Report

Securing Compliance: How to Survive an SEC Cybersecurity Examination

The SEC has moved from guidance to enforcement. This report documents what examiners actually ask for — not what the agency says it cares about, but the specific documentation requests firms receive before an exam begins.

Executive Summary

The compliance landscape has changed

Cybersecurity compliance is no longer a technical checkbox — it is a regulatory obligation with direct consequences for examination outcomes, investor confidence, and firm continuity. The SEC has moved from issuing guidance to citing deficiencies and, in an increasing number of cases, bringing enforcement actions.

CCOs are expected to speak fluently about cybersecurity risk without technical training. IT managers are juggling infrastructure with audit prep, often without dedicated support. Managing partners face questions from LPs, boards, and insurers that require defensible, documented answers.

This report was written to address a specific problem: most public regulatory guidance does not match what examiners actually ask for when they arrive. The gap between the SEC's published expectations and the documentation requests firms receive in practice is real, and it is where most deficiency findings originate.

Overview of the regulatory framework

The following rules form the primary cybersecurity compliance obligations for SEC-registered investment advisers.

Rule 206(4)-7 — The Compliance Program Rule

Often called the compliance rule, Rule 206(4)-7 requires each SEC-registered investment adviser to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules — including cybersecurity. Firms must conduct an annual review of the adequacy and effectiveness of those policies and designate a Chief Compliance Officer responsible for administering the program. The SEC interprets this rule as requiring robust cyber controls and risk management practices even though it does not mention cybersecurity by name.

Regulation S-P — Privacy & Safeguards Rule

Regulation S-P requires advisers to adopt written policies and procedures to protect the confidentiality of customer records and information, and to implement administrative, technical, and physical safeguards against unauthorized access. The 2024 amendments — compliance dates of December 3, 2025 for large advisers and June 3, 2026 for smaller advisers — added a written incident response program, a 30-day customer notification requirement for breaches involving nonpublic personal information, and expanded written oversight requirements for service providers.

Regulation S-ID — Identity Theft Red Flags

Regulation S-ID requires RIAs that qualify as financial institutions or creditors with covered accounts to develop and implement a written Identity Theft Prevention Program. The program must identify, detect, and respond to red flags that could indicate identity theft and must be updated periodically. Examiners focus on whether the adviser has assessed which red flags are relevant to its business model and whether staff are trained to recognize them.

Rule 206(4)-9 — Cybersecurity Risk Management (Withdrawn)

The SEC withdrew this proposed rule in June 2025. It is noted here because its core requirements — vendor oversight, breach response protocols, and cybersecurity governance documentation — remain embedded in examination procedures and examiner expectations regardless of the rule's withdrawal. Firms that structured programs around the proposed rule's requirements are in a stronger examination position than those that did not.

Part Two

What examiners actually ask for

The following documentation categories are drawn from examination request lists compiled across multiple SEC examinations of registered investment advisers. These are not the categories the SEC describes in published guidance — they are the items that appear in the request lists firms receive before an examiner arrives.

Policies and procedures

Examiners request the most recent version of all written compliance and operational policies and procedures, including any amendments related to cybersecurity or safeguarding client NPI. They specifically ask for policies governing remote access and device management, data protection both at rest and in transit, patch management and software updates, access controls and privilege management, and vendor oversight for third parties with network or data access.

Asset and environment documentation

Firms are asked to provide evidence that physical devices and systems are inventoried, that software platforms and applications are tracked, and that network maps documenting connections and data flows — including where customer data is housed — are maintained and current.

Access controls and user management

Examiners request current documentation of employee and contractor access rights, including access levels and authorization records. They ask for records of access changes — expansions, reductions, and terminations — including the date, the reason, and who authorized each change.

Incident response

The examination request asks for the firm's written incident response plan, including named roles, decision triggers, and notification steps for clients, regulators, law enforcement, and insurers. Firms are also asked for logs of any incidents that occurred during the examination period, including dates, nature of the incident, and response actions taken.

Training records

Examiners ask for documentation that cybersecurity awareness training was provided to all staff and contractors. Requests specify dates, topics covered, and which employee groups participated in each training event. Phishing simulation results are increasingly included in these requests.

Vendor management

Firms must produce a vendor inventory listing all third parties with access to the firm's network, systems, or data. For each vendor, examiners want a description of the services provided, whether the vendor has access to client NPI, and whether the firm has an executed contract addressing the vendor's cybersecurity and safeguarding practices.

Business continuity and disaster recovery

Examiners request the firm's written business continuity plan, with specific attention to how the plan addresses recovery from a cybersecurity incident. They ask whether the plan has been tested, when the most recent test occurred, and what the documented recovery time and recovery point objectives are.

Cyber insurance

Firms are asked whether they maintain cyber insurance, the name of the carrier, the policy limits, and whether the policy covers events affecting client data. Examiners also ask how the firm would activate coverage in the event of an incident.

Annual review documentation

The examination request specifically asks for evidence of the annual compliance review — the memo or report documenting what was tested, what the results were, what incidents occurred during the period, what policy changes were made, and what remediation actions were assigned with owners and due dates.

Part Three

A full examination notice

The following is a reproduction of an SEC examination notice and information request list sent to a registered investment adviser in March 2023. Names and identifying information have been redacted. It is included here because the gap between regulatory guidance and examination reality is best understood by reading what the SEC actually sends.

The notice requests documentation across seventeen numbered categories, including organization charts, supervised person lists, compliance policies and procedures, cybersecurity and safeguarding policies, training records, access rights documentation, vendor lists, and incident history. Several requests carry specific date ranges — in this case, January 1, 2022 through the examination date.

Key observations from the 2023 request list:

The full text of this examination notice, including the complete information request list, is available in the downloadable PDF.

Summary

Core SEC documentation requirements

The following artifacts represent the minimum documentation set an SEC-registered adviser should maintain. Each item corresponds to one or more categories in a typical examination request list.

| Document | Rule | Examiner expectation |
| --- | --- | --- |
| Written cybersecurity policies and procedures | Rule 206(4)-7 | Current version with dated revision history |
| Annual compliance review memo | Rule 206(4)-7 | Tests performed, results, remediation with owners and dates |
| Incident response plan | Reg S-P, Rule 206(4)-7 | Named roles, decision triggers, notification steps, test records |
| Training records | Rule 206(4)-7 | Dates, topics, participant groups, completion rates |
| Vendor inventory and contracts | Reg S-P (2024) | List of all vendors with NPI or network access; executed contracts |
| Access rights documentation | Rule 206(4)-7 | Current access list plus history of changes with authorization |
| Asset and network inventory | Rule 206(4)-7 | Devices, software, data flows, and where NPI is stored |
| Business continuity plan | Rule 206(4)-7 | Cybersecurity incident coverage, test records, RTO/RPO |
| Identity theft prevention program | Reg S-ID | Written program with red flags relevant to the firm's accounts |

Download the full report

Enter your email to receive the PDF. The same address subscribes you to BrainTrust Free — the newsletter, the starter template library, and the compliance calendar.
