A three-phase operations guide for the person responsible for running cybersecurity compliance at an SEC-registered adviser — whether that is the CCO, IT lead, or COO. Covers what to do first, how to operate the program at steady state, and how to raise maturity over time.
Getting cybersecurity right is a regulatory imperative. The SEC expects written, tailored policies and procedures, annual reviews, and clear authority to oversee and enforce them. This blueprint is written for the person named in your firm's policies and procedures manual as the primary cybersecurity program owner — sometimes the CCO, but often an operations lead, IT manager, or COO.
It is equally useful if you are brand new and need to quickly understand what you have inherited, or if you are designing a program from the ground up following growth, a merger, or a provider change.
- Newly appointed program owners who need to understand the current environment and stabilize it fast.
- Managers inheriting responsibility from an MSP or a departing colleague.
- Teams building a program from the ground up after growth, a merger, or a provider change.
Focus on core mandates, highest-impact risks, and fast evidence creation. Phase 1 deliverables are the minimum viable compliance program — the documentation any examiner will request on day one.
Draft a one-page charter describing authority, scope, decision rights, and reporting lines, and have it acknowledged in leadership minutes. Create a RACI matrix for key activities — risk assessment, policy ownership, incident response, vendor reviews, training, and the annual review. Publish an escalation path for urgent issues. Set a quarterly operating cadence with standing reviews for risk, vendors, and training.
The knowledge every program owner must have: the regulations and their specific requirements, the firm's IT infrastructure and how data flows through it, conflicts of interest and how they are managed, the compliance and operations systems in use, existing policies and procedures, and the firm's culture and executive tone on cybersecurity.
Scope the environment by listing business processes, client data flows, and critical applications. Inventory assets — endpoints, servers, cloud services, third-party tools, and privileged accounts. Map where nonpublic information lives, who can access it, and why. Identify threats and control gaps, assign a likelihood and impact rating to each risk, and write a short report covering the top risks, current controls, and remediation actions with owners and due dates.
Start with a concise policy suite covering acceptable use, access control, data protection, device management, patch management, incident response, vendor management, training, books and records, and business continuity. For each policy, add a one-page procedure explaining who does what, how often, and where evidence is stored. Create a control-to-policy map so each control has a policy reference and an evidence location.
Keep core policies short — three to five pages — and move screenshots, checklists, and templates to appendices. Adopt standard settings where possible: MFA required for all remote access, encryption enabled on all laptops, screens lock after ten minutes, critical patches within 48 hours. BrainTrust Premium subscribers can download the full Cybersecurity Policies and Procedures template, including the Reg S-P revision.
Define stages: detect, triage, contain, eradicate, recover, and review. Publish an on-call list with backups and an internal communication channel for use during incidents. Create two-page runbooks for common scenarios — phishing and account takeover, lost laptop, ransomware, vendor breach. Include notification triggers and timing for clients, regulators, law enforcement, and insurers. Keep a printed copy and an offline copy on encrypted media. Decide now which outside counsel and forensics firm you would call; their contacts belong in the plan.
Assign onboarding modules to all staff and contractors who access systems or data. Focus on phishing identification, safe data handling, device security, and incident reporting. Track completion and send automatic reminders. Capture attendance reports and store them as evidence. FieldCraft, available to BrainTrust members, automates this work for firms that need a turnkey solution.
Create a top-level folder structure: Governance, Policies, Risk Assessments, Training, Vendors, Incidents, Reviews, Evidence. Adopt a consistent naming convention — YYYY-MM-DD_Category_DocumentName_Version. Enable immutable logging where feasible and restrict who can delete records. Use checklists for each activity and save completed checklists alongside the evidence they document.
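The naming convention and the "restrict who can delete records" point above can be enforced in code rather than by policy alone. The following is an added example, not part of the original guide: it validates evidence filenames against the `YYYY-MM-DD_Category_DocumentName_Version` pattern and keeps a hash-chained manifest so that a deleted or altered entry is detectable at the next review. Assumptions that are mine, not the guide's: category tokens are the eight top-level folder names with spaces removed (so `RiskAssessments`), the version is written `v` followed by digits, and the manifest is held as an in-memory list (a real deployment would write it to storage that ordinary users cannot delete from).

```python
"""Evidence-file naming check and tamper-evident manifest (added example)."""
import hashlib
import json
import re
from datetime import date

# Top-level folders from the guide, written as single tokens (assumption).
CATEGORIES = {"Governance", "Policies", "RiskAssessments", "Training",
              "Vendors", "Incidents", "Reviews", "Evidence"}

# YYYY-MM-DD_Category_DocumentName_vN with an optional extension (assumption: "vN").
NAME_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})_"
    r"(?P<category>[A-Za-z]+)_"
    r"(?P<document>[A-Za-z0-9-]+)_"
    r"v(?P<version>\d+)"
    r"(?P<ext>\.[A-Za-z0-9]+)?$"
)


def validate_evidence_name(name):
    """Return a list of problems; an empty list means the name is compliant."""
    m = NAME_RE.match(name)
    if not m:
        return ["does not match YYYY-MM-DD_Category_DocumentName_vN[.ext]"]
    problems = []
    try:
        date.fromisoformat(m.group("date"))  # rejects month 13, day 32, etc.
    except ValueError:
        problems.append(f"invalid date {m.group('date')}")
    if m.group("category") not in CATEGORIES:
        problems.append(f"unknown category {m.group('category')}")
    return problems


def _entry_hash(prev_hash, record):
    # Each entry's hash commits to the previous hash and to its own record.
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_evidence(manifest, name, content):
    """Append a record for one file; refuses non-compliant names.

    Removing or editing an earlier entry changes every later hash, so the
    chain is tamper-evident even if someone has write access to the files.
    """
    problems = validate_evidence_name(name)
    if problems:
        raise ValueError(f"{name}: " + "; ".join(problems))
    prev_hash = manifest[-1]["hash"] if manifest else "0" * 64
    record = {
        "seq": len(manifest),
        "name": name,
        "sha256": hashlib.sha256(content).hexdigest(),
    }
    entry = dict(record, prev=prev_hash, hash=_entry_hash(prev_hash, record))
    manifest.append(entry)
    return entry


def verify_manifest(manifest):
    """Recompute the chain; return (True, None) or (False, reason)."""
    prev_hash = "0" * 64
    for i, entry in enumerate(manifest):
        record = {k: entry[k] for k in ("seq", "name", "sha256")}
        if entry["seq"] != i:
            return False, f"gap or reorder at position {i}"
        if entry["prev"] != prev_hash:
            return False, f"entry {i} does not chain to its predecessor"
        if entry["hash"] != _entry_hash(prev_hash, record):
            return False, f"entry {i} has been altered"
        prev_hash = entry["hash"]
    return True, None


if __name__ == "__main__":
    manifest = []
    # Constructed sample files; the byte strings stand in for real documents.
    append_evidence(manifest, "2024-03-15_Training_PhishingCompletion_v1.pdf", b"report")
    append_evidence(manifest, "2024-04-01_Reviews_AnnualReviewMemo_v2.docx", b"memo")
    print(verify_manifest(manifest))
    del manifest[0]  # simulate a deleted record
    print(verify_manifest(manifest))
```

Run the manifest check as part of the quarterly cadence and file its output with the other review evidence; a failed verification is itself a finding to document.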
Move from setup to steady-state operations. Phase 2 is about maintaining the program through repeatable rhythms — the annual review, vendor management, tabletop testing, ongoing training, and disclosure management.
Define the review period and scope. Sample controls from each policy area. Test effectiveness: spot-check MFA coverage, patch timelines, privileged access reviews, and incident drills. Write a memo summarizing tests performed, results, incidents, and policy changes, and listing remediation actions with owners and dates. Schedule the review in the same month every year. Have an independent colleague or outside adviser sanity-check the memo before it is finalized.
Build a vendor inventory with services provided, data accessed, and system connections for each vendor. Tier vendors by risk — require higher assurance from those with NPI or network access. Collect security artifacts during onboarding and annually thereafter: security questionnaires, summaries of independent assessments, and key contract clauses on security obligations, breach notification, and audit rights. Monitor access logs for unusual vendor activity. Keep a one-page vendor profile for each provider and set a calendar reminder 45 days before contract renewals to complete annual due diligence.
Run at least one tabletop exercise per year using a realistic scenario for your firm type. Test backups and document restore times; compare results to recovery time and recovery point objectives. Update the business continuity plan to reflect lessons learned and current work patterns. Invite a business leader to the tabletop so decisions and tradeoffs are validated. Capture a short after-action report with specific improvements and deadlines.
Set an annual curriculum with quarterly refreshers and targeted modules for higher-risk roles. Run periodic phishing simulations and provide immediate feedback. Track completion and performance metrics and report them quarterly to leadership. Rotate topics based on recent incidents and observed gaps.
Maintain dated copies of privacy notices and any cybersecurity-related client communications. Document significant incidents, lessons learned, and any updates to policies and procedures. Prepare a short summary for inclusion in required disclosures as applicable under current rules — what happened, impact, response, improvements made, and date.
Review coverage annually with your broker. Confirm limits, retentions, and exclusions align to your top risks. Map policy conditions to your controls — for example, MFA requirements that must be met to preserve coverage — to avoid claim issues. Keep a one-page coverage summary in the Governance folder and update it at each renewal. Run a tabletop that includes insurance notification steps and timing.
Raise assurance and resilience as your program stabilizes. Phase 3 steps are recommended maturity investments, not baseline requirements — but they are what separates programs that pass examinations from programs that generate findings.
Schedule recurring network vulnerability scans at least annually. Track findings to closure with owners and due dates. Consider penetration testing focused on internet-facing systems and high-value targets. Implement application allow-listing to control code execution on endpoints and servers.
Enable alerts for suspicious logins, privilege changes, and unusual data access. Review privileged access monthly and remove unused accounts promptly. Implement intrusion detection. Maintain a monitoring playbook listing alerts, owners, and response steps. Begin with a small set of high-signal alerts and expand once the process is stable.
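The "small set of high-signal alerts" and the monthly privileged access review above can start as a script over exported sign-in logs before any monitoring product is in place. The following is an added example, not part of the original guide or any vendor's tooling. It parses constructed, key=value style log lines (my format, not a real product's), raises three alerts the paragraph names (a privilege change, a sign-in from a location not previously seen for that user, and a success following a burst of failures), and lists privileged accounts with no successful sign-in in the last 30 days as removal candidates. The thresholds (5 failures in 10 minutes, 30 idle days) and the user and location values are assumptions.

```python
"""High-signal sign-in alerts and privileged account idle review (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed key=value format; not from any real system.
LOG = """\
2024-06-03T08:12:44Z event=login user=alice result=success src=US
2024-06-03T08:15:02Z event=login user=bob result=failure src=RO
2024-06-03T08:15:10Z event=login user=bob result=failure src=RO
2024-06-03T08:15:19Z event=login user=bob result=failure src=RO
2024-06-03T08:15:27Z event=login user=bob result=failure src=RO
2024-06-03T08:15:35Z event=login user=bob result=failure src=RO
2024-06-03T08:16:01Z event=login user=bob result=success src=RO
2024-06-03T09:40:00Z event=privilege_change actor=bob user=bob role=GlobalAdmin
2024-06-04T10:02:11Z event=login user=carol result=success src=US
2024-06-28T07:55:30Z event=login user=alice result=success src=US
""".splitlines()

# Assumed baseline of locations each user normally signs in from.
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
PRIVILEGED = {"alice", "bob", "dave"}   # assumed admin-role holders
AS_OF = datetime(2024, 7, 5)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts'."""
    m = LINE_RE.match(line.strip())
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_alerts(events, known_locations, fail_threshold=5,
                  window=timedelta(minutes=10)):
    """Return (kind, timestamp, detail) tuples in chronological order."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> failure timestamps in window
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "privilege_change":
            alerts.append(("privilege_change", e["ts"],
                           f"{e['actor']} granted {e['role']} to {e['user']}"))
        elif e["event"] == "login":
            user = e["user"]
            if e["result"] == "failure":
                kept = [t for t in recent_failures[user] if e["ts"] - t <= window]
                recent_failures[user] = kept + [e["ts"]]
                continue
            # Successful sign-in: check it against the failure burst and baseline.
            if len(recent_failures[user]) >= fail_threshold:
                alerts.append(("success_after_failures", e["ts"],
                               f"{user}: {len(recent_failures[user])} failures then success"))
            if e["src"] not in known_locations.get(user, set()):
                alerts.append(("new_location", e["ts"], f"{user} from {e['src']}"))
            recent_failures[user] = []
    return alerts


def stale_privileged_accounts(events, privileged, as_of, max_idle=timedelta(days=30)):
    """Privileged accounts with no successful sign-in within max_idle of as_of."""
    last_seen = {}
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            last_seen[e["user"]] = max(e["ts"], last_seen.get(e["user"], e["ts"]))
    return sorted(u for u in privileged
                  if as_of - last_seen.get(u, datetime.min) > max_idle)


if __name__ == "__main__":
    events = [parse_line(line) for line in LOG]
    for kind, ts, detail in detect_alerts(events, KNOWN_LOCATIONS):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:24} {detail}")
    print("privileged accounts idle >30 days:",
          stale_privileged_accounts(events, PRIVILEGED, AS_OF))
```

Each alert kind maps to one row in the monitoring playbook (owner, response step, evidence location); the stale-account list is the artifact to file for the monthly privileged access review.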
Define rules for sensitive data handling and outbound sharing across email, file transfer, and removable media. Control or disable USB storage by default. Set retention and disposal standards for NPI across systems and archives. Start with monitor-only mode to baseline normal behavior before enforcing blocks.
Automate evidence capture where possible — export MFA coverage, patch status, and training completion reports monthly. Use task boards to track remediation, vendor renewals, and review cycles. Standardize templates for reviews, tabletop reports, and annual memos. Keep automation lightweight and well-documented so it survives personnel changes.
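The monthly exports this paragraph recommends only count as evidence if they show pass/fail against the firm's own standards (Phase 1 set these at MFA for all remote access and critical patches within 48 hours). The following is an added example, not part of the original guide: it scores constructed patch and account records against those standards and returns the numbers and exception lists a monthly evidence file would contain. Assumptions that are mine: the record fields, the "monthly non-critical" SLA read as 30 days, and the asset and user names, which are invented.

```python
"""Monthly patch-SLA and MFA-coverage evidence report (added example)."""
from datetime import datetime, timedelta

CRITICAL_SLA = timedelta(hours=48)      # from the guide
NONCRITICAL_SLA = timedelta(days=30)    # "monthly", assumed to mean 30 days

# Constructed records; a real run would read the patch-management export.
PATCHES = [
    {"asset": "LT-0142", "patch": "KB-critical-A", "severity": "critical",
     "available": "2024-05-02T09:00", "installed": "2024-05-03T14:00"},
    {"asset": "LT-0197", "patch": "KB-critical-A", "severity": "critical",
     "available": "2024-05-02T09:00", "installed": "2024-05-06T08:00"},
    {"asset": "SRV-01", "patch": "KB-noncrit-B", "severity": "important",
     "available": "2024-05-10T09:00", "installed": "2024-05-25T09:00"},
    {"asset": "SRV-02", "patch": "KB-noncrit-B", "severity": "important",
     "available": "2024-05-10T09:00", "installed": None},
    {"asset": "LT-0203", "patch": "KB-critical-C", "severity": "critical",
     "available": "2024-05-27T09:00", "installed": None},
]
# Constructed identity-provider export: only remote-access accounts are in scope.
ACCOUNTS = [
    {"user": "alice", "remote_access": True, "mfa": True},
    {"user": "bob", "remote_access": True, "mfa": False},
    {"user": "svc-backup", "remote_access": False, "mfa": False},
    {"user": "carol", "remote_access": True, "mfa": True},
]
AS_OF = datetime(2024, 5, 31, 23, 59)


def patch_sla_status(record, as_of):
    """Classify one record as 'met', 'late', 'open' (still within SLA) or 'overdue'."""
    sla = CRITICAL_SLA if record["severity"] == "critical" else NONCRITICAL_SLA
    deadline = datetime.fromisoformat(record["available"]) + sla
    if record["installed"] is None:
        return "overdue" if as_of > deadline else "open"
    installed = datetime.fromisoformat(record["installed"])
    return "met" if installed <= deadline else "late"


def patch_report(records, as_of):
    """Counts per status plus the exception list (asset, patch, status)."""
    counts = {"met": 0, "late": 0, "open": 0, "overdue": 0}
    exceptions = []
    for r in records:
        status = patch_sla_status(r, as_of)
        counts[status] += 1
        if status in ("late", "overdue"):
            exceptions.append((r["asset"], r["patch"], status))
    closed = counts["met"] + counts["late"]
    # SLA rate is measured over closed patches; open ones are not yet a pass or fail.
    counts["sla_rate"] = round(counts["met"] / closed, 3) if closed else None
    return counts, exceptions


def mfa_coverage(accounts):
    """Coverage rate over remote-access accounts and the users lacking MFA."""
    in_scope = [a for a in accounts if a["remote_access"]]
    gaps = [a["user"] for a in in_scope if not a["mfa"]]
    rate = round(1 - len(gaps) / len(in_scope), 3) if in_scope else None
    return rate, gaps


def monthly_evidence(patches, accounts, as_of):
    """The dict a monthly evidence file would serialize."""
    counts, exceptions = patch_report(patches, as_of)
    mfa_rate, mfa_gaps = mfa_coverage(accounts)
    return {"as_of": as_of.isoformat(), "patch": counts,
            "patch_exceptions": exceptions,
            "mfa_rate": mfa_rate, "mfa_gaps": mfa_gaps}


if __name__ == "__main__":
    import json
    print(json.dumps(monthly_evidence(PATCHES, ACCOUNTS, AS_OF), indent=2))
```

Save the output under the naming convention from Phase 1 (for example a `Evidence` category file dated the run date), and treat every entry in `patch_exceptions` and `mfa_gaps` as a remediation item with an owner and due date.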
| Item | Phase |
|---|---|
| Program owner authority documented; resources assigned | 1 |
| Initial risk assessment completed and filed | 1 |
| Core policies and procedures written, approved, and implemented | 1 |
| MFA enforced; encryption enabled for NPI at rest and in transit | 1 |
| Patch SLAs active and tracked (48 hours critical; monthly non-critical) | 1 |
| Incident response plan published; owners assigned; off-site copy stored | 1 |
| Security awareness training delivered; phishing baseline completed | 1 |
| Books and records processes live — audit trails, logs, mappings | 1 |
| Vendor inventory and due diligence framework in place | 2 |
| Annual review cadence scheduled; reporting template ready | 2 |
| Tabletop exercise completed; after-action report filed | 2 |
| Vulnerability scans scheduled; findings tracked to closure | 3 |
Cybersecurity compliance is a repeatable cycle: identify risks, set controls, train people, test and monitor, document, and improve. Start with Phase 1 to satisfy core examination expectations, lock in Phase 2 for operational resilience, and invest in Phase 3 to raise maturity over time. Keep evidence organized and dated, and align controls to your business model so your program remains right-sized and defensible.
This guide is general guidance for RIAs and does not constitute legal advice.