An SEC examiner asks your firm to produce its cybersecurity risk assessment, incident response plan, and vendor security review records - by end of week. Could you do it? For most boutique registered investment advisers (RIAs), that question lands hard.

The Problem: Informal Practices Don’t Survive a Documentation Request

Most small RIA firms aren’t flying blind on security. You have MFA on email. Your custodian is reputable. Your IT provider pushed out patches last quarter. But here’s the catch: having security controls and having documented security programs are not the same thing. The SEC cares about both.

This gap becomes obvious fast when an examiner shows up. They won’t just ask if you have an incident response plan. They’ll ask to see it, ask when you last tested it, and ask who owns it. If your answer is “we’d figure it out as it happens,” you’ve got a finding coming.

This is where small RIAs get trapped. Your practices work. They’re just informal. People know their roles, but nobody wrote them down. Vendor reviews happen in someone’s head. Risk assessments, if they exist, are a checklist from three years ago that nobody touched when you switched to that new cloud storage platform.

The SEC’s examination staff has made cybersecurity a priority for years. After the 2023 cybersecurity rules and Regulation S-P amendments in 2024, that scrutiny has real teeth. The rules don’t just say you need certain practices - they say you need to prove those practices exist, are current, and actually fit your firm’s specific risks.

This guide is for the firm doing most things right but stuck because it can’t demonstrate it.

Why This Matters for RIAs: The Regulatory Stakes

The SEC’s 2023 cybersecurity rules for investment advisers require RIAs to adopt and implement written cybersecurity policies and procedures that reasonably address cybersecurity risks. That word “reasonably” carries weight.

Regulation S-P (amended May 2024) adds a hard requirement: notify clients within 30 days if a breach exposes their personal information. You can only hit that deadline if your incident response plan actually spells out what counts as a breach, who decides, and how you notify people.

The SEC’s Division of Examinations consistently finds the same gaps in smaller firms:

  • Policies that sit on a shelf, untouched for over a year
  • Incident response plans nobody has ever actually tested
  • Risk assessments that are generic checklists, not tailored to your actual systems
  • Zero documentation of due diligence on vendors who touch client data

The financial hit isn’t theoretical. SEC enforcement actions against RIAs for cybersecurity lapses have resulted in fines in the hundreds of thousands, levied on firms much smaller than you’d expect. Add the reputational damage: a public SEC order in a business built on client trust.

How to Build an Examination-Ready Documentation Program

You don’t need a full-time compliance officer. You need a system.

The Four Documents Examiners Request Most Often

1. Written cybersecurity policies and procedures. This is your foundation. It identifies who owns cybersecurity, what systems and data matter, what controls you have (MFA, encryption, patching, access management), and how you handle exceptions. Generic templates fail here. Your policy needs to name the actual tools you use - your specific portfolio platform, your cloud provider, your email system. Make it real.

2. Annual cybersecurity risk assessment. This isn’t a once-and-done. The SEC expects you to do this at least yearly and document it. Your assessment should call out the threats you actually face (phishing, credential theft, third-party breaches hit RIAs hardest), evaluate how your controls stack up, and note any gaps with a plan to fix them. Write down who did it, when, and what changed from last year.

3. Incident response plan (IRP). A solid IRP assigns specific people to specific roles - not just “someone will handle IT.” It defines what a reportable incident looks like, walks through containment and recovery, and includes your client notification process under Regulation S-P. Document any tabletop exercises or walk-throughs - even a short team session counts. Date it. Sign it.

4. Vendor and third-party security review records. Every vendor touching client data needs a documented review. Your custodian, CRM, document management platform - all of them. You don’t need a full audit. A completed vendor questionnaire, a review of their SOC 2 report, and your notes on what you found are enough to show the examiner you actually thought about it.

What “Reasonable” Actually Means

The SEC explicitly recognizes that smaller firms have tighter budgets. “Reasonable” scales to your firm’s size, complexity, and what data you actually hold. A five-person RIA doesn’t need a security operations center. But it does need controls that match its risks and - this is critical - documented reasoning for why it made its choices.

Document your thinking. If you picked a specific email security vendor, note why. If you decided annual penetration testing didn’t make sense for your size, write that down. Examiners respect resource constraints. They don’t accept silence.

Your Documentation Maintenance Rhythm

Treat cybersecurity documentation as an ongoing program, not a one-time project.

Annually: Conduct and document your risk assessment. Review and update policies. Check that vendor reviews are current. Run at least one tabletop exercise on your IRP.

After any incident: Document what happened, when, how you responded, and what you’ll change. This after-action record is one of the strongest signals to an examiner that your program works.

When you change vendors or systems: Do a targeted security review. A new CRM or cloud storage platform shifts your risk profile. Document the security evaluation you ran before you went live.

What to Look for in an IT Partner

Your IT provider should help build your documentation program, not ignore it. When you’re evaluating whether your current provider is examination-ready, ask:

  • Can you give us documentation of the security controls you manage for us?
  • Do you keep records of patching, vulnerability scans, and access reviews we can show in an exam?
  • Will you help us with our annual risk assessment, or provide data our compliance team can use?
  • What do you do when we add or remove a vendor with system access?
  • Have you worked with RIAs or other SEC-registered firms?

A provider who answers these clearly and has records to back it up is a compliance asset. One who can’t is a liability waiting to happen.

The Bottom Line

The SEC isn’t asking boutique RIAs to build Fortune 500 security programs. It’s asking you to understand your risks, have a plan, and show your work. The firms that get dinged aren’t usually the ones with weak security. They’re the ones with good practices and no documentation to prove it. Build the documentation habit now, before an examiner asks.

Frequently Asked Questions

What does the SEC look for in a small RIA’s cybersecurity policies during an exam?

Examiners want policies specific to your firm’s actual systems and data, not pulled from a template library. They also look for evidence that someone owns the policies, that they’re current, and that your staff knows about them. A policy that hasn’t changed in two years, or that doesn’t match your real technology setup, will show up as a finding.

How often does an RIA need to update its cybersecurity risk assessment to satisfy SEC requirements?

At least annually. You should also update after major system changes, after a security incident, or when a new vendor gains access to client data. What matters is documenting the date, how you did it, and what changed from the previous assessment.

What is Regulation S-P and how does it affect RIA cybersecurity documentation?

Regulation S-P governs how you protect client financial data. The 2024 amendments require a written incident response program and client notification within 30 days of a data breach affecting personal information. Your incident response plan now has to include a specific, documented notification process - not just a general security response framework.

Does a small RIA need to hire an outside consultant to conduct a cybersecurity risk assessment?

No. The SEC’s standard is reasonable for your firm’s size and complexity. Many small RIAs can do a solid annual assessment internally using a framework like NIST’s Cybersecurity Framework. An outside consultant adds polish, but documenting your process and findings matters more than who does the work.


If you’re building RIA cybersecurity documentation and preparing for SEC exams, let’s talk. One82 works with CPA firms, law firms, and financial advisory companies in the Bay Area - we understand your environment.