The SEC’s approach to cybersecurity has shifted dramatically over the past three years. What was once a periodic examination question has become a central focus of every review cycle — and the consequences of an underprepared program have never been higher. Our team has built and maintained cybersecurity programs at institutional investment managers, including a $9B structured credit fund operating across SEC and FCA jurisdiction. This is what we’ve learned.
What Changed in 2023
The SEC’s 2023 cybersecurity rule amendments under Regulation S-P and the new cybersecurity disclosure rules fundamentally raised the bar for registered investment advisers and broker-dealers. The most significant changes:
- Mandatory incident notification: Advisers must now notify affected individuals within 30 days of discovering a data breach involving customer information.
- Written incident response procedures: No longer optional. Every registered firm must maintain documented, tested procedures.
- Annual risk assessments: Required documentation of your cybersecurity risk assessment process, not just the output.
- Enhanced disclosure requirements: Public companies face new requirements for material cybersecurity incident disclosure within four business days on Form 8-K.
For hedge funds and RIAs, the practical implication is clear: an informal approach to cybersecurity — where controls exist but aren’t documented, tested, or reviewed on a schedule — is now a liability in examination. Examiners don’t just ask what you have. They ask for evidence of what you’ve done.
What the SEC Examines
OCIE (now EXAMS) has published its examination priorities each year since 2014, and cybersecurity has appeared on that list every year since 2015. The examination scope has expanded and become more specific. Based on our direct experience supporting hedge fund operations through SEC examinations, here is what gets scrutinized:
Written Cybersecurity Policies and Procedures
Examiners will request your written information security policy on day one of any examination. They want to see that it is comprehensive, current, and actually reflects how your firm operates. The most common gap: policies written years ago and never updated to reflect current systems, cloud environments, or remote work arrangements.
Annual Risk Assessments
Your written assessment must identify assets, threats, vulnerabilities, and the controls in place to address them. Examiners want evidence that the assessment was conducted, by whom, and what actions resulted. A risk assessment without follow-through action items is worse than no assessment — it documents that you knew about problems and did nothing.
Vendor and Third-Party Risk Management
Investment firms outsource extensively — prime brokerage technology, data providers, compliance platforms, cloud infrastructure. Each relationship represents a potential attack vector. The SEC expects you to conduct due diligence before engaging vendors and review their security posture on an ongoing basis. We’ve seen examinations go sideways specifically because a firm couldn’t produce vendor security assessments for its SaaS compliance tool.
Incident Response Planning
Your incident response plan must exist in writing, be tested, and be current. “We would call our IT consultant” is not an incident response plan. Examiners want to see: defined roles and responsibilities, escalation paths, communication procedures (including regulatory notification timelines), and evidence of tabletop exercises.
Employee Training Programs
Phishing tests, security awareness training, and new-hire onboarding are expected. Examiners will ask about training frequency and may request participation records. The bar has risen significantly since 2020 — annual training is often insufficient; quarterly or continuous training is the emerging standard.
Access Controls and Authentication
Multi-factor authentication for all remote access and email is now effectively mandatory. Examiners look for privileged access management, the principle of least privilege, and offboarding procedures. Forgotten service accounts and ex-employee access are persistent findings.
Data Encryption
Data must be encrypted in transit and at rest. Full-disk encryption on laptops, TLS for data transmission, encrypted backup storage. If your firm handles sensitive investor data — which every fund does — unencrypted storage is a serious finding.
Business Continuity and Disaster Recovery
Your BCP must be documented and tested. Examiners want to know your recovery time objectives, how backups are maintained, and whether you’ve actually exercised the plan.
The NIST Framework for Investment Advisers
The NIST Cybersecurity Framework (CSF) has become the de facto standard for investment advisers. While not legally mandated for private funds, it is the framework SEC examiners use as a reference point, and it maps cleanly to Regulation S-P requirements.
The framework organizes cybersecurity activities into five functions:
Identify — Know your assets. What systems do you have? What data do you hold? Where does sensitive investor information live? Many firms underestimate this step. A cloud-first or hybrid environment makes asset inventory genuinely difficult, but it’s the foundation everything else builds on.
Protect — Implement safeguards. Access controls, training, data security, maintenance procedures, and protective technology. This is the largest operational domain — and where most firms invest their security budget.
Detect — Know when something is wrong. Continuous monitoring, log collection, and anomaly detection. For most investment managers, this means a SIEM (like Splunk) or a managed detection service. Without detection capability, you may not know you’ve been compromised for months.
Respond — Have a plan for when something happens. Incident response planning, communications, and mitigation.
Recover — Restore operations and learn from incidents. Backup systems, recovery planning, and post-incident review.
Mapping your existing controls to this framework is a useful exercise before any examination. It surfaces gaps in a structured way and gives you language that aligns with examiner expectations.
Common Examination Findings
After years of working alongside compliance teams and outside counsel on SEC examination responses, we see the same issues repeatedly:
The policy-versus-practice gap is the most common finding. A firm has a written policy stating that all employees must use MFA, but three legacy systems don’t support it and no one has addressed the exception. Examiners find inconsistencies between written policy and operational reality almost every time they look.
Inadequate third-party vendor reviews are endemic. Firms conduct thorough diligence on fund administrators and prime brokers, then fail to review the security of their portfolio management software, expense management platform, or investor portal. Every SaaS application that touches investor data or fund information is in scope.
Untested incident response procedures appear frequently. A firm has a written IRP but has never conducted a tabletop exercise. When examiners ask “what would you do if your email was compromised tomorrow?” the answer reveals that no one has thought through the practical steps. Evidence of testing — even a brief memo documenting a tabletop walkthrough — closes this finding.
Access control gaps in offboarding are surprisingly common even at sophisticated firms. A portfolio analyst leaves; their Bloomberg, prime brokerage platform, and email are deprovisioned, but their access to the shared drive and document management system remains active for months. A formal offboarding checklist tied to HR is the fix.
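As an added illustration of the offboarding finding above (example code, not from the original article or from Chadsel), this reconciles an HR leaver list against per-system account exports, flags leaver accounts still active and active accounts with no HR record at all, and renders the written record a quarterly access review should leave behind. All users, systems and dates are constructed sample data.

```python
from datetime import date

# Constructed HR roster; termination_date is None for current staff.
HR_ROSTER = [
    {"user": "jdoe", "role": "Portfolio Analyst", "termination_date": date(2024, 3, 15)},
    {"user": "asmith", "role": "Trader", "termination_date": None},
    {"user": "bchen", "role": "Operations", "termination_date": date(2024, 5, 1)},
]
# Constructed per-system account exports (user -> status). Note the service
# account on the shared drive that HR has no record of.
SYSTEM_EXPORTS = {
    "email": {"jdoe": "disabled", "asmith": "active", "bchen": "disabled"},
    "bloomberg": {"jdoe": "disabled", "asmith": "active"},
    "prime_broker_portal": {"jdoe": "disabled", "asmith": "active", "bchen": "disabled"},
    "shared_drive": {"jdoe": "active", "asmith": "active", "bchen": "active", "svc-backup": "active"},
    "document_mgmt": {"jdoe": "active", "asmith": "active", "bchen": "disabled"},
}
REVIEW_DATE = date(2024, 6, 30)  # constructed review date

def find_stale_access(roster, exports, as_of):
    """Leavers whose accounts are still active: (user, system, days since termination)."""
    findings = []
    for person in roster:
        term = person["termination_date"]
        if term is None or term > as_of:
            continue  # current employee, or leaver not yet departed
        for system, accounts in exports.items():
            if accounts.get(person["user"]) == "active":
                findings.append((person["user"], system, (as_of - term).days))
    return findings

def find_orphan_accounts(roster, exports):
    """Active accounts with no HR record (forgotten service accounts, contractors)."""
    known = {p["user"] for p in roster}
    return sorted((system, user) for system, accounts in exports.items()
                  for user, status in accounts.items()
                  if status == "active" and user not in known)

def review_record(findings, orphans, as_of, reviewer):
    """Render the written record that evidences the review was performed."""
    lines = [f"Quarterly access review as of {as_of.isoformat()} (reviewer: {reviewer})",
             f"Leaver accounts still active: {len(findings)}"]
    lines += [f"  - {u} on {s}: terminated {d} days ago" for u, s, d in findings]
    lines.append(f"Active accounts with no HR record: {len(orphans)}")
    lines += [f"  - {u} on {s}" for s, u in orphans]
    return "\n".join(lines)

if __name__ == "__main__":
    stale = find_stale_access(HR_ROSTER, SYSTEM_EXPORTS, REVIEW_DATE)
    print(review_record(stale, find_orphan_accounts(HR_ROSTER, SYSTEM_EXPORTS), REVIEW_DATE, "IT Director"))
```

The rendered record, dated and attributed to a reviewer, is the artifact to file after each quarterly review; the same reconciliation run against a fresh export the following quarter shows whether the findings were actually closed.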
Missing encryption for sensitive data shows up when firms have grown quickly. A cloud migration leaves some data in unencrypted S3 buckets, or laptops issued before a full-disk encryption policy was adopted remain unencrypted.
Building a Compliant Program
The path to a defensible cybersecurity program isn’t complicated, but it requires discipline and documentation.
Start with a gap assessment. Compare your current state against the NIST framework and Regulation S-P requirements. Be honest about what you have documented versus what actually exists. This is the starting point for everything else.
Prioritize based on examination risk. Not all gaps are equal. An undocumented incident response plan is a more significant finding than suboptimal patch management cadence. Focus first on the issues most likely to generate findings and most likely to create real risk.
Document everything — examiners want evidence, not claims. This is the most important operational lesson from years of working through SEC examinations. Controls that aren’t documented don’t exist in examiner eyes. Every risk assessment, every training session, every tabletop exercise should generate a written record. The control and the documentation of the control are equally important.
Test your procedures regularly. Annual phishing tests, annual IRP tabletops, quarterly access reviews. Testing creates the evidence trail that demonstrates your program is operational, not just written. Our team has worked through this process at a $9B fund operating under both SEC and FCA jurisdiction, and the lesson bears repeating: a firm with a well-documented, moderately sophisticated program will fare better in examination than one with advanced technical controls that are poorly documented.
Build in continuous improvement. Cybersecurity is not a project with a completion date. Threats evolve, systems change, and regulations update. Your program should have a formal annual review cycle at minimum.
The Cost of Non-Compliance
SEC enforcement actions related to cybersecurity have accelerated since 2020. Recent enforcement actions have resulted in civil penalties ranging from $200,000 to over $35 million, depending on the severity of the violation and the size of the firm. For a small to mid-size hedge fund, even a mid-range enforcement action can be existential.
The enforcement risk is real, but it’s not the primary concern for most investment managers. The larger risk is reputational. Institutional allocators — pension funds, endowments, fund of funds — conduct operational due diligence that increasingly includes detailed cybersecurity questionnaires. A poor cybersecurity posture or a documented enforcement history can disqualify a manager from institutional capital, regardless of investment performance.
For funds that experienced a breach or examination finding, the downstream impact on AUM is well-documented. Allocators who have approved a manager may not reallocate after a security incident, even if the incident was contained. The reputational damage is often harder to recover from than the direct costs.
Working with an IT Consultant
If you’re building or improving a cybersecurity program, the most important thing to look for in a consultant is operational experience — not just framework knowledge. Building a policy document that maps to NIST is straightforward. Making it work in practice at a real investment manager, integrating with prime brokerage systems, navigating vendor risk across 20+ relationships, and keeping it defensible through SEC examination is a different skill set entirely.
Our team has managed these programs from both sides. We’ve sat in the seat of the Director of IT at an institutional fund, managed the vendor relationships that most consultants only advise on, and built compliance frameworks that have eliminated audit findings across multiple examination cycles.
If you’re preparing for an examination, conducting your first formal risk assessment, or rebuilding a program after a finding, we’d be glad to help. New clients receive a $500 credit toward any Chadsel engagement.