When an SEC examiner turns to cybersecurity, the firms that struggle are not usually the ones with weak technology. They are the ones that cannot produce evidence on demand. The answer to “tell me about your cybersecurity program” should not be a conversation. It should be a folder — organized, dated, and mapped to the rules.
This article is the consolidated version of something that appears at the end of nearly every assessment I write: the list of documents a firm should be able to hand over without scrambling. It is organized by the obligation each item supports, because an examiner is not collecting paper for its own sake. Every request is testing whether a control exists, operates, and can be proven.
Governance and the Compliance Program (Rule 206(4)-7)
These documents establish that a real, maintained compliance program exists.
- The written cybersecurity policies and procedures manual, dated and approved
- The most recent annual 206(4)-7 review, with documented findings and the changes made in response
- Evidence that the review actually occurred — not a template, but the specific discussions, decisions, and outcomes tied to the firm
- The firm’s risk assessment, identifying the risks the program is designed to address
- Records showing who owns the program and who approved material changes
The recurring failure here is the templated, non-substantive review. The SEC has a well-developed sense for documentation that was generated to satisfy the rule rather than to run the firm. The review has to read like the firm actually examined itself.
Safeguarding Customer Information (Regulation S-P)
These documents prove the firm protects customer information and is ready for the amended rule’s incident-response and notification obligations.
- The written incident response program addressing assessment, containment, notification determination, and post-incident review
- Documentation of the firm’s data classification and the definition of sensitive customer information it uses
- Evidence of safeguards: access controls, encryption, and the technical protections the policy claims
- The disposal procedure for customer information no longer needed
- For any past incident: the determination record, customer notices and delivery confirmations, and the 30-day timeline
Vendor and Service-Provider Oversight
Vendor oversight is now a primary exam focus, and outsourcing a function does not outsource the obligation.
- A vendor inventory, ideally tiered by access to client data or funds
- Completed due-diligence questionnaires for critical vendors, with review dates
- SOC 2 reports or equivalent assurance on file
- Contract language requiring service providers to notify the firm of a breach — the amended Reg S-P standard is no later than 72 hours
- Evidence of ongoing monitoring, not just point-of-onboarding diligence
- Documentation of follow-up where a vendor’s responses raised concerns
The contract clause is the item most often missing. Most existing MSP master service agreements do not contain a 72-hour breach notification clause, and amending them is itself a 206(4)-7 vendor-oversight artifact.
Books and Records (Rule 204-2)
- Evidence that cybersecurity compliance records — incident reports, annual review materials, policy approvals, access reviews, remediation records — are retained for the five-year period
- A consistent naming and dating convention so any artifact can be located and produced quickly
- The written procedure for preserving investigation records
Identity Theft Prevention (Regulation S-ID)
- The written Identity Theft Prevention Program, if the firm maintains covered accounts
- The documented assessment of whether the firm has covered accounts, reviewed periodically
- Evidence that the Red Flags program reflects current cyber-era threats and has been updated
Technical Evidence
This is where many firms discover the gap between “we have controls” and “we can prove it.” Depending on the environment, an examiner may ask to see:
- Multi-factor authentication enforcement evidence and Conditional Access policy reports
- Privileged-role assignments and access reviews
- Email security configuration — anti-phishing and impersonation protection, Safe Links and Safe Attachments, and SPF, DKIM, and DMARC records
- Endpoint protection coverage reports
- Data loss prevention policy documentation and a sample of logged events
- Audit log retention settings and sample audit log searches
- Internal and external vulnerability scan reports, with remediation tracking
- The written risk and threat assessment
- Recent alert-review evidence showing someone actually reviews what the tools produce
The last item is the quiet trap. A tool that is licensed and deployed but unmonitored is not a control. “We have logging” is a different answer from “here is the log review from last quarter, and here is what we did about the anomaly we found.”
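The email-authentication line in the list above (SPF, DKIM, DMARC) is one of the few items an IT team can turn into a dated evidence artifact with a few lines of code rather than a screenshot. The script below is an added example, not from the original article or any product it mentions: it evaluates the three DNS TXT records for a domain and emits a timestamped pass/warn/fail record suitable for the exam folder. The domain name, DKIM selector and TXT record contents are constructed sample values so it runs offline; in practice the records would be pulled from DNS (for example with dig TXT) and passed in.

```python
"""Evaluate SPF, DKIM and DMARC TXT records and produce a dated evidence record.

Added example (not the article's own tooling). All records below are
CONSTRUCTED sample data for a hypothetical domain so the script runs offline.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample TXT records for the hypothetical domain "example-adviser.test".
SAMPLE_TXT = {
    "example-adviser.test": [
        "v=spf1 include:spf.protection.outlook.com -all",
    ],
    "_dmarc.example-adviser.test": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example-adviser.test; pct=100",
    ],
    # Assumed selector name; the public key value is a placeholder, not a real key.
    "selector1._domainkey.example-adviser.test": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC_PLACEHOLDER",
    ],
}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # maxsplit keeps '=' padding in base64 keys
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records):
    """Exactly one SPF record is allowed, and it should end with a -all or ~all term."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"status": "FAIL", "detail": "no SPF record published"}
    if len(spf) > 1:
        return {"status": "FAIL", "detail": "multiple SPF records (receivers treat this as a permanent error)"}
    if re.search(r"\s-all\s*$", spf[0]):
        return {"status": "PASS", "detail": "hard fail (-all) for unauthorised senders"}
    if re.search(r"\s~all\s*$", spf[0]):
        return {"status": "WARN", "detail": "soft fail (~all); consider -all once DMARC reports are clean"}
    return {"status": "FAIL", "detail": "record has no -all/~all terminator"}


def check_dmarc(records):
    """DMARC must exist with an enforcing policy; p=none is monitoring only."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"status": "FAIL", "detail": "no DMARC record at _dmarc subdomain"}
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    reporting = "rua present" if tags.get("rua") else "no rua (aggregate reports not collected)"
    if policy in ("quarantine", "reject"):
        if tags.get("pct", "100") != "100":
            return {"status": "WARN", "detail": f"p={policy} applied to only pct={tags['pct']}%; {reporting}"}
        return {"status": "PASS", "detail": f"p={policy}; {reporting}"}
    if policy == "none":
        return {"status": "WARN", "detail": f"p=none is monitor-only, not enforcement; {reporting}"}
    return {"status": "FAIL", "detail": f"missing or invalid policy tag p={policy!r}"}


def check_dkim(records):
    """A DKIM key record needs a non-empty p= tag; an empty p= means the key was revoked."""
    keys = [parse_tags(r) for r in records]
    keys = [t for t in keys if "p" in t and t.get("v", "DKIM1").upper() == "DKIM1"]
    if not keys:
        return {"status": "FAIL", "detail": "no DKIM key record at the selector"}
    if not keys[0]["p"]:
        return {"status": "FAIL", "detail": "DKIM key revoked (empty p= tag)"}
    return {"status": "PASS", "detail": f"key published, k={keys[0].get('k', 'rsa')}"}


def evaluate_domain(domain, txt_records, selector="selector1"):
    """Build the dated evidence record an examiner could be handed."""
    return {
        "domain": domain,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "spf": check_spf(txt_records.get(domain, [])),
        "dmarc": check_dmarc(txt_records.get(f"_dmarc.{domain}", [])),
        "dkim": check_dkim(txt_records.get(f"{selector}._domainkey.{domain}", [])),
    }


if __name__ == "__main__":
    # Run against the constructed sample; save the JSON output alongside the dated dig output.
    print(json.dumps(evaluate_domain("example-adviser.test", SAMPLE_TXT), indent=2))
```

The point of the collected_at field is the one the article keeps returning to: the artifact has to show the control existed at a given time, so store the script output together with the raw dig output from the same run rather than a screenshot of a vendor dashboard taken later.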
Training and Awareness
- Security awareness training records, including completion by employee
- Evidence that training tests behavior, not just attendance
- Documentation of follow-up for employees who fall behind or fail simulations
The Organizing Principle
Across every category, the examiner is asking one underlying question: can you demonstrate that the control existed and operated, with evidence, at the time it mattered? If a firm cannot produce objective proof that a control was in place and functioning, the working assumption is that it was not.
The practical takeaway for a CCO is to assemble this folder before it is requested — not the week the exam letter arrives. A program that can produce these documents on demand is, almost by definition, a program that is actually being run. That is the distinction the SEC is testing for.
If you want a clear-eyed read on whether your firm could produce this folder today — and where the gaps are — that assessment is the work we do.