
BlackSheep Security Research

The State of RIA Cybersecurity

2026 Report

We scanned the public infrastructure of 8,802 SEC-registered investment advisory firms. 99% have at least one high-severity security gap. 83% have no DMARC record on the domain where their email is confirmed to run. The compliance date for the SEC's amended Reg S-P arrives for smaller advisers in June 2026. Most firms aren't ready.

By the numbers

What we found

  • 8,802 firms scanned
  • 99% have at least one high-severity gap
  • 57 average score out of 100
  • 3.0% earned an A grade

Key findings

The industry is failing on the basics

These aren't exotic vulnerabilities. They're the fundamentals that every compliance framework requires and every examiner checks.

83% have no DMARC record

The email phishing crisis

83% of RIAs have no DMARC record on the domain where their email is confirmed to run. Without one, anyone on the internet can send mail that appears to come from the firm's domain, and no receiving mail server has a policy telling it to reject that mail. For firms whose clients act on emailed wire instructions, this is the attack vector that leads to client losses.

Combined with the 54.8% that have no SPF record, much of the industry publishes no email authentication at all. An attacker can send a client an email reading "From: advisor@yourfirm.com" with instructions to wire funds, and without a DMARC policy nothing instructs the receiving server to treat it as fraudulent.

Only 5% of RIAs have DMARC set to "reject"
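The checks described above (and the SPF/DMARC recommendations later on this page), as an added example that is not BlackSheep's scanner: an offline evaluator that parses the SPF record a domain publishes and its _dmarc TXT record, then reports the findings this report counts and whether a spoofed From: would actually be refused. The four firms, their domain names and their records are constructed samples, and the function names are mine, not the report's.

```python
import re

# Added example, not BlackSheep's scanner: parse the SPF and DMARC TXT records
# a domain publishes and classify them the way this report does. A live scan
# would fetch TXT for <domain> and _dmarc.<domain>; here the records for four
# hypothetical firms are constructed inline.

SPF_ALL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(domain_txt):
    """Return the v=spf1 policy, or None when there is no SPF record (or more
    than one, which RFC 7208 treats as a permanent error)."""
    spf = [r for r in domain_txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    terms = spf[0].split()[1:]
    includes = [t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")]
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        result = "neutral"          # no 'all' mechanism: unlisted senders are neutral
    else:
        result = SPF_ALL[all_term[0]] if all_term[0] in SPF_ALL else "pass"
    return {"includes": includes, "all": result}


def parse_dmarc(dmarc_txt):
    """Return the tag/value pairs of the _dmarc.<domain> record, or None."""
    recs = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain_txt, dmarc_txt):
    """Findings for one domain, plus whether a spoofed From: would be refused."""
    spf = parse_spf(domain_txt)
    dmarc = parse_dmarc(dmarc_txt)
    findings = []
    if spf is None:
        findings.append("No SPF record")
    elif spf["all"] in ("pass", "neutral"):
        findings.append(f"SPF is '{spf['all']}' for unlisted senders: restricts nobody")

    policy, pct = None, 100
    if dmarc is None:
        findings.append("No DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()     # p= is mandatory; treat a missing one as none
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append('DMARC set to "none" (monitoring only)')
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        # sp= defaults to p=; an explicit weaker sp= leaves anything@sub.domain spoofable
        sp = dmarc.get("sp", "").lower()
        if policy == "reject" and sp and sp != "reject":
            findings.append(f"Subdomain policy is '{sp}': subdomains remain spoofable")
        if "rua" not in dmarc:
            findings.append("No rua= address: no aggregate reports to reveal abuse or breakage")

    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"spf": spf, "dmarc": dmarc, "policy": policy,
            "enforced": enforced, "findings": findings}


# Constructed records for four hypothetical firms (domain names are made up).
SAMPLE_DOMAINS = {
    "unprotected-ria.example": {
        "domain_txt": ["google-site-verification=abc123"],   # no v=spf1 record at all
        "dmarc_txt": [],                                      # no _dmarc record
    },
    "monitoring-ria.example": {
        "domain_txt": ["v=spf1 include:spf.protection.outlook.com -all"],
        "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring-ria.example"],
    },
    "half-enforced-ria.example": {
        "domain_txt": ["v=spf1 include:_spf.google.com ~all"],
        "dmarc_txt": ["v=DMARC1; p=quarantine; pct=50"],
    },
    "hardened-ria.example": {
        "domain_txt": ["v=spf1 include:spf.protection.outlook.com -all"],
        "dmarc_txt": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                      "rua=mailto:dmarc@hardened-ria.example"],
    },
}


def scan_samples():
    """Run the assessment over every constructed firm; keyed by domain."""
    return {name: assess_email_auth(**recs) for name, recs in SAMPLE_DOMAINS.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        status = "enforced" if result["enforced"] else "SPOOFABLE"
        print(f"{name:28} p={str(result['policy']):11} {status:10} "
              f"{'; '.join(result['findings']) or 'no findings'}")
```

The monitoring-only firm is the "DMARC set to none" row of the data table: it has SPF and a DMARC record, but because p=none asks receivers to do nothing, a spoofed message is delivered exactly as it would be with no record at all. The pct=50 case is the trap between quarantine and reject: half of failing mail still lands.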

Client portals are exposed

We identified client login pages on 3,763 RIA websites (42.8%). Nearly every RIA offers a client portal; these are the ones where the login page was detectable on the firm's public website. Of those we identified:

  • 63.1% have no HSTS, so a client's first request (or one forced by an attacker on the same network) can reach the login page over plain HTTP
  • 81.8% have no Content-Security-Policy, leaving no second line of defense if the page has a cross-site scripting bug
  • 3.6% don't redirect HTTP to HTTPS, so a client who types the address without https:// submits credentials in the clear

81.8% of detected login pages have no CSP header
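The portal checks above (and the HSTS and Content-Security-Policy recommendations later on this page), as an added example that is not BlackSheep's scanner: the response-header tests applied to two constructed responses for one hypothetical portal, once as a weak configuration and once with the headers the recommendations call for. The hostname and the header values are mine; a live scan would fetch the http:// and https:// URLs itself and feed the answers in.

```python
import re

# Added example, not BlackSheep's scanner: the header checks this report runs
# against a client-portal login page, applied to two constructed responses for
# one hypothetical portal, before and after hardening. A live scan would
# request the http:// and https:// URLs itself.

ONE_YEAR = 31536000


def check_http_probe(status, headers):
    """The plain http:// request should be answered only with a redirect to https://."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and h.get("location", "").lower().startswith("https://"):
        return []
    return ["No HTTP-to-HTTPS redirect"]


def parse_csp(value):
    """'default-src x; script-src y z' -> {'default-src': ['x'], 'script-src': ['y', 'z']}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_https_response(headers):
    """Findings for the https:// login page, in the order the report lists them."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("No HSTS enforcement")
    elif int(hsts.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("No Content-Security-Policy header")
    else:
        script_src = csp.get("script-src", csp.get("default-src"))
        if script_src is None or "*" in script_src:
            findings.append("CSP does not restrict script sources")
        elif "'unsafe-inline'" in script_src and not any(
                t.startswith(("'nonce-", "'sha")) for t in script_src):
            findings.append("CSP allows inline scripts ('unsafe-inline' without nonce/hash)")

    # frame-ancestors in CSP supersedes X-Frame-Options; either one closes the gap
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("No X-Frame-Options (clickjacking risk)")

    if re.search(r"\d", h.get("server", "")):
        findings.append("Server version exposed")

    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Open CORS policy (data theft risk)")
    return findings


# Constructed responses for a hypothetical portal, portal.example-ria.example.
WEAK_PORTAL = {
    "http": (200, {"Server": "nginx/1.18.0", "Content-Type": "text/html"}),   # login served over http
    "https": {"Server": "nginx/1.18.0", "Content-Type": "text/html",
              "Access-Control-Allow-Origin": "*"},
}
HARDENED_PORTAL = {
    "http": (301, {"Location": "https://portal.example-ria.example/login"}),
    "https": {
        "Server": "nginx",
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": ("default-src 'self'; script-src 'self'; object-src 'none'; "
                                    "frame-ancestors 'none'; form-action 'self'; base-uri 'self'"),
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
}


def scan_portal(portal):
    """Both probes for one portal: the http:// redirect test, then the https:// headers."""
    status, headers = portal["http"]
    return check_http_probe(status, headers) + check_https_response(portal["https"])


if __name__ == "__main__":
    for name, portal in (("weak", WEAK_PORTAL), ("hardened", HARDENED_PORTAL)):
        print(f"{name}: {scan_portal(portal) or ['no findings']}")
```

The hardened header set is the minimum a login page should ship with: HSTS for at least a year, a CSP whose script-src names no wildcard and no 'unsafe-inline', frame-ancestors 'none' (X-Frame-Options is kept for older browsers), and a Server header with no version string. The HTTP-to-HTTPS redirect stays in place even with HSTS, because HSTS only protects clients who have already visited the site over HTTPS.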

The data

Security gaps across 8,802 firms

Finding                                     Affected       %
No DMARC record                                5,143   83.0%
No Content-Security-Policy header              6,478   73.6%
No SPF record                                  3,396   54.8%
No X-Frame-Options (clickjacking risk)         5,008   56.9%
No HSTS enforcement                            4,260   48.4%
No privacy policy visible                      4,078   46.3%
Robots.txt exposes admin paths                 2,374   27.0%
No HTTP-to-HTTPS redirect                      1,243   14.1%
Open CORS policy (data theft risk)               670    7.6%
Server version exposed                           601    6.8%
DMARC set to "none" (monitoring only)            522    5.9%
SSL certificate expired                          217    2.5%
Self-signed SSL certificate                       45    0.5%

The "No DMARC record" and "No SPF record" rows are measured against the 6,195 firms with a confirmed email platform (see Methodology); every other row is against all 8,802 firms.

Overall grades

51% of firms score C or below

The average score is 57, which on this scale falls in the C range (40-59), not a B.

Grade   Score     Firms   Share
A       80-100      263    3.0%
B       60-79     4,031   45.8%
C       40-59     3,863   43.9%
D       20-39       249    2.8%
F       0-19        396    4.5%

By AUM tier

Bigger doesn't mean safer

A common assumption is that larger firms have better security. Our data tells a different story. The $10B+ tier averages just 61.8, the bottom of the B range, and 84.2% of those firms have no DMARC record, no better than the 82.4% of firms under $100M.

AUM tier         Avg score   No DMARC   Critical
$10B+                 61.8      84.2%      85.2%
$1B-$10B              58.1      83.3%      85.4%
$500M-$1B             57.1      85.0%      87.0%
$100M-$500M           55.9      87.6%      89.4%
Under $100M           55.6      82.4%      85.2%

AUM does not predict security: the spread in average score across all tiers is only 6.2 points.

Email infrastructure

75.8% use Microsoft 365 — but still don't configure DMARC

MX records only show the first hop — often an email security gateway or website builder. We used autodiscover CNAME records, EHLO banner grabbing, Microsoft TXT verification, and SPF includes to identify the actual platform behind each firm.

  • 75.8% Microsoft 365 (6,675 firms confirmed)
  • 9.3% Google Workspace (820 firms confirmed)
  • 1.8% Security gateways (Proofpoint, Mimecast, etc.)
  • 1.4% Shared hosting (GoDaddy and similar)
  • 0.5% Self-hosted (Postfix, Exim, Sendmail)

The paradox

Microsoft 365 supports SPF, DKIM, and DMARC natively: SPF and DMARC are two TXT records at the firm's DNS host, and DKIM is switched on per domain in the Microsoft 365 admin center with two CNAME records. Configuration takes minutes. Yet 83% of firms on confirmed email domains still have no DMARC. The platform makes it easy. Firms just aren't doing it.

How we determined this

MX records only show the first hop. We used four additional signals: autodiscover CNAME records, MS= TXT domain verification records, SPF includes, and SMTP EHLO banner grabbing on port 25. Of the firms whose MX points at Proofpoint, 93.7% run Microsoft 365 behind the gateway; for Mimecast the figure is 95.7%.
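The identification method described above, as an added example that is not BlackSheep's pipeline: a resolver-free classifier that takes a firm's MX hosts, autodiscover CNAME and TXT records and works out which platform actually holds the mailboxes, treating a gateway MX as a first hop rather than an answer. The EHLO banner and SIP SRV signals the report also uses need live connections and are left out. The four firms and every DNS answer below are constructed, and the suffix tables are my own assumptions about the hostnames each vendor uses.

```python
# Added example, not BlackSheep's pipeline: infer the platform that actually
# hosts a firm's mailboxes from the DNS signals the methodology lists (MX,
# autodiscover CNAME, MS= verification TXT, SPF includes). The EHLO banner and
# SIP SRV signals the report also uses need live connections and are omitted.
# All DNS answers below are constructed for hypothetical firms.

GATEWAY_MX = {"pphosted.com": "Proofpoint", "mimecast.com": "Mimecast"}
PLATFORM_MX = {
    "mail.protection.outlook.com": "Microsoft 365",
    "google.com": "Google Workspace",          # aspmx.l.google.com, alt1.aspmx.l.google.com, ...
    "secureserver.net": "Shared hosting (GoDaddy)",
}
# Signals that survive a gateway sitting in front of the MX.
PLATFORM_SIGNALS = [
    ("autodiscover", "autodiscover.outlook.com", "Microsoft 365"),
    ("spf_include", "spf.protection.outlook.com", "Microsoft 365"),
    ("txt_prefix", "ms=ms", "Microsoft 365"),   # MS=ms12345678 domain-verification record
    ("spf_include", "_spf.google.com", "Google Workspace"),
]
UNRECOGNISED = "Unrecognised MX (needs an EHLO banner grab to classify)"


def suffix_match(host, table):
    """Map a hostname to a vendor by DNS suffix, or None."""
    host = host.lower().rstrip(".")
    for suffix, name in table.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def identify_platform(dns):
    """dns = {'mx': [hosts], 'autodiscover_cname': host or None, 'txt': [records]}"""
    evidence, votes, first_hop, mx_platform = [], {}, None, None
    for mx in dns.get("mx", []):
        gateway = suffix_match(mx, GATEWAY_MX)
        if gateway:
            first_hop = gateway
            evidence.append(f"MX {mx}: gateway {gateway}, says nothing about the mailbox platform")
            continue
        platform = suffix_match(mx, PLATFORM_MX)
        if platform:
            mx_platform = platform
            evidence.append(f"MX {mx}: {platform}")

    txt = dns.get("txt", [])
    cname = (dns.get("autodiscover_cname") or "").lower().rstrip(".")
    spf = next((r for r in txt if r.lower().startswith("v=spf1")), "")
    includes = [t.split(":", 1)[1].lower() for t in spf.split() if t.lower().startswith("include:")]
    for kind, needle, platform in PLATFORM_SIGNALS:
        hit = ((kind == "autodiscover" and cname == needle)
               or (kind == "spf_include" and needle in includes)
               or (kind == "txt_prefix" and any(r.lower().startswith(needle) for r in txt)))
        if hit:
            votes[platform] = votes.get(platform, 0) + 1
            evidence.append(f"{kind} {needle}: {platform}")
    if mx_platform:
        votes[mx_platform] = votes.get(mx_platform, 0) + 1

    if votes:
        platform = max(votes, key=votes.get)
    elif dns.get("mx") and first_hop is None:
        platform = UNRECOGNISED
    else:
        platform = None          # gateway only, or no MX at all: not confirmed
    confirmed = platform not in (None, UNRECOGNISED)
    return {"first_hop": first_hop or platform, "platform": platform,
            "confirmed": confirmed, "evidence": evidence}


# Constructed DNS answers for four hypothetical firms.
SAMPLE_DNS = {
    "firm-a.example": {   # Proofpoint in front of Microsoft 365; the MX alone would say "Proofpoint"
        "mx": ["mx0a-00123456.pphosted.com", "mx0b-00123456.pphosted.com"],
        "autodiscover_cname": "autodiscover.outlook.com",
        "txt": ["MS=ms12345678",
                "v=spf1 include:spf.protection.outlook.com include:spf-00123456.pphosted.com -all"],
    },
    "firm-b.example": {   # Google Workspace with no gateway
        "mx": ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
        "autodiscover_cname": None,
        "txt": ["v=spf1 include:_spf.google.com ~all"],
    },
    "firm-c.example": {   # its own MX and no platform signals: only a banner grab can classify it
        "mx": ["mail.firm-c.example"],
        "autodiscover_cname": None,
        "txt": [],
    },
    "firm-d.example": {   # Mimecast in front of a platform that left no DNS trace
        "mx": ["us-smtp-inbound-1.mimecast.com"],
        "autodiscover_cname": None,
        "txt": ["v=spf1 include:us._netblocks.mimecast.com -all"],
    },
}


def classify_samples():
    """Classify every constructed firm; keyed by domain."""
    return {name: identify_platform(dns) for name, dns in SAMPLE_DNS.items()}


if __name__ == "__main__":
    for name, r in classify_samples().items():
        print(f"{name:16} first hop: {r['first_hop']!s:14} platform: {r['platform']!s:16} "
              f"confirmed: {r['confirmed']}")
```

firm-a is the case the report calls out: every MX record points at Proofpoint, yet three independent signals (the autodiscover CNAME, the MS= verification record and the SPF include) all say Microsoft 365, so the firm is counted against the Microsoft total. firm-d shows the opposite: a gateway MX with nothing behind it in DNS is not confirmed and would fall into the report's remaining 11.2%.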

The remaining 11.2%

Most "undetectable" firms aren't using an exotic platform. They're subsidiaries running email on a parent company domain, firms whose website URL pointed to social media or podcast platforms rather than their corporate site, or firms behind CDN proxies that blocked our detection. Actual self-hosted email servers account for just 0.5% of the industry.

Regulatory context

What SEC examiners are looking for

The SEC's 2026 Examination Priorities explicitly cite cybersecurity controls for investment advisers. Here's what they evaluate:

  01 Written information security policies: documented, not ad hoc
  02 Risk assessments: annual, covering all systems that touch client data
  03 Incident response plans: tested and ready to execute
  04 Vendor oversight: third-party risk management procedures
  05 Access controls: who can access what, and whether permissions are reviewed
  06 Email security: authentication controls to prevent client-facing fraud

What a deficiency looks like

  1. Deficiency letter citing Rule 206(4)-9
  2. 90-day remediation deadline
  3. Follow-up examination
  4. Referral to Enforcement

Recommendations

Five actions you can take this week

1. Deploy DMARC and move it to a "reject" policy

   About 30 minutes of DNS work, and nothing else has this ROI: once p=reject is published, receiving mail servers refuse mail that claims to be from your domain but fails authentication. Publish SPF and DKIM first, start at p=none with an rua= reporting address so you can see which legitimate senders (CRM, e-signature, newsletter tools) would be blocked, then step up to quarantine and finally reject.

2. Add SPF and DKIM

   SPF is a TXT record listing which servers may send for your domain; end it with -all. DKIM cryptographically signs your messages so receivers can verify them; on Microsoft 365 it is enabled per domain and needs two CNAME records. Both are free, and DMARC needs at least one of them to align with the From: domain.

3. Enable HSTS

   One HTTP response header, Strict-Transport-Security, that tells browsers to use only HTTPS for your domain for the stated max-age. It takes effect after the first HTTPS visit, so keep the HTTP-to-HTTPS redirect in place as well. Essential if you have a client portal.

4. Add a Content-Security-Policy header

   Restricts where scripts and other content on your pages may be loaded from, which blunts cross-site scripting attacks against your clients even when an injection bug exists. Start with a report-only policy to find what it breaks before enforcing it.

5. Document your cybersecurity program

   Written policies, an annual risk assessment, and an incident response plan. This is what SEC examiners ask for first.

Your turn

Find out where your firm stands

Enter your work email and we'll scan your firm's domain for the same gaps we found across the industry. Full report in your inbox in minutes.

Based on publicly accessible infrastructure only. No systems accessed or tested beyond what any internet user can observe.

Methodology

Behind the data

BlackSheep analyzed the publicly accessible infrastructure of 8,802 SEC-registered investment advisory firms across four categories: SSL/TLS security, email authentication (SPF, DMARC, DKIM), HTTP security headers, and technology configuration.

Each firm received a composite score (0-100) and letter grade (A through F). All data was collected from publicly accessible infrastructure only — no systems were accessed, penetrated, or tested beyond what any internet user can observe.

Email platform identification used multiple signals beyond MX records: autodiscover CNAME records, Microsoft domain verification TXT records, SPF includes, SIP federation SRV records, and SMTP EHLO banner grabbing. Email authentication statistics (DMARC, SPF) are reported against the 6,195 firms where we confirmed the email platform runs on the domain being measured.

Data collected April 2026. Individual firm results are not disclosed in this report.

This report was produced by BlackSheep, a cybersecurity compliance platform purpose-built for regulated industries. 21 frameworks. $249/month.

Copyright 2026 BlackSheep Security. This report may be shared freely with attribution.