What Actually Happens During an SEC Cybersecurity Exam (And How to Prepare)
Most CCOs have never been through an SEC cybersecurity examination. The uncertainty is the worst part — not knowing what they will ask, what they will check, or how long it takes. Here is what actually happens, step by step, so you can stop guessing and start preparing.
How firms get selected
The SEC's Division of Examinations does not examine every firm every year. They select firms using a combination of factors, and you will not know which factor put you on the list:
- Risk-based selection. Firms with higher AUM, more retail clients, complex business models, or prior compliance issues are examined more frequently. If you custody client assets or have discretionary authority, your risk profile is higher.
- Tip-offs and complaints. A client complaint, a whistleblower tip, or a suspicious SAR filing can trigger an examination. These are not routine — they are targeted, and examiners arrive with specific concerns.
- Routine scheduling. Some exams are simply the result of your firm coming up in the rotation. Newly registered firms often get examined within their first two years.
- Thematic sweeps. The Division publishes annual examination priorities. Cybersecurity has appeared on that list every year since 2014. When the SEC announces a thematic sweep on a topic — say, email security or Regulation S-P compliance — they select a batch of firms across the industry and examine them all on that topic. You do not get advance warning of the theme.
The key thing to understand: by the time you receive the examination notification letter, the scope is already set. You cannot influence what they will focus on. Your only option is to be ready before the letter arrives.
The document request
After the notification letter, the SEC sends a detailed document request list. This is where most firms start to panic. The request typically asks for:
- Your Written Information Security Policy (WISP) — the foundational document that describes your cybersecurity program
- Your most recent cybersecurity risk assessment, including the methodology and findings
- Your incident response plan, and any records of incidents that triggered it
- Your business continuity and disaster recovery plan
- Vendor due diligence documentation — how you evaluated the security posture of third-party service providers
- Vendor agreements, specifically looking for breach notification clauses and data handling terms
- Employee cybersecurity training records — who was trained, when, and on what
- Incident logs covering the examination period
- Access control documentation — who has access to what systems and client data
- Evidence of multi-factor authentication implementation
You typically have two to four weeks to produce these documents. That sounds like enough time until you realize you need to locate, compile, and review everything. If your WISP is a template you downloaded three years ago and never updated, that two-week window is going to feel very short.
What they check technically
This is the part that surprises most firms. SEC examiners do not just read your documents — they verify your claims against observable reality. Examination staff have become increasingly technical over the past several years, and their tooling has improved.
Examiners can and do check your public-facing technical posture:
- Email authentication. DMARC, SPF, and DKIM records on your domain. If your WISP says you have email security controls but your domain has no DMARC record or it is set to p=none, that is a documented gap between policy and practice.
- SSL/TLS configuration. Whether your website and client portal use current encryption standards. Expired certificates, weak cipher suites, and mixed content are all observable.
- Security headers. HTTP security headers on your web properties — Content-Security-Policy, X-Frame-Options, Strict-Transport-Security. These are basic hygiene items that indicate whether someone is actively managing your web security.
- Client portal security. If you provide clients access to a portal, examiners evaluate the authentication requirements, session management, and whether sensitive data is encrypted in transit and at rest.
The technical checks serve a specific purpose: they test whether your written policies reflect what is actually deployed. A WISP that claims "the firm maintains email authentication controls" while the domain has no DMARC record is a finding. Not because of the missing record alone, but because the policy does not match the practice.
You can see exactly what examiners would find on your domain right now. Run a free scan and compare the results to what your policies claim.
On-site or remote examination
SEC examinations can be conducted on-site at your office, remotely, or as a hybrid of both. Remote examinations became more common after 2020 and remain a standard option. Regardless of format, expect interviews with:
- The CCO. Examiners want to understand who owns cybersecurity compliance, what oversight the CCO exercises, and how cybersecurity fits into the firm's overall compliance program. They will ask about your process for identifying and responding to threats, not just whether you have a document that says you do.
- The CTO or IT contact. This could be an internal IT person or your outsourced IT provider. Examiners ask about patch management, access control procedures, backup testing, encryption implementation, and how security incidents are detected and escalated.
- The principal or CEO. In smaller firms especially, examiners want to gauge whether leadership understands and supports the cybersecurity program. A principal who cannot describe the firm's basic security posture signals a governance problem.
The interviews are process-oriented. Examiners ask questions like "Walk me through what happens when an employee reports a suspicious email" or "How do you evaluate a new vendor before granting them access to client data?" They are testing whether your team actually follows the procedures described in your policies, or whether the policies exist on paper only.
Common findings
SEC examination deficiency letters follow patterns. These are the findings that appear again and again, across firms of all sizes:
No written information security policy
The most basic finding. The firm either has no WISP at all, or has a generic template that was never customized to reflect the firm's actual environment, systems, and procedures. A WISP that references "the company's mainframe" when you are a 10-person RIA using cloud-based tools is not a WISP — it is evidence of inattention.
No documented risk assessment
Regulation S-P and SEC guidance require firms to identify and assess risks to client information. Many firms either skip this entirely or confuse a risk assessment with a penetration test. A risk assessment identifies threats, evaluates their likelihood and impact, and documents what controls are in place. A penetration test checks whether specific controls work. You need both, but they are not the same thing.
No incident response plan
When examiners ask "What would you do if you discovered a data breach tomorrow?" and the answer is "We would figure it out," that is a finding. An incident response plan documents roles, responsibilities, communication procedures, containment steps, and regulatory notification obligations. It should be written, reviewed, and tested before you need it.
No multi-factor authentication
MFA on email, client-facing systems, and any application that accesses client data is now a baseline expectation. The SEC has cited MFA failures in enforcement actions, including cases where a single compromised email account led to fraudulent wire transfers from client accounts.
No email authentication
Missing or misconfigured DMARC, SPF, and DKIM records. This is increasingly flagged because business email compromise is one of the top attack vectors against financial firms. If your domain can be spoofed, your clients are at risk.
Vendor agreements missing breach notification clauses
Firms rely on third-party vendors — custodians, CRM providers, portfolio management systems, cloud storage — but their service agreements do not include provisions requiring the vendor to notify the firm in the event of a security incident. If your vendor gets breached and you do not find out for months, that is your problem when the SEC asks about it.
What happens after the examination
After the examination concludes, one of three things happens:
- No action letter. The examination did not identify significant issues. This is the best outcome, but it does not mean you are exempt from future examinations.
- Deficiency letter. The most common outcome. The SEC sends a letter listing specific findings and areas where the firm's practices fell short. You are expected to respond with a remediation plan and timeline. Most firms receive some form of deficiency letter — the question is how many findings and how severe.
- Referral for enforcement. In cases of serious noncompliance, willful violations, or repeated failures to remediate known deficiencies, the matter can be referred to the Division of Enforcement. Enforcement actions can result in civil penalties, censure, suspension, or revocation of registration.
The deficiency letter gives you a window to fix things. Firms that respond promptly, document their remediation, and demonstrate improvement rarely escalate to enforcement. Firms that ignore deficiency letters or make superficial changes create a paper trail that makes enforcement action more likely in the next examination.
How to prepare
The firms that handle SEC examinations well share one trait: they are not scrambling. Their documents exist, are current, and are accessible. Their people can describe their processes because they actually follow them. Here is how to get there:
- Assemble your core documents now. WISP, risk assessment, incident response plan, BCP, vendor inventory with agreements. If any of these do not exist, create them. If they exist but are outdated, update them. Store them in a single, organized location where you can produce them within a day of receiving a document request.
- Verify your technical posture matches your policies. If your WISP says you enforce email authentication, confirm your DMARC record exists and is set to p=reject or p=quarantine. If your policy says you use MFA, confirm it is enabled on every system that accesses client data. The gap between what you write and what you deploy is the single most dangerous finding in an examination.
- Train your team on the interview. The CCO should be able to describe the cybersecurity program. The IT contact should be able to explain patch management, access controls, and incident detection. The principal should be able to articulate their role in cybersecurity governance. These are not trick questions — they just require that the people responsible actually know what they are responsible for.
- Review your vendor agreements. Check every third-party service provider agreement for breach notification clauses, data handling terms, and right-to-audit provisions. If those clauses are missing, negotiate amendments now — not after the document request arrives.
- Maintain an incident log. Even if nothing has happened, document that. A log showing "No reportable incidents during this period" with dates is better than no log at all. If incidents did occur, document the detection, response, and resolution.
- Do a dry run. Pull out the SEC's published cybersecurity examination checklist and go through it as if the document request just arrived. Can you produce everything? How long does it take? Where are the gaps? Finding gaps now is preparation. Finding them during an exam is a deficiency.
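The policy-versus-posture comparison described under "What they check technically" and in the "verify your technical posture" step above, as an added example that is not part of this article or of BlackSheep's product: a small Python script that parses DMARC and SPF TXT records, checks the HTTP security headers the article names, and reports every control the WISP claims that the observed posture does not back. The DNS records and response headers are constructed samples passed in as strings (the script does no live DNS or HTTP lookups), and the `email_authentication` and `web_security_headers` claim keys and the example-ria.test domain are assumptions made for the example.

```python
# Added example (not the article's or BlackSheep's code): compare what a WISP claims
# against observable email-authentication and web-header posture, fully offline.
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # the control the policy claims to have
    observed: str  # what the posture actually shows


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; rua=mailto:...') into lowercase tag -> value.
    Returns {} when the string is not a DMARC record (missing or wrong v= tag)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_status(txt_records: list) -> str:
    """Classify the _dmarc TXT records of a domain as 'missing', 'monitor-only' (p=none),
    'partial' (quarantine/reject sampled with pct < 100) or 'enforcing'."""
    records = [r for r in (parse_dmarc(t) for t in txt_records) if r]
    if len(records) != 1:  # none published, or duplicates (receivers then ignore DMARC)
        return "missing"
    tags = records[0]
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return "monitor-only"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct is treated as the default of 100
    return "enforcing" if pct >= 100 else "partial"


def spf_status(txt_records: list) -> str:
    """Classify a domain's SPF record by its 'all' mechanism: 'missing', 'redirected'
    (redirect= modifier, evaluate the target domain instead), 'permissive' (+all, ?all
    or no all term) or 'restrictive' (~all or -all)."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return "missing"
    terms = spf[0].split()
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirected"
    return "restrictive" if terms[-1].lower() in ("-all", "~all") else "permissive"


REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security",
    "content-security-policy": "Content-Security-Policy",
    "x-frame-options": "X-Frame-Options",
}


def missing_security_headers(headers: dict) -> list:
    """Return the names of required security headers absent from an HTTP response.
    A CSP with frame-ancestors supersedes X-Frame-Options, so that case is not flagged."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [name for key, name in REQUIRED_HEADERS.items() if key not in lowered]
    if "frame-ancestors" in lowered.get("content-security-policy", "").lower():
        missing = [m for m in missing if m != "X-Frame-Options"]
    return missing


def assess(policy: dict, dmarc_txt: list, spf_txt: list, headers: dict) -> list:
    """policy holds the WISP's claims, e.g. {'email_authentication': True, 'web_security_headers': True}.
    Each Finding is a claimed control the observed posture does not support."""
    findings = []
    if policy.get("email_authentication"):
        status = dmarc_status(dmarc_txt)
        if status != "enforcing":
            findings.append(Finding("email authentication (DMARC)", f"DMARC is {status}"))
        status = spf_status(spf_txt)
        if status in ("missing", "permissive"):
            findings.append(Finding("email authentication (SPF)", f"SPF is {status}"))
    if policy.get("web_security_headers"):
        missing = missing_security_headers(headers)
        if missing:
            findings.append(Finding("web security headers", "missing: " + ", ".join(missing)))
    return findings


# Constructed sample posture for a hypothetical firm domain; not real DNS or HTTP data.
SAMPLE_POLICY = {"email_authentication": True, "web_security_headers": True}
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example-ria.test"]
SAMPLE_SPF_TXT = ["v=spf1 include:_spf.example-mail.test ~all"]
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"}


def sample_findings() -> list:
    return assess(SAMPLE_POLICY, SAMPLE_DMARC_TXT, SAMPLE_SPF_TXT, SAMPLE_HEADERS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"GAP: policy claims {f.control}; observed {f.observed}")
```

To use it on your own domain, feed the TXT records returned for `_dmarc.<domain>` and for `<domain>` itself, plus the response headers of your website or client portal, into `assess()` together with the claims your WISP actually makes. Each GAP it prints is the kind of discrepancy between written policy and deployed control that the article says examiners treat as a finding; a DMARC record at p=none with a WISP that claims email authentication is the sample case the constructed data reproduces.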
How BlackSheep fits in
BlackSheep's RIA compliance platform is built around the SEC examination process. It generates and maintains your WISP, risk assessment, and incident response plan with the language examiners expect. It continuously monitors your domain for the same technical signals examiners check — DMARC, SPF, SSL, security headers — and flags gaps between your policies and your actual posture before an examiner does.
When the document request arrives, everything is already organized, current, and exportable. No scrambling. No two-week fire drill.
Find out what an SEC examiner would see on your domain today.
Run a free security scan