Is Your RIA Too Small for Cybersecurity Compliance? (No. Here's Why.)
We hear it constantly from firms managing under $500M: "The SEC has bigger fish to fry." It is an understandable assumption. It is also wrong — and increasingly dangerous to act on.
Why small firms believe they are exempt
If you run a small RIA, you have probably had some version of this conversation with yourself or your compliance consultant: We only have a handful of employees. We do not hold custody. Our AUM is modest. The SEC is not going to spend its limited exam resources on us when there are multi-billion-dollar firms to worry about.
This reasoning feels logical. It is also built on a misunderstanding of how SEC examinations work and what Regulation S-P actually requires.
Reg S-P has no size exemption
The amended Regulation S-P (17 CFR Part 248) applies to every broker-dealer, investment company, and SEC-registered investment adviser. Period. There is no carve-out for firms below a certain AUM threshold. There is no reduced set of requirements for firms with fewer than ten employees. There is no phase-in schedule that lets smaller firms delay implementation.
The rule requires written policies and procedures for the protection of customer records and information, a written incident response program, the ability to detect and respond to unauthorized access to customer information, notification to affected individuals when a breach occurs, and oversight of service providers who handle customer data on your behalf.
If you manage client assets — whether it is $50 million or $5 billion — you carry the same fiduciary obligation to protect the personal information those clients entrusted to you. The SEC does not grade on a curve.
The SEC is specifically targeting smaller firms
The SEC's 2026 examination priorities make this explicit. The Division of Examinations flagged cybersecurity preparedness at smaller firms as an area of focus, specifically because smaller firms are more likely to have gaps in their programs and less likely to have been examined before.
This is not a hypothetical. The SEC has been expanding its exam coverage to reach firms that have never been examined. If you have been registered for several years and never received an exam letter, you are not flying under the radar — you are overdue.
Small firms are easier to examine, not harder
There is an irony in the "too small to examine" assumption: smaller firms are actually faster and cheaper for the SEC to examine. A large firm with complex custodial relationships, multiple office locations, and thousands of client accounts takes months of examiner time. A small firm with one office, a handful of employees, and straightforward operations can be examined in days.
That means the SEC gets more exams completed per dollar of enforcement budget by examining small firms. And findings at small firms are often easier to document because there are fewer layers of process to sift through. If the written incident response plan does not exist, that is a finding. There is nothing to interpret.
What happens when a small firm gets a finding
This is where the math gets painful. The enforcement pattern against small advisory firms with cybersecurity deficiencies typically follows a predictable path:
- The exam letter arrives. The SEC requests your written information security policies, your incident response plan, evidence of employee training, records of any security incidents, and documentation of your vendor oversight program.
- The gaps become findings. If you do not have a written incident response plan, that is a deficiency. If you have never conducted a risk assessment of your technology environment, that is a deficiency. If you cannot demonstrate that you evaluate your service providers' security practices, that is a deficiency.
- Remediation is expensive and urgent. You now need to build a compliant program under time pressure, typically with outside legal counsel and a compliance consultant involved. Firms that engage counsel for SEC exam remediation routinely spend $50,000 to $150,000 depending on the severity and number of findings.
- Enforcement actions carry real penalties. Beyond remediation costs, the SEC can impose censures, fines, and activity restrictions. For cybersecurity failures, penalties against advisory firms have ranged from $50,000 to over $1 million. For a small firm, that can be existential.
The cost comparison is not close
This is the part that frustrates us most, because the math is so straightforward. A small RIA that puts a compliant cybersecurity program in place proactively is looking at roughly $249 per month — the cost of a platform that handles the policies, risk assessments, incident response planning, and documentation the SEC expects to see.
A small RIA that waits until an exam finding is looking at $100,000 or more in legal fees, consultant fees, and remediation costs — plus the time and stress of building everything under a regulatory deadline instead of on your own schedule.
That is roughly 33 years of proactive compliance for the cost of one reactive scramble. And the proactive version actually protects your clients. The reactive version just limits your penalties.
The good news: small firms are easier to get compliant
Here is the upside of being small. The same simplicity that makes you easy to examine also makes you easier to protect. A firm with five employees, one office, and a single custodian has a much smaller attack surface than a multi-office enterprise with hundreds of endpoints and complex integrations.
What that means in practice:
- Fewer policies to write. Your information security program does not need to be 200 pages. It needs to be accurate, complete, and proportionate to your environment. For a small firm, that is often 15 to 25 pages of core policies and procedures.
- Simpler risk assessments. You have fewer systems, fewer data flows, and fewer third-party relationships to evaluate. A thorough risk assessment for a five-person firm can be completed in a day, not a quarter.
- Training is manageable. Getting five people through annual security awareness training takes an afternoon. Getting 500 people through it takes a project manager and a six-week rollout plan.
- Incident response is more straightforward. Your incident response plan does not need to account for 14 time zones and three escalation tiers. It needs to document who does what when something goes wrong, and make sure those people know the plan exists.
What to do right now
If you are a small RIA that has been putting off cybersecurity compliance, here is a practical starting point:
- Run a free security scan. See where your firm's public-facing security posture stands today. This takes two minutes and gives you a concrete baseline.
- Read the amended Reg S-P requirements. Understand what is actually required — not what you heard secondhand at a conference. Our Reg S-P breakdown walks through each requirement in plain language.
- Inventory your technology environment. Write down every system that touches client data: your CRM, your portfolio management system, your email, your custodian portal, your cloud storage. You cannot protect what you have not identified.
- Put a program in place before your exam letter arrives. The difference between "we have been working on this" and "we have not started" is the difference between a deficiency letter and an enforcement action.
How BlackSheep fits in
BlackSheep was built for firms exactly like yours. The RIA compliance platform gives you the written policies, risk assessment framework, incident response plan, vendor oversight documentation, and employee training tracking that the SEC expects to see — without the $15,000 consultant fee or the six-month implementation timeline.
You are not too small to be compliant. You are the right size to get this done quickly and correctly.
See where your firm stands in two minutes.