What the manual needs to cover, how to structure it, and the evidence it must generate — for the person responsible for building or maintaining a defensible cybersecurity compliance program at an SEC-registered adviser. The full working template is available to BrainTrust Premium subscribers.
Rule 206(4)-7 requires every SEC-registered investment adviser to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. The cybersecurity policies and procedures manual is the foundational evidence that this obligation has been met.
When an SEC examiner arrives, the P&P manual is the first document requested. Every other examination item — training records, vendor files, incident logs, access rights documentation, the annual review memo — is evaluated against what the manual says the firm does. A manual that does not match how the firm actually operates is worse than no manual, because the gap between policy and practice is itself a deficiency finding.
The manual is also the document most likely to be out of date. The 2024 Reg S-P amendments added a written incident response program, a customer notification obligation (as soon as practicable, and no later than 30 days after the firm becomes aware of a breach), and expanded service provider oversight requirements. Those amendments carry compliance dates of December 3, 2025 for larger entities and June 3, 2026 for smaller entities; once the applicable date has passed, a firm whose manual predates the amendments is out of compliance even if its operational controls are strong.
A compliant cybersecurity P&P manual for an SEC-registered adviser is not a single document — it is a policy suite. Each policy is short (three to five pages is the right size), covers a defined area, and is accompanied by a one-page procedure explaining who does what, how often, and where evidence is stored. Screenshots, checklists, and templates belong in appendices, not in the policy body.
The following sections represent the required coverage for a manual that will hold up under examination.
The governance section names the program owner by title, defines that person's authority, describes the reporting structure, and documents the escalation path for urgent decisions. It is the charter that the mock audit and the Blueprint reference. Without it, the examiner cannot determine who is accountable for the program.
The risk assessment section describes the firm's methodology for identifying, rating, and tracking cybersecurity risks. It must state how the assessment is conducted, how often, who is responsible, and where the results are documented. Because the 2024 Reg S-P amendments require the incident response program to include procedures for assessing the nature and scope of an incident, a documented risk assessment is effectively a prerequisite for that program: the firm cannot assess scope against an inventory of systems and data it has never written down.
The access control section covers how access to systems, data, and privileged functions is granted, reviewed, and revoked. It must address multi-factor authentication requirements, the onboarding and offboarding process for users, how access changes are authorized and documented, and the review cadence for privileged accounts. This section maps directly to the access rights documentation request that appears in every examination request list.
The data protection section addresses how the firm protects nonpublic personal information (NPI) at rest, in transit, and at disposal. It must incorporate the 2024 Reg S-P amendments: the written incident response program, the customer notification requirement for breaches involving NPI (no later than 30 days after the firm becomes aware of the unauthorized access or use), and the service provider oversight obligations. It must also address encryption standards, remote device management, and data retention and destruction.
The incident response section documents the firm's written incident response plan: the stages of response, named roles, decision triggers, notification steps for clients and regulators, and the testing cadence. Under the 2024 Reg S-P amendments the incident response program must be written and must address unauthorized access to customer information held by service providers, not only information held at the firm itself.
The vendor management section describes the vendor inventory process, how vendors are tiered by risk, what security artifacts are collected at onboarding and annually, what contract clauses are required for vendors with NPI or network access, and how vendor access is monitored. Under the 2024 Reg S-P service provider oversight requirements, written contracts with security obligations are no longer optional for vendors that touch customer information, and those obligations must include a requirement that the vendor notify the firm of a breach as soon as possible and no later than 72 hours after becoming aware of it, so that the firm's own 30-day customer notification clock can be met.
The acceptable use and training section covers acceptable and prohibited use of firm systems, personal devices, cloud services, and AI tools. It defines the training program structure: who is required to complete training, how often, what topics are covered, and how completion is documented. The technology use policy is a separate document that every employee must acknowledge in writing; the signed acknowledgement page is an examination artifact.
The patch management section defines patch timelines (48 hours for critical vulnerabilities is the target most examination-ready programs adopt; monthly for non-critical), describes how patch status is tracked and documented, and addresses how the firm handles systems that cannot be patched (compensating controls, documented exceptions, and an owner for each). Many firms rely on their MSP for patching but cannot produce the documentation; the manual must describe how that evidence is obtained from the MSP and retained by the firm.
The business continuity section documents the firm's continuity plan for cybersecurity incidents, not just natural disasters or operational disruptions. It must address recovery time objectives (RTO) and recovery point objectives (RPO), the backup testing cadence, and how clients are notified if a cybersecurity incident affects service delivery.
The recordkeeping section describes the firm's document retention structure, naming conventions, and evidence archive. This section is what makes the rest of the manual operational: it defines where everything lives and how long it is kept. Without it, the evidence generated by other program activities cannot be produced on demand during an examination.
The AI governance section addresses how AI tools are approved for use, which categories of AI use are permitted and prohibited, how AI-generated content is reviewed and retained under Rule 204-2, how AI vendors are handled under the service provider oversight requirements of Reg S-P, and where the firm's AI governance documentation lives. This is a new section, required for any firm that has deployed AI tools in client-facing or compliance-sensitive workflows.
A manual that was accurate when written but has not been updated is a liability. SEC examiners specifically ask for revision history and the dates of updates. Two practices keep a manual defensible over time.
Separate what changes from what stays the same. Policy language (the principles, the requirements, the standards) changes infrequently and should live in versioned documents with dated approval records. Evidence (completed checklists, training logs, vendor questionnaires, scan reports) changes constantly and should live in a structured archive alongside the policies it supports. Mixing the two makes both harder to maintain and harder to produce on demand.
The annual compliance review required by Rule 206(4)-7 is the natural moment to review and update the manual. The review memo documents what was tested, what changed, and what was updated. Tying manual revisions to the annual review creates a documented cycle: new regulations get incorporated, outdated sections get corrected, and the revision history accumulates year by year.
Firms whose manuals predate the 2024 Reg S-P amendments should verify the following are now addressed: the written incident response program is in place and documented, the 30-day customer notification process is defined, service provider contracts for vendors with NPI access include security and notification obligations, and the expanded scope of covered information (including information received from other financial institutions) is reflected in the data protection policy.
The MTradecraft Cybersecurity Policies and Procedures Template is a complete, working document structured for an SEC-registered investment adviser. It covers all sections described above, includes procedure language for each policy area, and incorporates the 2024 Reg S-P amendments throughout.
BrainTrust Premium subscribers also receive the Reg S-P Revised version, which restructures the data protection and incident response sections to the new requirements and includes updated service provider contract language.
| Template section | Free | BrainTrust Premium |
|---|---|---|
| Section structure and table of contents | ✓ This page | ✓ |
| Full policy language for all sections | — | ✓ |
| One-page procedures for each policy area | — | ✓ |
| Control-to-policy mapping worksheet | — | ✓ |
| Evidence archive naming guide | — | ✓ |
| Reg S-P 2024 revised version | — | ✓ |
| AI governance section (2026) | — | ✓ |
BrainTrust Premium includes the complete Cybersecurity Policies and Procedures Template, the Reg S-P revision, the AI governance section, the Incident Response Plan, and the full library of compliance documents — for $2,500 per year.
View BrainTrust Premium