Exam Readiness

When the exam notice arrives, the work is already done — or it isn't.

An SEC cybersecurity examination is not a test you can study for in the two weeks between the notice and the document deadline. By the time the request list lands, the examiner is asking for records that were supposed to exist throughout the year. Either the firm has them — dated and consistent — or it is assembling them under a clock. And assembled-under-a-clock is exactly what an examiner is trained to recognize.

The Standard

What an SEC cybersecurity examination covers

The Division of Examinations does not examine cybersecurity as a standalone subject. It examines whether your cybersecurity program satisfies the obligations you already carry as a registered adviser. Cybersecurity is the lens; these rules are the substance.

Full detail on each: Cybersecurity Regulations Reference →

The Request List

The document request list

When the staff asks about cybersecurity, the right answer is a folder, not a conversation. The recurring categories include the written information security policy, the incident response plan, evidence of the annual review, the vendor inventory and due-diligence files, access-control and MFA records, training records, and any incident documentation from the review period. The firms that struggle are not the ones missing a policy — almost everyone has a policy. They are the ones who cannot produce the evidence that the policy was followed in practice.

What an SEC Examiner Actually Asks For: The Cybersecurity Document Request List →

The five evidence categories examiners expect

  1. A dated, version-controlled policy with a clear revision history — not a document with no last-reviewed date.
  2. An annual review memorandum, signed by the CCO, documenting scope, findings, and remediation status (Rule 206(4)-7).
  3. A configuration baseline and drift evidence — proof the production environment matches the documented security posture, not just a description of intent.
  4. An incident log and notification records covering the retention period, with timestamps demonstrating the Regulation S-P 30-day window would be met.
  5. A vendor inventory and completed due-diligence questionnaires showing third parties with access to customer information are tracked and reviewed.

If answering "when was this last reviewed, and what changed?" requires a phone call to the managed service provider (MSP), the program is paper-only — and an examiner will find that out.

Recurring Gaps

Where firms fall short

How MTradecraft Prepares a Firm

Assessment, plus a year of maintained evidence

Exam readiness is the product of an assessment plus a year of maintained evidence. The Cyber Risk & Vulnerability Threat Assessment (CRVT) is the flagship one-time engagement: external attack surface mapping, internal vulnerability scanning, a Microsoft 365 / Azure configuration audit, OSINT and breach-exposure analysis, and a policy review — combined into a single examination-ready report with regulatory mapping, an evidence archive, and a remediation roadmap.

What a Cyber Risk Vulnerability Threat Assessment Actually Involves →

For firms that want the file kept current year-round rather than rebuilt before each exam, the Cyber Compliance Consultant and Remote CISO engagements maintain the program on an annual cadence.

Common Questions

Frequently asked questions

How long does an RIA have to respond to an SEC cybersecurity exam document request?

Typically a matter of weeks from the examination notice. The practical point is that the records are expected to have existed throughout the review period, not to be created in response to the request — examiners are trained to recognize documentation generated to satisfy a request rather than to run the firm.

What documents does the SEC request in a cybersecurity exam?

Commonly the written information security policy, the incident response plan, evidence of the annual Rule 206(4)-7 review, the vendor inventory and due-diligence files, access-control and MFA records, training records, and any incident documentation from the review period.

What is the most common cybersecurity deficiency the SEC finds?

Programs that exist on paper but cannot produce evidence the controls were actually in force. Most firms have a policy; far fewer can show dated reviews, configuration baselines and drift reports, incident logs, and completed vendor due diligence that prove the policy was followed in practice.

Next Step

Tell us what's driving the timing — and we'll tell you which engagement fits.

An exam notice, an insurance renewal, a custodian attestation — every engagement starts with a real trigger. The first call is twenty minutes and there is no obligation on either side.

Click here to start a conversation →