
The 10-Point SEC Cybersecurity Exam Checklist Every RIA Needs in 2026

SEC examiners are not guessing. They work from a script, and cybersecurity is on every exam this year. This is the checklist your CCO should print, score, and forward to the team before your next exam.

Why this checklist exists

The SEC's Division of Examinations has made cybersecurity a priority in every published exam priority list since 2020. With Regulation S-P's updated requirements taking effect on June 3, 2026, the bar is higher than it has ever been. Examiners request documents before they arrive, interview staff on-site, and compare what you wrote down against what you actually do.

The ten items below are what they check. Not in theory — in practice, based on deficiency letters, risk alerts, and enforcement actions from the past three years.


1. Written Information Security Program (WISP)

What the examiner looks for

A written, board-approved set of policies covering administrative, technical, and physical safeguards for client data. The examiner will check whether your WISP is specific to your firm or a generic template downloaded from the internet. They will look for named roles, defined responsibilities, and references to the actual systems your firm uses.

What good looks like

A WISP that names your firm's custodian, CRM, portfolio management system, and cloud storage providers by name. It assigns the CCO or a named individual as the information security officer. It covers data classification, acceptable use, remote work policies, and mobile device management. It was reviewed and updated within the past 12 months, with a documented revision history.

Common failures

Using a template from a compliance vendor without customizing it. Examiners can tell — the language is generic, it references systems you do not use, and staff cannot describe the policies when asked. Another common failure: having a WISP from 2021 that has never been updated despite moving to a new custodian and adopting a client portal.

How BlackSheep helps

BlackSheep generates your WISP from your actual environment — your systems, your vendors, your team structure. It updates automatically when your configuration changes, so the document always reflects reality.


2. Risk Assessment (documented and current)

What the examiner looks for

A written risk assessment completed within the past 12 months that identifies threats, vulnerabilities, and the controls in place to mitigate them. Examiners want to see that risks are ranked by likelihood and impact, and that high-priority risks have remediation plans with deadlines.

What good looks like

A document that inventories every system touching client data, identifies specific threats (phishing, ransomware, insider access, vendor breach), evaluates current controls, and assigns risk ratings. High risks have a named owner and a remediation deadline. The assessment is dated, signed by the CCO, and stored where it can be produced on request.

Common failures

The "mental risk assessment" — the CCO knows the risks but never wrote them down. Also common: a risk assessment that identifies gaps but shows no follow-up. If you documented that MFA was missing in 2024 and still have not deployed it in 2026, the assessment becomes evidence against you.

How BlackSheep helps

BlackSheep walks your team through a guided risk assessment mapped to SEC expectations. It scores risks automatically, tracks remediation progress, and maintains a timestamped audit trail showing when each risk was identified and addressed.


3. Incident Response Plan (tested)

What the examiner looks for

A written incident response plan that defines roles, escalation procedures, and notification timelines. Under the updated Regulation S-P, firms must notify affected clients within 30 days of discovering a breach, and vendor agreements should require 72-hour breach notification. Examiners also ask for evidence that you have tested the plan — a tabletop exercise, a simulated incident, something that shows the plan is not just paper.

What good looks like

An IR plan that names who makes decisions during an incident (not just "the CCO" but a specific person with a backup), includes contact information for legal counsel, your cyber insurance carrier, and your IT provider, defines what constitutes a reportable incident, and documents the 30-day client notification and 72-hour vendor notification timelines. A record of at least one tabletop exercise within the past year, including the scenario, participants, lessons learned, and any changes made to the plan as a result.

Common failures

Having a plan that has never been tested. Examiners ask staff questions like "What would you do if you received a suspicious email?" or "Who do you call first during a breach?" If the answers do not match the plan, or if staff have never seen the plan, that is a deficiency.

How BlackSheep helps

BlackSheep includes an incident response plan template tailored to your firm, with built-in tabletop exercise scenarios. It tracks testing dates and logs participant responses, so you have documentation ready when examiners ask.


4. Email Authentication (DMARC/SPF/DKIM)

What the examiner looks for

Whether your domain has properly configured DMARC, SPF, and DKIM records. This is not theoretical — examiners run DNS lookups on your domain. They want to see that you have taken steps to prevent attackers from sending phishing emails that appear to come from your firm. 83% of RIAs fail this check, based on industry scans.

What good looks like

A DMARC record set to p=quarantine or p=reject (not p=none), a valid SPF record listing only the mail servers you actually use, and DKIM signing enabled for all outbound email. If you use a third-party email marketing tool, it is included in your SPF record and has its own DKIM key.

Common failures

No DMARC record at all. DMARC set to p=none, which monitors but does not block spoofed emails. SPF records that include +all or exceed the DNS lookup limit. DKIM not configured because "IT said the email works fine." It does work fine — for attackers impersonating you.
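The lookups an examiner runs against your domain can be reproduced in advance against your own records. The script below is an added example for this article, not BlackSheep's scanner and not code from the original post. It runs offline over constructed TXT records for the hypothetical domain example-ria.invalid (the zone contents, the selector name selector1 and the placeholder DKIM key are all invented) and applies the rules from the passage above: DMARC policy must be quarantine or reject, SPF must not end in +all and must stay within the ten-lookup limit that RFC 7208 imposes, and the DKIM selector must publish a non-empty key. To check a real domain, replace the sample strings with the output of `dig +short TXT _dmarc.<domain>`, `dig +short TXT <domain>` and `dig +short TXT <selector>._domainkey.<domain>`.

```python
"""Offline DMARC/SPF/DKIM record checker (added example; records are constructed)."""
import base64
import re

SPF_LOOKUP_LIMIT = 10  # RFC 7208 s.4.6.4: more than 10 DNS-querying terms -> permerror
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# qualifier, mechanism name, optional target (':' or '=' separated, CIDR suffix dropped)
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=]([^/ ]+))?", re.I)


def parse_tags(txt):
    """Parse 'k=v; k=v' tag lists; DMARC and DKIM records share this syntax."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt):
    if not txt:
        return ["DMARC: no _dmarc record"]
    tags, findings = parse_tags(txt), []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} does not block spoofed mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def spf_lookups(domain, zone, seen=None):
    """Count DNS-querying SPF terms, following include: and redirect= recursively."""
    seen = set() if seen is None else seen
    if domain in seen:  # loop guard for records that include each other
        return 0
    seen.add(domain)
    count = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m:
            continue
        name, target = m.group(2).lower(), m.group(3)
        if name in SPF_LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect") and target:
                count += spf_lookups(target, zone, seen)
    return count


def check_spf(domain, zone):
    txt = zone.get(domain, "")
    if not txt.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record"]
    findings = []
    terms = [TERM_RE.match(t) for t in txt.split()[1:]]
    all_terms = [m for m in terms if m and m.group(2).lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' term, unlisted senders are neutral")
    elif all_terms[-1].group(1) in ("", "+"):  # bare 'all' means '+all'
        findings.append("SPF: ends in +all, every sender on the internet passes")
    n = spf_lookups(domain, zone)
    if n > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {n} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror")
    return findings


def check_dkim(txt):
    if not txt:
        return ["DKIM: no record at the selector"]
    key = parse_tags(txt).get("p", "")
    if not key:
        return ["DKIM: p= is empty (key revoked), outbound mail cannot be verified"]
    try:
        base64.b64decode(key, validate=True)
    except ValueError:
        return ["DKIM: p= is not valid base64"]
    return []


def check_domain(domain, zone, dkim_selector):
    return (check_dmarc(zone.get(f"_dmarc.{domain}", ""))
            + check_spf(domain, zone)
            + check_dkim(zone.get(f"{dkim_selector}._domainkey.{domain}", "")))


# Constructed zone for a hypothetical firm: every record below is invented.
SAMPLE_ZONE = {
    "_dmarc.example-ria.invalid": "v=DMARC1; p=none; rua=mailto:dmarc@example-ria.invalid",
    "example-ria.invalid": "v=spf1 include:_spf.mailhost.invalid include:_spf.crm.invalid "
                           "include:_spf.marketing.invalid mx a +all",
    "_spf.mailhost.invalid": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.invalid -all",
    "_spf.relay.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.invalid": "v=spf1 a mx ptr exists:%{i}._spf.crm.invalid -all",
    "_spf.marketing.invalid": "v=spf1 include:_spf.mkt-a.invalid include:_spf.mkt-b.invalid -all",
    "_spf.mkt-a.invalid": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mkt-b.invalid": "v=spf1 ip6:2001:db8::/32 -all",
    "selector1._domainkey.example-ria.invalid": "v=DKIM1; k=rsa; p=",  # revoked key
}

# The same domain after remediation; the DKIM key is a placeholder, not a real key.
FIXED_ZONE = {
    **SAMPLE_ZONE,
    "_dmarc.example-ria.invalid": "v=DMARC1; p=reject; rua=mailto:dmarc@example-ria.invalid",
    "example-ria.invalid": "v=spf1 include:_spf.mailhost.invalid include:_spf.marketing.invalid -all",
    "selector1._domainkey.example-ria.invalid": "v=DKIM1; k=rsa; p=" + "A" * 392,
}

if __name__ == "__main__":
    for label, zone in (("before", SAMPLE_ZONE), ("after", FIXED_ZONE)):
        print(label, check_domain("example-ria.invalid", zone, "selector1") or ["clean"])
```

The lookup counter follows nested include: records the way a receiving server does, which is how a record that looks short at the top level quietly blows through the limit once marketing and CRM vendors are chained in.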

How BlackSheep helps

BlackSheep's free security scan checks your DMARC, SPF, and DKIM configuration in seconds and tells you exactly what to fix. No signup required.


5. Access Controls and MFA

What the examiner looks for

Documentation showing who has access to which systems, at what privilege level, and whether multi-factor authentication is enabled on all systems containing client data. Examiners ask for user access lists, check whether terminated employees still have active accounts, and verify that administrative access is limited to those who need it.

What good looks like

A current user access matrix listing every system with client data, every user with access, and their role. MFA enabled on email, CRM, portfolio management, cloud storage, and custodial platforms. Quarterly access reviews documented, including the reviewer's name and date. A process for revoking access within 24 hours when someone leaves the firm.

Common failures

Former employees still showing up in active user lists. MFA enabled on email but not on the CRM or portfolio management system. No documented access reviews — the firm "just knows" who has access to what. Shared login credentials for a system because "everyone needs to use it."
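A quarterly access review that produces the documentation examiners ask for can be a short script run over each system's user export and the HR roster. The following is an added example written for this article, not BlackSheep's tooling and not from the original post; the roster, the three system exports, the user names and the review date are all constructed. It catches each failure listed above: former employees still active (and whether the 24-hour revocation window has passed), MFA missing on a system that holds client data, shared accounts not tied to a named person, and admin roles with no documented need.

```python
"""Quarterly access review over constructed exports (added example; data is invented)."""
from datetime import datetime, timedelta

REVOKE_WITHIN = timedelta(hours=24)  # checklist target: leavers removed within 24 hours

# Constructed HR roster. 'left' is the termination timestamp for former staff;
# 'admin_on' records which systems a person is approved to administer.
ROSTER = {
    "a.nguyen": {"active": True,  "left": None,                         "admin_on": {"email"}},
    "b.okafor": {"active": True,  "left": None,                         "admin_on": set()},
    "c.silva":  {"active": False, "left": datetime(2026, 1, 12, 17, 0), "admin_on": set()},
    "d.patel":  {"active": False, "left": datetime(2026, 3, 2, 9, 0),   "admin_on": set()},
}

# Constructed per-system user exports, as an admin console would hand them over.
SYSTEM_USERS = {
    "email": [
        {"user": "a.nguyen", "role": "admin", "mfa": True},
        {"user": "b.okafor", "role": "user",  "mfa": True},
        {"user": "c.silva",  "role": "user",  "mfa": True},    # left in January, still active
    ],
    "crm": [
        {"user": "a.nguyen",   "role": "user",  "mfa": False},  # MFA on email only
        {"user": "b.okafor",   "role": "admin", "mfa": False},  # admin not approved in roster
        {"user": "ops-shared", "role": "user",  "mfa": False},  # shared credential
    ],
    "portfolio": [
        {"user": "a.nguyen", "role": "user", "mfa": True},
        {"user": "d.patel",  "role": "user", "mfa": True},      # left this morning
    ],
}


def review_access(roster, systems, now):
    """Return (system, account, finding) tuples for everything an examiner would flag."""
    findings = []
    for system, accounts in systems.items():
        for acct in accounts:
            name, person = acct["user"], roster.get(acct["user"])
            if person is None:
                findings.append((system, name, "account not tied to a named person (shared or orphaned)"))
            elif not person["active"]:
                status = "overdue" if now - person["left"] > REVOKE_WITHIN else "within the 24h window"
                findings.append((system, name, f"former employee still active, revocation {status}"))
            elif acct["role"] == "admin" and system not in person["admin_on"]:
                findings.append((system, name, "admin role without a documented need"))
            if not acct["mfa"]:
                findings.append((system, name, "MFA not enabled"))
    return findings


def review_record(findings, systems, reviewer, now):
    """The artefact to file: reviewer, date, scope and findings in one text block."""
    lines = [f"Access review {now:%Y-%m-%d} by {reviewer}",
             f"Systems reviewed: {', '.join(sorted(systems))}",
             f"Findings: {len(findings)}"]
    lines += [f"  [{system}] {account}: {why}" for system, account, why in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    review_time = datetime(2026, 3, 2, 15, 0)  # constructed review date
    found = review_access(ROSTER, SYSTEM_USERS, review_time)
    print(review_record(found, SYSTEM_USERS, "CCO (placeholder name)", review_time))
```

The review record is the piece to keep: it carries the reviewer's name and date the examiner asks for, and re-running the script next quarter against fresh exports shows whether last quarter's findings were actually closed.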

How BlackSheep helps

BlackSheep tracks your access control inventory and sends quarterly review reminders. It flags when MFA is missing on connected systems and generates the access review documentation examiners expect.


6. Encryption (at rest and in transit)

What the examiner looks for

Evidence that client data is encrypted both when stored (at rest) and when transmitted (in transit). This includes laptops, email, cloud storage, backups, and any client-facing portals or websites. Examiners check whether HTTPS is enforced on your website, whether email encryption is available for sensitive communications, and whether laptops have full-disk encryption enabled.

What good looks like

Full-disk encryption (BitLocker or FileVault) enabled on every company laptop and verified quarterly. TLS 1.2 or higher enforced on all web services. Email encryption available and used for messages containing client PII. Cloud storage encryption enabled (most major providers do this by default, but you need to verify and document it). Client-facing websites enforcing HTTPS with a valid certificate.

Common failures

Laptops without full-disk encryption — especially personal devices used for work. Client-facing websites still accessible over HTTP without a redirect. Sending account statements or tax documents via unencrypted email. Assuming "the cloud handles encryption" without verifying the configuration.

How BlackSheep helps

BlackSheep's security scan checks your website for HTTPS enforcement, TLS version, and certificate validity. The platform also includes an encryption checklist for documenting at-rest encryption across your devices and storage systems.


7. Vendor Risk Management

What the examiner looks for

Written agreements with every third-party service provider that accesses, stores, or processes client data. These agreements should include data protection requirements, breach notification clauses (72-hour notification under updated Reg S-P), and the right to audit. Examiners ask for your vendor inventory and sample agreements.

What good looks like

A complete vendor inventory listing every service provider with access to client data, their role, the data they access, and the date of their last review. Each vendor has a written agreement that includes a 72-hour breach notification clause, minimum security requirements, and termination provisions. Annual vendor reviews are documented, noting any changes in the vendor's security posture or certifications.

Common failures

No vendor inventory at all. Agreements that do not include breach notification clauses. Using a SaaS tool that has access to client data without a formal agreement because "it's just a small tool." Never reviewing vendor security after the initial onboarding. Forgetting that your IT consultant, cloud backup provider, and email marketing platform all count as vendors.

How BlackSheep helps

BlackSheep maintains your vendor inventory with built-in review scheduling. It flags agreements missing required clauses and tracks vendor review completion dates, so nothing falls through the cracks before an exam.


8. Employee Training (documented)

What the examiner looks for

Records showing that all employees received cybersecurity awareness training within the past 12 months. Examiners ask for training dates, topics covered, and attendance records. They may also ask employees directly what they learned — which is why the training needs to be real, not a compliance checkbox.

What good looks like

Annual cybersecurity training covering phishing identification, password hygiene, social engineering, data handling procedures, and incident reporting. Attendance records with names, dates, and topics. Supplemental phishing simulations throughout the year with documented results. New employee training completed within 30 days of hire.

Common failures

Training that happened but was not documented. "We talked about it at a staff meeting" does not count without a record of the date, attendees, and topics. Training content that is too generic to be useful — a 15-minute video about password hygiene does not prepare staff for the social engineering tactics actually targeting RIAs.

How BlackSheep helps

BlackSheep includes cybersecurity training modules built for financial services firms. It tracks completion dates, generates attendance records, and runs phishing simulations with documented results — all stored in your compliance dashboard for easy retrieval during an exam.


9. Business Continuity / Disaster Recovery

What the examiner looks for

A written business continuity plan (BCP) and disaster recovery plan (DR) that address how the firm will continue operating after a disruption. Examiners check for defined recovery time objectives (RTOs), tested backup restoration, and alternate communication plans. They want to see that you have actually tested your backups — not just that they exist.

What good looks like

A BCP/DR plan that identifies critical systems and their recovery priorities. Defined RTOs (e.g., "email restored within 4 hours, portfolio management within 24 hours"). Backup restoration tested at least annually, with documented results including how long the restoration actually took. An alternate communication plan for reaching clients and staff if primary systems are down.

Common failures

Backups that have never been tested. The firm assumes its cloud provider handles disaster recovery, but has never verified this or tested a restore. No defined RTOs — the firm has no idea how long it can afford to be offline. A BCP that gives "call IT" as the recovery plan without any specifics.

How BlackSheep helps

BlackSheep's BCP/DR module walks you through creating a plan based on your actual systems and vendors. It schedules annual backup restoration tests, logs the results, and tracks your RTOs against actual recovery performance.


10. Board/Principal Oversight Evidence

What the examiner looks for

Documentation proving that firm leadership — principals, managing members, or the board — actively oversees the cybersecurity program. This is not just having a CCO who handles it. Examiners want evidence that leadership is informed, engaged, and making decisions about cybersecurity risk at the firm level.

What good looks like

Meeting minutes from quarterly or annual reviews where the cybersecurity program was discussed. Sign-off records showing principals approved the WISP, risk assessment, and incident response plan. A brief annual cybersecurity report to leadership summarizing the program's status, key risks, incidents (if any), and planned improvements. Board or principal signatures on policy documents with dates.

Common failures

The CCO runs the cybersecurity program in isolation, and firm principals have no idea what it contains. No meeting minutes referencing cybersecurity. No sign-offs on policy documents. Leadership's position is "we hired someone to handle that" — which does not satisfy the SEC's expectation that oversight comes from the top.

How BlackSheep helps

BlackSheep generates a quarterly executive summary of your cybersecurity program status, formatted for leadership review. It includes sign-off tracking so you can document that principals reviewed and approved policies, creating the oversight evidence examiners expect.


Score yourself

Go through each of the ten items above. For each one, ask: do we have written documentation that we could hand to an SEC examiner today?

Find out where you stand in under 2 minutes.

Run a free security scan on your firm
