
SEC Cybersecurity Requirements for RIAs: A Practical Checklist

The SEC's cybersecurity rules have real teeth for RIAs. This checklist covers what examiners are looking for and what smaller advisers consistently miss.

Tags: SEC, RIA, cybersecurity



The SEC’s cybersecurity examination focus has intensified. For Registered Investment Advisers — especially smaller and mid-size firms — the gap between what examiners expect and what most firms have documented is wider than it appears from the regulatory text alone. This checklist is drawn from direct experience building and maintaining cybersecurity programs at regulated investment managers, including a dual SEC/FCA-jurisdiction fund managing more than $9 billion in assets.

What Changed and Why It Matters for RIAs

The 2024 amendments to Regulation S-P created obligations that many RIAs have not yet fully operationalized. Compliance is phased, with smaller entities given a later compliance date than larger ones, but the substance of the obligations is the same:

  • Written incident response program: Required. Policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Not a template; a documented, tested procedure specific to your firm.
  • Breach notification: Affected individuals must be notified as soon as practicable, and no later than 30 days after the firm becomes aware that unauthorized access to or use of their information has occurred or is reasonably likely to have occurred. The clock starts at awareness, not at the end of the investigation, and 30 days is the outer limit, not the target.
  • Risk assessment: Reg S-P does not prescribe an "annual risk assessment" by name, but examiners expect one as the basis for the safeguards program and the annual compliance review. Not just the output; the process must be documented and repeatable.
  • Service provider oversight: Written policies for overseeing service providers, including measures to ensure a provider notifies the firm as soon as possible and no later than 72 hours after becoming aware of a breach involving customer information it holds. Vendor risk management is now an examination focus, not a checkbox.

For firms with fewer than 50 employees, the practical challenge is operationalizing these requirements without a dedicated security team. The checklist below is organized by what SEC examination staff look for in practice.

The RIA Cybersecurity Checklist

Identity and Access Controls

  • Multi-factor authentication (MFA) enforced on all email, CRM, and portfolio management systems
  • MFA enforced on remote access (VPN, RDP) — not just email
  • Privileged account inventory: every admin account documented, reviewed quarterly
  • Offboarding procedure: access revocation checklist, tested at last two departures
  • Password policy: minimum 12 characters, no shared passwords, password manager deployed

Endpoint and Device Controls

  • Endpoint Detection and Response (EDR) on every firm-managed device — not legacy antivirus
  • Mobile Device Management (MDM) for firm email on personal or firm mobile devices
  • Full-disk encryption on laptops (BitLocker or FileVault)
  • Automatic screen lock after 5–10 minutes idle
  • Personal devices that access firm data enrolled in MDM or explicitly prohibited

Data Protection and Retention

  • Data classification: know where customer PII lives (CRM, custodian portals, email, file shares)
  • Data retention policy written, distributed, and acknowledged by staff
  • Backup of critical systems tested with a restore — not just confirmed as running
  • Customer data encrypted at rest on cloud storage systems
  • Written process for responding to data subject requests
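The backup item above is the one examiners most often find unsupported: the job log says the backup ran, but nobody has restored from it. A restore test that produces a record looks roughly like the following. This is an added example, not code from the original post; the sample files, archive names and the two failure scenarios are constructed for the demonstration, and the archive format (tar.gz) stands in for whatever your backup tool produces.

```python
"""Restore test for a backup archive: restores into an empty directory, compares
every file against a manifest taken at backup time, and returns a record that
can be filed as evidence of the test.

Added example, not part of the original post. Sample data is constructed.
"""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    return manifest(source)


def restore_test(archive: Path, expected: dict[str, str], restore_dir: Path) -> dict:
    """Restore the archive and compare against the backup-time manifest."""
    # Use the 'data' extraction filter where the interpreter supports it: it
    # rejects path traversal and special files coming out of a tampered archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **extract_opts)
    actual = manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "corrupted": corrupted,
        "passed": not missing and not corrupted,
    }


def run_demo() -> tuple[dict, dict]:
    """Constructed scenario: one complete backup, then a backup job that silently
    skipped a file and captured a truncated export. Both are restore-tested
    against the manifest from the known-good backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "crm-export"
        (source / "clients").mkdir(parents=True)
        (source / "clients" / "accounts.csv").write_text("id,name\n1,Example Client\n")
        (source / "policies.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

        good_manifest = create_backup(source, tmp / "backup-good.tgz")
        good_report = restore_test(tmp / "backup-good.tgz", good_manifest, tmp / "restore-good")

        (source / "policies.pdf").unlink()                              # file never backed up
        (source / "clients" / "accounts.csv").write_text("id,name\n")   # truncated export
        create_backup(source, tmp / "backup-bad.tgz")
        bad_report = restore_test(tmp / "backup-bad.tgz", good_manifest, tmp / "restore-bad")
        return good_report, bad_report


if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

The report dict is the artifact to keep: date of the test, archive tested, file counts, and the exact files that were missing or altered. A backup that "ran" but fails this test is the situation the checklist item is warning about.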

Third-Party and Vendor Oversight

  • Vendor inventory: list of every third party with access to customer data or firm systems
  • Annual vendor security review for high-risk vendors (custodians, CRM, portfolio systems)
  • Data processing addendum or contractual security terms in place with data-handling vendors, including the 72-hour breach notification Reg S-P expects from service providers (a HIPAA-style business associate agreement is not the relevant instrument for an RIA)
  • Custodian and prime broker security contacts documented for incident escalation
  • Cloud service providers reviewed for data residency and access logging capabilities

Incident Response

  • Written Incident Response Plan (IRP) specific to your firm — not a generic template
  • Tabletop exercise conducted in the past 12 months and documented
  • 30-day breach notification procedure: who decides, who notifies, what records are kept
  • Regulatory and disclosure notification procedure documented: Reg S-P's notification duty runs to affected individuals, not to the SEC, so map which other notifications apply (state breach-notification statutes, custodian and insurer contract terms, Form ADV updates if your brochure describes your security practices) and who signs off on each
  • External counsel and forensics firm identified in advance — not discovered during an incident
  • Evidence preservation procedure in place

Employee Training and Awareness

  • Annual security awareness training: completed by all staff, documented with completion records
  • Phishing simulation conducted in the past 12 months
  • New hire security onboarding covering data handling and acceptable use
  • Written Acceptable Use Policy distributed and signed

Documentation and Governance

  • Written Information Security Policy (WISP) current and board/principal-reviewed in past 12 months
  • Annual cybersecurity risk assessment with documented methodology and output
  • Technology asset inventory current: hardware, software, SaaS systems
  • Patch management schedule documented and followed — evidence of patch cycles available
  • Cyber insurance in place — coverage terms reviewed against your actual risk profile

Form ADV and Public Disclosure

  • Form ADV Part 2A accurately describes your cybersecurity practices
  • ADV updated after any material change to security posture or after a reportable incident
  • Privacy notice current and distributed on schedule

What Smaller RIAs Consistently Miss

Testing rather than just implementing. Controls that exist but have never been tested — backup restores, incident response procedures, offboarding checklists — are a liability in examination. Examiners ask for evidence of testing, not just policy.

Third-party risk documentation. Most smaller RIAs have custody, CRM, and portfolio management tools with access to customer data, but no formal vendor oversight program. A vendor inventory, an annual questionnaire for the high-risk vendors, and contract terms requiring the 72-hour breach notification that Reg S-P expects from service providers are sufficient to show you are managing this risk.

Employee departure procedures. Access revocation after employee departures is consistently underdocumented. Who revokes access, to which systems, and in what timeframe? A written checklist with evidence of the last two offboardings is what examiners want.
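The privileged account review in the Identity and Access Controls section and the offboarding point above produce the same evidence if they are run from the same data: an account export from each system, plus the HR departure list. The script below is an added example, not code from the original post. The CSV export, the departure dates, the role names and the thresholds (90-day review window, next-day offboarding SLA, 60 days of unused admin access) are constructed assumptions; in practice the export would come from your identity provider and each SaaS admin console, and the thresholds from your own policy.

```python
"""Quarterly access review over an exported account list. Flags the findings
examiners ask about: privileged accounts without MFA, privileged accounts not
reviewed within the quarter, privileged accounts nobody has used, and accounts
still enabled after an employee's departure.

Added example, not part of the original post. All data below is constructed.
"""
import csv
import io
import json
from datetime import date, timedelta

# Constructed sample export, one row per account per system. A real export
# would be pulled from each system (IdP, CRM, portfolio tool, VPN) and merged.
ACCOUNT_EXPORT = """\
system,user,role,mfa_enabled,enabled,last_login,last_reviewed
m365,alice@example-ria.com,global_admin,yes,yes,2024-09-28,2024-08-01
m365,bob@example-ria.com,user,yes,yes,2024-09-29,2024-08-01
crm,bob@example-ria.com,admin,no,yes,2024-09-25,2024-08-01
portfolio,carol@example-ria.com,admin,yes,yes,2024-04-02,2024-01-15
vpn,dave@example-ria.com,user,yes,yes,2024-09-20,2024-08-01
crm,dave@example-ria.com,user,yes,no,2024-09-12,2024-08-01
"""

# Constructed HR departure list: user -> last working day.
DEPARTURES = {"dave@example-ria.com": date(2024, 9, 13)}

PRIVILEGED_ROLES = {"global_admin", "admin"}   # assumed role names
REVIEW_WINDOW = timedelta(days=90)             # "reviewed quarterly"
OFFBOARDING_SLA = timedelta(days=1)            # assumed policy: disabled by next day
STALE_PRIVILEGED = timedelta(days=60)          # assumed: unused admin access is a finding


def review_accounts(export_csv: str, departures: dict, today: date) -> list[dict]:
    """Return one finding per control failure, keyed by system and user."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        privileged = row["role"] in PRIVILEGED_ROLES
        enabled = row["enabled"] == "yes"
        last_login = date.fromisoformat(row["last_login"])
        last_reviewed = date.fromisoformat(row["last_reviewed"])
        key = {"system": row["system"], "user": row["user"]}

        if privileged and row["mfa_enabled"] != "yes":
            findings.append({**key, "issue": "privileged account without MFA"})
        if privileged and today - last_reviewed > REVIEW_WINDOW:
            findings.append({**key, "issue": "privileged account not reviewed in 90 days"})
        if privileged and enabled and today - last_login > STALE_PRIVILEGED:
            findings.append({**key, "issue": "privileged account unused for 60+ days"})

        left = departures.get(row["user"])
        if left is not None and enabled and today > left + OFFBOARDING_SLA:
            days = (today - left).days
            findings.append({**key, "issue": f"still enabled {days} days after departure"})
    return findings


def review_record(export_csv: str, departures: dict, today: date) -> dict:
    """The document to file: when the review ran, what was reviewed, what was found."""
    findings = review_accounts(export_csv, departures, today)
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    return {
        "reviewed_on": today.isoformat(),
        "accounts_reviewed": len(rows),
        "privileged_accounts": sum(r["role"] in PRIVILEGED_ROLES for r in rows),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(review_record(ACCOUNT_EXPORT, DEPARTURES, date(2024, 10, 1)), indent=2))
```

Run against the constructed data as of 2024-10-01, the review flags the CRM admin account without MFA, Carol's portfolio admin access as both unreviewed and unused, and Dave's VPN account as still enabled 18 days after his departure even though his CRM account was disabled. That last pattern, one system offboarded and another missed, is exactly what a written checklist with per-system evidence is meant to prevent. Keep the JSON output from each quarter's run; two of them are the "last two offboardings" evidence examiners ask for.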

Cyber insurance alignment. Many RIAs carry cyber insurance that does not actually cover the scenarios they are most exposed to. Coverage for regulatory response costs, notification costs, and forensics should be reviewed with your broker and documented.

Incident response plan specificity. A generic IRP downloaded from the internet does not demonstrate that you have thought through your firm’s specific environment. Examiners look for the escalation chain, the notification contacts, and evidence that staff know the procedure exists.

How Chadsel Approaches RIA Compliance Readiness

We have built and maintained cybersecurity programs through multiple SEC and FCA examination cycles. Our work with registered investment managers has resulted in 100% audit finding elimination — not by gaming the process, but by building programs that are genuinely operational rather than paper-only.

For RIAs, we typically start with a gap assessment against the checklist above, prioritize the highest-risk gaps, and build a documentation and implementation plan that reflects your actual headcount and budget. The goal is a program that passes examination because it is real — not because the documentation looks good.

New advisory clients receive a $500 credit toward their first engagement.

Frequently Asked Questions

Are SEC cybersecurity requirements different for smaller RIAs?

The SEC’s cybersecurity rules apply to all registered investment advisers regardless of AUM. There is no small-firm exemption; smaller entities only received a later compliance date for the 2024 Regulation S-P amendments. The proportionality principle means smaller firms can scale their programs to their complexity, but the core obligations — written incident response program, documented risk assessment, breach notification, service provider oversight — apply across the board.

What does the SEC look for in an incident response tabletop exercise?

Examiners want evidence that the exercise happened, who participated, what scenarios were tested, and what gaps or action items were identified. A simple two-hour exercise with four to six participants covering a phishing-to-breach scenario satisfies most examination requirements if it is documented properly.

How often should we update our Form ADV cybersecurity disclosures?

Form ADV Part 2A should be updated any time your cybersecurity practices materially change — new tools, significant policy changes, or after a reportable incident. Annual review is the minimum. Many firms update their ADV annually as part of their broader compliance review.

Does a third-party penetration test satisfy SEC requirements?

A penetration test is a useful control, but the SEC does not require it specifically. What the SEC does require is evidence of a risk assessment process. A pen test can be part of that, but it does not substitute for a written risk assessment, incident response procedures, and access control documentation.

What is the difference between Regulation S-P and the 2024 cybersecurity rules?

Regulation S-P is the foundational privacy rule for broker-dealers and investment advisers, covering safeguarding of customer records and information. The 2024 amendments added a breach notification requirement, formalized incident response program obligations, and added service provider oversight requirements. The public-company cybersecurity disclosure rules (Item 1.05 of Form 8-K and the related Regulation S-K disclosures, adopted in 2023) apply to publicly traded companies, not to most RIAs — but the broader shift toward mandatory disclosure has influenced SEC examination priorities across the industry.
