Definitive Guide

SEC Cybersecurity Rule for Registered Investment Advisors

The complete guide to SEC cybersecurity requirements for registered investment advisors — rule requirements, examination preparation, policy development, incident response, and how to build a defensible compliance program.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

SEC cybersecurity requirements for investment advisors

The Securities and Exchange Commission has made cybersecurity a top examination priority for registered investment advisors (RIAs). Through a combination of rule proposals, enforcement actions, and examination focus areas, the SEC has established clear expectations for how RIAs must manage cybersecurity risk. The SEC's approach to RIA cybersecurity is rooted in the Investment Advisers Act of 1940, particularly the fiduciary duty to protect client assets and information. The SEC views cybersecurity failures as potential violations of an advisor's fiduciary obligations, anti-fraud provisions, and compliance program requirements.

Key SEC cybersecurity expectations for RIAs include: written cybersecurity policies and procedures, risk assessments addressing cybersecurity threats, incident response planning and notification, vendor and third-party risk management, data protection and encryption, access controls and authentication, employee training, and board or senior management oversight.

The SEC Division of Examinations (formerly OCIE) has included cybersecurity in its examination priorities every year since 2014, with increasing specificity about what examiners look for. RIAs should expect cybersecurity to be examined in every routine examination, and deficiency letters related to cybersecurity have become increasingly common.

Unlike the FTC Safeguards Rule, which prescribes specific technical controls, the SEC takes a principles-based approach. There is no checklist of required technologies. Instead, the SEC expects RIAs to implement cybersecurity measures that are "reasonably designed" to protect client information and assets, tailored to the firm's size, complexity, and risk profile.

Preparing for an SEC cybersecurity examination

SEC examiners evaluate your cybersecurity program across multiple dimensions. Here is what they look for and how to prepare.

Governance and risk management — Examiners want to see that cybersecurity is treated as a business risk, not just an IT issue. Demonstrate that senior management or the board is involved in cybersecurity oversight, that you have a designated person responsible for cybersecurity (similar to a CCO for compliance), and that cybersecurity risks are formally assessed and documented.

Written policies and procedures — You need comprehensive, written cybersecurity policies. The SEC expects these to cover: data classification and protection, access control and authentication, email and internet use, mobile device and remote work security, vendor management, incident response, business continuity, and data disposal. These policies must be reasonably tailored to your firm — generic templates with your firm's name inserted are a red flag.

Incident response — The SEC expects a documented incident response plan that has been tested. Examiners will ask: Have you had any cybersecurity incidents? How did you respond? Did you follow your plan? Did you notify affected clients? Did you report to the SEC? If you have never practiced your plan, that is a deficiency.

Technical controls — While the SEC does not prescribe specific technologies, examiners evaluate whether your controls are reasonable. They check for: encryption of client data (at rest and in transit), MFA on systems accessing client information, patch management processes, network security (firewalls, segmentation), endpoint protection, and email security.

Vendor management — The SEC expects you to evaluate and monitor the cybersecurity of your service providers: custodians, technology vendors, cloud providers, and subadvisors. Examiners will ask for your vendor due diligence documentation and how you monitor ongoing vendor security.

Training — All employees should receive cybersecurity awareness training at least annually. Examiners will ask for training records, topics covered, and how training is tailored to different roles (advisors vs. operations vs. IT).

Cyber Defense Agent helps RIAs prepare for examinations by providing continuous external monitoring, documented security posture evidence, and framework mapping that demonstrates a structured approach to cybersecurity. Your CDA scan results and Cyber Defense Score provide tangible evidence of proactive security management.

Building your RIA cybersecurity program

Here is a step-by-step approach to building a defensible cybersecurity program for your RIA.

Step 1: Governance (Week 1). Designate a cybersecurity lead — this can be your CCO, COO, or an outsourced provider. Document the designation and reporting structure. Brief your firm's principals on their cybersecurity oversight responsibilities. Add cybersecurity as a standing agenda item for management meetings.

Step 2: Risk assessment (Weeks 2-3). Conduct a written risk assessment covering: your firm's data and systems inventory, threats specific to investment advisors (BEC targeting wire transfers, client account takeover, insider trading data theft), vulnerabilities in your environment, and the potential impact of a cybersecurity incident on your clients and firm. Run a Cyber Defense Agent scan to identify external technical risks automatically.

Step 3: Policies and procedures (Weeks 3-6). Develop written policies covering the areas the SEC examines: information security, data classification, access control, email and internet use, mobile devices, incident response, vendor management, business continuity, and data disposal. Tailor each policy to your firm — do not use generic templates verbatim.

Step 4: Technical controls (Weeks 4-8). Implement controls based on your risk assessment: enable MFA on all systems, encrypt client data at rest and in transit, implement email authentication (SPF/DKIM/DMARC), deploy endpoint protection, configure firewall rules, and establish patch management. Use CDA scan results to prioritize external controls.

Step 5: Vendor management (Weeks 6-8). Inventory all service providers. Categorize them by risk level (custodians and technology providers are high risk). Request SOC 2 reports or security documentation. Include cybersecurity requirements in contracts. Schedule annual vendor reviews.

Step 6: Training (Week 8). Conduct initial cybersecurity awareness training for all employees. Cover phishing, social engineering, password security, data handling, and incident reporting. Schedule annual refresher training and document everything.

Step 7: Ongoing management. Enroll in CDA for continuous external monitoring. Review scan results monthly. Update your risk assessment annually. Test your incident response plan with tabletop exercises. Report to principals quarterly on cybersecurity posture.

Total implementation time: 8-12 weeks. Ongoing commitment: 5-10 hours per month for a small RIA.
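The email authentication item in Step 4 is the one control in this plan that a firm can verify itself from public DNS records, and it is also a common source of examination findings (a published policy that says "we authenticate our email" while the DMARC record still says p=none). The following script is an added example, not code from this guide or from Cyber Defense Agent. It evaluates SPF and DMARC TXT record strings against the checks a reviewer would apply (a missing record, a permissive "+all", more than the ten DNS-lookup mechanisms RFC 7208 allows, a monitor-only DMARC policy, partial pct, and missing aggregate reporting). The two domains and their records are constructed samples; a real run would fetch the TXT records with a DNS resolver and pass the strings to the same functions.

```python
"""Offline SPF/DMARC record review (added example; not the guide's or CDA's code).

Assumptions (not from the guide): the record strings in SAMPLE_RECORDS are
constructed sample DNS TXT values for hypothetical domains. In practice you
would fetch the TXT record for <domain> and _dmarc.<domain> with a resolver
and hand the strings to assess_domain().
"""
from __future__ import annotations

from dataclasses import dataclass

# SPF mechanisms/modifiers that each cost a DNS lookup; RFC 7208 caps them at 10.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class Finding:
    control: str   # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


def check_spf(record: str | None) -> list[Finding]:
    """Evaluate one SPF TXT record string and return any weaknesses found."""
    findings: list[Finding] = []
    if record is None:
        return [Finding("SPF", "high", "no SPF record published; any host may send as this domain")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1 and will be ignored")]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name precedes ':' (include:, a:, ip4:) or '=' (redirect=)
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS-lookup mechanisms exceed the limit of 10; receivers return permerror"))
    if all_qualifier is None:
        findings.append(Finding("SPF", "medium", "no 'all' mechanism; unmatched senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(Finding("SPF", "high", "'+all' authorizes every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(Finding("SPF", "medium", "'?all' is neutral; use '~all' or '-all'"))
    elif all_qualifier == "~":
        findings.append(Finding("SPF", "low", "'~all' is softfail; move to '-all' once every legitimate sender is listed"))
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str | None) -> list[Finding]:
    """Evaluate one DMARC TXT record string (from _dmarc.<domain>)."""
    findings: list[Finding] = []
    if record is None:
        return [Finding("DMARC", "high", "no DMARC record; spoofed mail is neither rejected nor reported")]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "high", "record does not begin with v=DMARC1 and will be ignored")]
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(Finding("DMARC", "medium", "p=none only monitors; move to quarantine or reject"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "high", "missing or invalid p= tag; record is not valid"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "low", f"pct={pct} applies the policy to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address; aggregate reports (useful examination evidence) will not arrive"))
    return findings


def assess_domain(spf: str | None, dmarc: str | None) -> list[Finding]:
    """Combine the SPF and DMARC reviews for one domain."""
    return check_spf(spf) + check_dmarc(dmarc)


# Constructed sample records for two hypothetical firms (not real domains).
SAMPLE_RECORDS = {
    "weak-ria.example": {
        "spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "hardened-ria.example": {
        "spf": "v=spf1 include:_spf.example.net mx -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened-ria.example",
    },
}

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain)
        for f in assess_domain(recs["spf"], recs["dmarc"]):
            print(f"  [{f.severity}] {f.control}: {f.message}")
```

Running it prints four findings for the weak sample (the "+all", the monitor-only policy, the partial pct, and the missing rua address) and none for the hardened one. The findings list, with a date stamp, is the kind of record an examiner can compare against the written policy; re-running it after each DNS change gives the "policy matches reality" evidence the enforcement section below describes.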

SEC enforcement and the cost of non-compliance

The SEC has moved beyond issuing guidance and into active enforcement of cybersecurity requirements for investment advisors. Understanding the enforcement landscape helps you prioritize your compliance program.

Recent SEC cybersecurity enforcement actions against investment advisors have resulted in penalties ranging from $75,000 to over $1 million. Common enforcement themes include: failure to adopt reasonably designed cybersecurity policies, misleading clients about cybersecurity practices (saying you have controls you do not actually implement), failure to notify clients of data breaches in a timely manner, and inadequate vendor oversight leading to client data exposure.

The SEC has been particularly aggressive about "paper programs" — firms that have written policies but have not actually implemented or followed them. Examiners test whether your policies match reality. If your policy says you encrypt all client data but your email is unencrypted, that is worse than having no policy at all because it demonstrates both a security failure and a dishonesty to clients.

Beyond SEC penalties, cybersecurity failures expose RIAs to: client lawsuits for breach of fiduciary duty, state regulatory actions, loss of AUM as clients leave after a breach, errors and omissions insurance claims, and reputational damage in an industry built on trust.

The investment required to build and maintain a cybersecurity program ($10,000-$30,000 annually for a small RIA) is a fraction of the potential cost of a single enforcement action or data breach. And unlike a penalty, your cybersecurity program is an asset that protects your clients and your business every day. Start with a free Cyber Defense Agent scan to see where your firm stands today. Address critical findings immediately, then systematically build your program using the steps in this guide.

How Cyber Defense Agent supports SEC compliance

Cyber Defense Agent addresses several key areas that SEC examiners evaluate:

Continuous monitoring evidence — The SEC wants to see that you are proactively managing cybersecurity, not just checking a box annually. CDA provides continuous external scanning that generates timestamped evidence of ongoing security monitoring. This is exactly the kind of proactive program examiners want to see.

Technical control verification — CDA verifies encryption (TLS/SSL), email authentication (SPF/DKIM/DMARC), security headers, open ports and services, and DNS security configuration. These are the external technical controls examiners assess. CDA results provide objective, third-party evidence that your controls are functioning.

Framework mapping — Every CDA finding maps to NIST CSF 2.0 and CIS Controls. When an SEC examiner asks what framework you follow, you can demonstrate alignment with NIST CSF — the most recognized cybersecurity framework — supported by continuous automated evidence.

Cyber Defense Score — Your score provides a quantified metric for management reporting and client communication. "Our Cyber Defense Score is 85/100 and has improved 12 points this year" is a meaningful statement for principals, compliance committees, and clients.

Trust page — CDA's public trust page can be shared with clients and prospects as evidence of your cybersecurity commitment. In an industry where trust is everything, demonstrating proactive security is a competitive advantage.

Examination documentation — CDA scan history, finding trends, and remediation records provide a ready-made documentation package for SEC examinations. Instead of scrambling to gather evidence when you receive an examination notice, your CDA dashboard contains months or years of continuous monitoring data.

For RIAs, CDA at $149/month is the most cost-effective way to establish continuous, documented external security monitoring — a core expectation of SEC cybersecurity examinations.

Key Takeaways

The SEC views cybersecurity failures as potential violations of an RIA's fiduciary duty to protect client assets and information.

SEC examiners evaluate governance, policies, technical controls, vendor management, training, and incident response in every examination.

The SEC is actively enforcing cybersecurity requirements with penalties ranging from $75,000 to over $1 million for investment advisors.

"Paper programs" — written policies without actual implementation — are a specific SEC enforcement target and worse than having no policies.

Cyber Defense Agent provides continuous external monitoring and examination-ready documentation for $149/month.

Frequently asked questions

Does the SEC require a specific cybersecurity framework?

No. The SEC does not mandate a specific framework. However, SEC guidance and examination focus areas align closely with NIST CSF. Using NIST CSF 2.0 as your framework and demonstrating alignment through tools like Cyber Defense Agent creates a strong, defensible position in an examination. Many SEC-examined firms use NIST CSF as their primary framework.

How often does the SEC examine cybersecurity?

Cybersecurity has been in the SEC Division of Examinations' annual priorities since 2014 and is evaluated in virtually every routine examination. The SEC also conducts targeted cybersecurity sweeps of specific firm types or risk areas. Assume cybersecurity will be examined every time and prepare accordingly.

Do I need a separate cybersecurity policy or can I include it in my compliance manual?

The SEC expects comprehensive, written cybersecurity policies. While they can be part of your compliance manual, they should be substantive and detailed — not a single paragraph. Best practice is to have a standalone information security policy with supporting procedures, cross-referenced in your compliance manual. This shows examiners you take cybersecurity seriously as a distinct risk area.

What happens if I have a data breach?

Notify your CCO and cybersecurity lead immediately. Activate your incident response plan. Contact your cyber insurance carrier (often required within 24-72 hours). Consider whether SEC notification is required. Assess client notification obligations under state breach notification laws. The SEC has penalized firms for failing to notify clients promptly after breaches. Document everything.

Can a small RIA comply without a large IT budget?

Yes. The SEC expects controls to be "reasonably designed" and scaled to your firm's size and complexity. A small RIA can build a defensible program with: MFA on all systems (free-$5/user/month), email authentication (free), endpoint protection ($5-$15/seat/month), Cyber Defense Agent ($149/month), written policies (your time), and annual training (free resources available). Total annual cost: $3,000-$8,000 for a small firm.
