorrow. Less than 60 days is tight but workable. Less than 30 days, the right call is to bring in outside help and triage. We have done this enough times to know that nine days is doable in extremis. Sixty days is comfortable. Ninety days, with deliberate work, is the difference between an exam that lasts two weeks and one that drags into a 90-day remediation order.

Want a no-obligation review of where your firm sits against the 12-item checklist? Book a 30-minute consultation or email alexander@atlantsecurity.com directly.


Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.