Preparing for an SEC Cybersecurity Examination: A Guide for RIAs

Cybersecurity risk is becoming harder for RIAs to separate from regulatory risk. Verizon's 2025 Data Breach Investigations Report found that the share of breaches involving ransomware rose 37% over the prior year's report, and that exploitation of vulnerabilities as an initial access vector grew 34%. Third parties were involved in 30% of breaches, up from 15% the year before. Those numbers matter for investment advisory firms because cybersecurity oversight now has to cover internal systems, vendor access, and the evidence behind each response decision.

As attacks have risen, SEC examinations have shifted their emphasis toward evidence that cybersecurity controls actually operate, not just the policies that describe them, at registered investment advisers (RIAs) and other financial services firms.

RIAs should expect examiners to look past the policy binder. The harder questions are usually operational. Where is the alert? Who reviewed it? What did the firm decide? Was customer information involved? Regulation S-P makes those records more important because the firm’s response, notification, and vendor oversight obligations all rely on the same trail of evidence.

What SEC Cybersecurity Examinations Evaluate

SEC cybersecurity examinations are part of routine oversight for registered investment advisers, but they are not just a policy review. The Division of Examinations uses these reviews to understand how firms protect client data, monitor for security issues, and respond when something goes wrong. Cybersecurity has remained, in the SEC's words, "a perennial examination priority," so RIAs should expect examiners to ask how the program works in practice.

SEC examiners assess how well a firm protects its client data, how effectively its IT and security teams detect threats, and how it responds to security incidents. They also assess data loss prevention controls, access management, governance practices, and the maturity of incident response capabilities.

Examiners give more weight to evidence of how a firm actually operates than to written policies, which may or may not match that evidence. In other words, examiners want receipts: the logs, the investigation records, and the documented decisions that back up the procedures which reference them.

Why Cybersecurity Oversight Has Intensified

Given the rise of cyber threats and the fact that RIAs handle sensitive financial and investor data, regulators expect them to monitor their technology stack for threats and vulnerabilities continuously. They also look for structured response capabilities. A firm that detects an anomaly but cannot show how it was investigated and resolved has, in the eyes of an examiner, a gap in its program.

The 2024 amendments to Regulation S-P require covered institutions, including RIAs, to adopt written policies and procedures for an incident response program "reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information."

The amendments also set a notification deadline (affected individuals must be notified as soon as practicable, and no later than 30 days after the firm becomes aware that unauthorized access to their information has occurred or is reasonably likely to have occurred) and require documented oversight of service providers, including due diligence and monitoring of how those providers handle customer information. In other words, the regulation formalizes what good security operations should already look like and ties it to enforceable requirements. You can read more about how threat and vulnerability management support this kind of continuous oversight.

The Evidence Regulators Expect to See

SEC examiners will want to see documentation showing how firms detect, track, investigate, and resolve cybersecurity incidents. Documentation should also outline how the firm oversees third-party partners, including vendors.

Examiners also expect security event logs, incident response records, and related data to be centralized so that both examiners and responders can retrieve them quickly. Centralized reporting demonstrates that a firm actively monitors threats and incidents and has repeatable processes for recording and responding to them.

How Logging and Monitoring Demonstrate Ongoing Oversight

Event logging and monitoring are two halves of the same operational concept. Centralized logging aggregates activity across a firm's systems, including internal networks, cloud services, and endpoints such as laptops and mobile devices. Monitoring relies on those logs to identify anomalies, such as bursts of failed logins followed by a success, logins from unfamiliar locations or devices, and unexpected privilege or configuration changes.

It is up to the teams investigating those logs and alerts to document what they found, who reviewed it, and what was decided, so that regulators can follow the trail later.

The SEC's 2026 Examination Priorities call out how firms operationalize threat intelligence. The point is that collecting data is not enough; firms also need to show what they do with it. AI-assisted tools increasingly help security teams triage and act on event data more efficiently, but the resulting decisions still have to be recorded.

Demonstrating an Effective Incident Response Program

To evaluate the effectiveness of an incident response program, regulators look for defined roles and escalation paths, clearly defined response timelines, and well-documented procedures. They’ll also review incident records to evaluate how a company detects anomalies, contains threats, and plans remedial actions to safeguard client data and restore operations after an event.

In keeping with the SEC’s tightening focus on cybersecurity, Regulation S-P expands expectations for incident response and the notification of impacted parties, such as customers.

The compliance date for larger entities was December 2025; for smaller entities it is June 2026. A structured approach to the incident response lifecycle gives firms a head start on meeting these requirements.

Vendor Risk Management in SEC Examinations

Third-party involvement in breaches doubled from the 2024 to the 2025 Verizon report. Because of these expanding supply chain risks, regulators are taking a closer look at how firms manage third-party risk.

Accordingly, examiners may request written assessments of any perceived risks posed by outside vendors. They may also look for SOC 2 reports, security questionnaires for partners, and contractual language designed to mitigate third-party risks.

Remember, it is up to your firm to stay on top of how vendors and partners handle sensitive client data. Regulation S-P requires incident response programs to address not just internal systems but the service provider relationships through which customer information flows, including due diligence and ongoing monitoring of those providers.

How RIAs Can Prepare for SEC Cybersecurity Examinations

To prepare for an SEC cybersecurity exam, first ensure your firm has event-logging procedures and monitoring systems in place. But logs are only as good as your system for storing and retrieving them. So, next, confirm that you have centralized reporting systems and procedures in place.

Review and test your incident response procedures regularly. Document the results and use the findings to update your procedures. Also, document any alert investigations. And since you are responsible for how your vendors handle your client and other sensitive data, you’ll need to maintain clear, up-to-date records of vendor oversight.

Finally, keep in mind that SEC regulations and enforcement priorities change over time. Keep up with regulatory requirements and regularly update your processes, systems, and training programs. Look for the latest SEC thinking on cybersecurity at sec.gov.

Preparing for SEC Cybersecurity Examinations

Preparation for SEC cybersecurity examinations puts RIAs to the test by requiring them to demonstrate how they engage in active cybersecurity oversight. They can’t just present nicely worded, well-organized procedures and call it a day. And that’s all to the good. Besides keeping regulators happy, a mature cybersecurity program also helps you better serve your clients and increase their peace of mind.

Contact us to learn how to establish and maintain a robust cybersecurity program that meets regulatory requirements and protects client data.
