
4 Questions Your Board Should Be Asking About Cybersecurity (And What Good Answers Look Like)

The SEC's 2026 exam priorities put board and principal oversight of cybersecurity programs on the list. That means examiners will ask your managing partner what they know about your firm's cybersecurity posture. If the answer is "our IT guy handles it," the conversation goes downhill fast. Here are the four questions that separate firms with real programs from firms with expensive hope.

Why this conversation matters now

Most RIA board meetings treat cybersecurity the way they treated marketing in 2010 — a line item someone mentions in passing before moving on to AUM growth. That worked when the SEC treated cyber as a suggestion. It does not work now.

The amended Reg S-P deadline is 54 days away. The SEC's exam priorities explicitly name board-level oversight. And the enforcement pattern is clear: firms that cannot demonstrate a documented, maintained cybersecurity program are getting deficiency letters — or worse.

This post is for CCOs who need to brief their board, and for principals who want to know what questions to ask. Print it, bring it to your next meeting, and use it as a checklist.

Question 1: "What is our current cybersecurity posture — and can you prove it?"

Why the board should ask this

This is not "do we have a firewall." Every firm has a firewall. This question asks whether someone has actually assessed your firm's security controls against the threats you face, documented the findings, and produced something a regulator could review.

The SEC's 2026 exam priorities emphasize that principals and boards are expected to exercise oversight of cybersecurity programs — not delegate blindly and hope. An examiner may ask the managing partner directly: "Walk me through your firm's cybersecurity posture." If the managing partner has never seen an assessment, that is itself a finding.

What a good answer sounds like

"We completed a comprehensive cybersecurity assessment on February 15th. Our overall score is 74 out of 100. We have strong controls in access management and endpoint protection. We have three high-priority findings: our DMARC policy is not at enforcement, two vendor agreements lack required security addenda, and our incident response plan has not been tested in 14 months. We have a remediation plan with deadlines for each — DMARC enforcement by March 30th, vendor agreements updated by April 15th, IR tabletop exercise scheduled for April 22nd."

Notice the specifics. A score. Named findings. Deadlines. This is a CCO who can hand an examiner a document.

What a bad answer reveals

"We're in good shape. Our IT company handles all of that."

This means no one at the firm has actually reviewed the cybersecurity program. The IT company may be doing excellent work — but if the CCO cannot produce a documented assessment with specific findings in 60 seconds, the program is not documented. And undocumented programs do not survive examinations.

What to do next

Run a cybersecurity assessment that produces a written report with a score, specific findings, and remediation recommendations. Share the results with the board. Schedule the next assessment. This is not a one-time event — it is an ongoing obligation.

Question 2: "If we were examined by the SEC tomorrow, what would they find?"

Why the board should ask this

This forces an honest assessment. It reframes cybersecurity from abstract risk management to a concrete scenario with concrete consequences. Every CCO should be able to walk through a mock exam and identify where the gaps are before the SEC does it for them.

If you want to understand what that exam actually looks like, read our breakdown of what happens during an SEC cybersecurity exam. The short version: they ask for documents, and they check whether what you documented matches what you actually do.

What a good answer sounds like

"They would find a written information security policy updated in January. Our DMARC record is at p=quarantine — we are moving to reject by end of month. Our incident response plan was last tested in a tabletop exercise in November. We have signed vendor risk assessments for our custodian, our CRM, and our portfolio management system. Staff completed phishing awareness training in December with a 94% pass rate. The one area where we are exposed is our business continuity plan, which has not been updated since we moved offices. That is scheduled for revision by April 30th."

This answer references specific controls: DMARC status, IR plan testing dates, vendor agreements, training records, and a known gap with a remediation plan. An examiner hearing this knows the firm takes the program seriously.

What a bad answer reveals

"We'd be fine. We have all the policies in place."

Without specifics, this is hope, not evidence. "We have policies" without being able to name which policies, when they were last updated, or whether anyone follows them is exactly the kind of answer that prompts an examiner to dig deeper. Vague confidence is a red flag, not a green one.

What to do next

Conduct a mock exam. Walk through the SEC's published document request list and see what your firm can actually produce. Every gap you find before the SEC does is a gap you can fix on your own terms. The RIA compliance platform from BlackSheep maps directly to SEC examination requirements so you can see your readiness at a glance.

Question 3: "How much are we spending on cybersecurity compliance, and is it working?"

Why the board should ask this

Boards understand money. This question forces the CCO to articulate what the firm is getting for its cybersecurity spend — and it surfaces a problem most firms have never examined: whether their current approach actually produces the documentation, monitoring, and evidence a regulator expects.

What a good answer sounds like

"We spend $2,988 per year on our compliance platform. That gives us continuous monitoring of our email security, website security, and vendor risk posture. It generates our written policies, tracks our remediation progress, and produces exam-ready reports on demand. Our last assessment identified 11 findings — we have remediated 8, and the remaining 3 are on track. We can show the board exactly what we are getting for that spend."

What a bad answer reveals

Most RIA firms fall into one of three categories:

The board should know which category their firm is in. If the answer is "I'm not sure what we spend on cybersecurity," that itself tells you everything.

What to do next

Add up what the firm spends on cybersecurity compliance — IT vendor fees, consultant retainers, software subscriptions, staff time. Then ask: what evidence does that spend produce? If the answer is "a folder of PDFs from 2024," the spend is not working. A Reg S-P compliant program requires continuous, documented evidence — not annual snapshots.

Question 4: "What's our liability if a client is harmed by a cybersecurity failure?"

Why the board should ask this

This is where cybersecurity stops being abstract and becomes personal. Fiduciary duty extends to data protection. When a client loses money because a spoofed email redirected a wire transfer, or a client portal breach exposes personal financial data, the firm is not the only entity on the hook. Principals face personal liability.

What a good answer sounds like

"Our fiduciary duty includes protecting client data. If a client suffers financial harm from a cybersecurity failure we could have prevented, we face regulatory enforcement from the SEC, potential civil liability from the affected clients, E&O claims, and reputational damage that affects AUM retention. Our current cyber liability insurance covers up to $2 million per incident, but the policy requires us to maintain documented security controls — if we can't demonstrate a reasonable cybersecurity program, the carrier may deny the claim. Our biggest exposure right now is email spoofing — we do not have DMARC at enforcement, which means an attacker could send emails that appear to come from our domain. We are addressing this by the end of the month."

This answer connects cybersecurity to business outcomes the board cares about: liability, insurance, reputation, and AUM.

What a bad answer reveals

"That's really more of an IT question."

No, it is not. It is a fiduciary question, a liability question, and a business continuity question. Principals who treat cybersecurity as an IT problem are the ones most exposed when something goes wrong. Wire fraud from spoofed emails is not hypothetical — it happens to RIAs regularly. Client portal breaches are not hypothetical — they happen when vendors are not properly vetted. Data theft is not hypothetical — it happens when access controls are loose and no one is monitoring.

The board needs to understand that this is personal liability for principals and reputational risk for the firm. Not in the abstract. In dollar terms.

What to do next

Review your cyber liability insurance policy with the board. Confirm what it requires you to maintain. Then verify that your firm actually meets those requirements — because if you file a claim and can't demonstrate a documented cybersecurity program, the carrier has grounds to deny it. Run a free security scan to identify your biggest exposure areas and start closing them before they become incidents.

The scorecard

If your CCO can answer all four of these questions with documented evidence — specific scores, named controls, remediation timelines, and liability figures — your firm is ahead of 97% of RIAs. That is not an exaggeration. Most firms cannot produce a written cybersecurity assessment on demand. Most firms cannot walk through a mock SEC exam without finding gaps. Most firms do not know what they spend on cybersecurity or what that spend produces.

If your CCO cannot answer these questions, the Reg S-P deadline is 54 days away, and BlackSheep gets you there in a week.

Get your firm board-ready before the Reg S-P deadline.
