Cybersecurity Risk Assessment Software for RIAs: Automate What the SEC Requires
The SEC expects every registered investment adviser to maintain a documented cybersecurity risk assessment. Most firms either pay a consultant $5-15K for a point-in-time report that goes stale in months, or fill out a self-assessment questionnaire that nobody verifies. Neither approach actually satisfies what examiners want to see.
What the SEC actually requires
Under the amended Reg S-P rule, every RIA must adopt written policies and procedures that are "reasonably designed" to protect customer records and information. The SEC has made clear — through examination priorities, risk alerts, and enforcement actions — that "reasonably designed" starts with a risk assessment.
That assessment must be annual at minimum. It must be documented in writing. It must be specific to your firm — not a generic template. And it must identify actual threats and vulnerabilities to your environment, evaluate your current controls against those threats, and prioritize what needs to be fixed.
This is not optional, and it is not new. The SEC has been examining for risk assessment documentation since the 2014 cybersecurity sweep. What has changed is the specificity of what examiners expect and the consequences of falling short.
The problem with manual risk assessments
Most RIAs handle risk assessments one of two ways, and both have serious gaps.
The consultant model
You hire a cybersecurity consulting firm. They spend a few days reviewing your infrastructure, interview your staff, and produce a 50-page report. It costs $5,000 to $15,000. The report is thorough — for that moment in time.
Three months later, a new vulnerability is disclosed in your email provider. Six months later, your IT vendor changes your DNS configuration. Nine months later, a staff member starts forwarding client emails to a personal account. The consultant's report says nothing about any of this because the consultant is not watching. By the time your next annual engagement rolls around, the report is a historical document, not a current assessment.
The self-assessment questionnaire
Your compliance vendor gives you a form. "Do you have multi-factor authentication? Do you encrypt data in transit? Do you have an incident response plan?" You check the boxes, sign at the bottom, and file it.
The problem is that nobody verifies any of it. The questionnaire assumes you know the answer. It assumes you know what DMARC is, whether your email provider enforces it, and whether your SPF record is correctly configured. It assumes "we have a firewall" means the firewall is properly configured, current on patches, and monitoring the right traffic.
Neither approach meets the SEC's standard. A point-in-time consultant report is not "reasonably designed" if it goes stale in months. A self-assessment questionnaire is not "reasonably designed" if nobody confirms the answers are accurate.
What good risk assessment software does
The right software does not hand you a questionnaire. It looks at your actual infrastructure and tells you what it finds. Specifically:
- Scans your external infrastructure automatically. Your domains, email authentication records, web applications, SSL certificates, exposed services, DNS configuration. These are the things an attacker sees from outside your network — and the things an examiner can verify independently.
- Identifies real vulnerabilities with severity ratings. Not "you might be at risk" — specific findings like "your DMARC policy is set to none, which means anyone can spoof your domain in emails to clients" or "your SSL certificate expires in 12 days."
- Maps findings to specific regulatory requirements. For RIAs, that means Reg S-P — not generic NIST controls, not ISO 27001, not a framework designed for enterprises with a 20-person security team. Your examiner is checking whether you meet SEC requirements, and your assessment should speak that language.
- Generates the documented assessment examiners want. A written report with your firm name, your specific findings, dates, severity ratings, and regulatory mappings. Not a template you filled in — a document generated from actual scan data.
- Monitors continuously. The assessment is not a snapshot that decays over 12 months. New vulnerabilities are detected as they appear. The assessment is always current because the scanning never stops.
The self-assessment trap
Here is a specific example of why questionnaires fail.
A standard compliance questionnaire asks: "Does your firm have DMARC configured? [Yes / No / Not Applicable]."
We have scanned thousands of RIA domains. Based on that data, 83% of firms would check "yes" or "not applicable" — and be wrong. The reality is that most RIA domains either have no DMARC record at all, have a DMARC policy set to "none" (which provides monitoring but no protection), or have a DMARC record with syntax errors that prevent it from functioning.
The questionnaire does not catch this because the questionnaire trusts the person filling it out. That person is usually a CCO or operations manager who should not be expected to know how to query DNS TXT records and interpret the results. They are not lying — they genuinely believe their IT provider set it up correctly. But nobody checked.
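The check described above, as an added example that is not part of the page or of BlackSheep's code: it triages a domain's `_dmarc` TXT record into the three failure modes named in the text (no record, `p=none`, syntax error) versus an enforcing policy. It runs offline on constructed sample records; a live check would fetch the TXT record at `_dmarc.<domain>` with a DNS library, which is not shown here.

```python
# DMARC record triage (added example; not BlackSheep's code).
# Tag names follow RFC 7489; sample records below are constructed.

VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Return tag -> value for a DMARC TXT record, or raise ValueError."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("tag without '=': %r" % part)
        tag, value = (s.strip() for s in part.split("=", 1))
        if tag in tags:
            raise ValueError("duplicate tag %r" % tag)
        tags[tag] = value          # unknown tags are kept but ignored (RFC 7489 6.3)
    if "p" not in tags:
        raise ValueError("required tag 'p' missing")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError("invalid policy value %r" % tags["p"])
    return tags

def classify_dmarc(record):
    """Map a TXT record (None when _dmarc has no TXT record) to a finding label."""
    if record is None:
        return "no record"
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "syntax error"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring only (p=none)"
    return "enforced (p=%s)" % policy

# Constructed sample records, one per outcome.
SAMPLES = {
    "example-a.invalid": None,
    "example-b.invalid": "v=DMARC1; p=none; rua=mailto:dmarc@example-b.invalid",
    "example-c.invalid": "v=DMARC1; p=reject; pct=100",
    "example-d.invalid": "v=DMARC1 p=quarantine",   # missing ';' separator
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print("%-20s %s" % (domain, classify_dmarc(record)))
```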
Multiply this across every line item in a self-assessment — encryption, access controls, patch management, backup procedures, incident response — and you have a document that looks complete but reflects what the firm hopes is true rather than what actually is.
What examiners actually want to see
SEC examination staff have been increasingly specific about what constitutes an adequate risk assessment. Based on examination deficiency letters and published risk alerts, examiners want:
- Documented methodology. How did you identify risks? What did you look at? What tools or processes did you use? "We thought about it" is not a methodology.
- Specific findings with dates. Not "we reviewed our cybersecurity posture." Specific findings: "On January 15, 2026, we identified that our email domain lacked a DMARC enforcement policy, exposing the firm to domain spoofing attacks."
- Risk ratings with rationale. Why is this finding rated high, medium, or low? What criteria did you use? Ratings must be consistent and defensible.
- Remediation plan with timelines. For every finding above a low risk rating, what are you doing about it? By when? Who is responsible?
- Evidence of implementation. Did you actually fix the things you said you would fix? Can you prove it? Examiners increasingly ask for before-and-after evidence.
- Currency. When was this assessment last updated? If the answer is "18 months ago," you have a problem. If the answer is "it updates continuously because our scanning is automated," that is a different conversation entirely.
How BlackSheep handles risk assessment
BlackSheep takes a different approach from both the consultant model and the questionnaire model. Here is how it works for RIAs:
- Automated external scan. You enter your firm's domain. BlackSheep scans your DNS records, email authentication (SPF, DKIM, DMARC), SSL/TLS configuration, web application headers, exposed services, and publicly visible infrastructure. No questionnaire. No self-reporting.
- Findings mapped to Reg S-P. Every finding is tied to the specific Reg S-P requirement it relates to. Your report speaks the language your examiner uses, not generic cybersecurity jargon.
- Written assessment with your firm's data. The platform generates a documented risk assessment with your firm name, your specific findings, severity ratings, regulatory mappings, and remediation recommendations. It is your assessment, built from your actual infrastructure — not a template.
- Continuous monitoring. The scan is not a one-time event. BlackSheep monitors your infrastructure on an ongoing basis. When something changes — a certificate is about to expire, a DMARC policy is altered, a new vulnerability is detected — the assessment updates and you get notified.
- $249/mo vs. $5-15K per engagement. A consultant engagement that happens once a year costs more than continuous automated monitoring that runs every day. The math is straightforward.
What this does not replace
Automated external scanning covers the infrastructure layer — the things an attacker (or an examiner) can see from outside your network. It does not evaluate whether your staff clicks on phishing emails. It does not assess whether your access controls are properly segmented internally. It does not review your vendor management process.
Those internal controls still matter. But for most RIAs, the external infrastructure is where the biggest, most easily exploitable gaps exist. It is also where examiners can independently verify your claims. If your assessment says everything is fine but an examiner can see your DMARC is not enforced and your SSL is misconfigured, that discrepancy raises questions about the entire program.
See what an automated risk assessment finds on your domain.
Run your free scan with BlackSheep