There’s a document request that lands at the start of almost every SEC cybersecurity examination, and it functions less as an administrative formality than as a diagnostic. The examiner wants the firm’s written incident response program, its service provider inventory, its access-control review records, evidence of annual security training, and the name of the person accountable for the firm’s cybersecurity program.
For a firm that has been investing in security leadership, those documents exist, are current, and can be produced quickly. For a firm that has not, the scramble to respond reveals exactly the gap the examiner was looking for.
Most growing RIAs sit closer to the second scenario than the first. Not because they are indifferent to security, but because the conventional staffing response to CISO-level responsibility, hiring a full-time CISO, does not fit the economics of a growing advisory practice at the stage when the regulatory obligation arrives. The fractional vCISO model exists for that gap. Understanding when the threshold gets crossed, and what it means to cross it, is a conversation most RIA principals are not having until they are already inside an exam.
What SEC Examiners Are Actually Looking For
The SEC’s Division of Examinations has named cybersecurity a priority on its annual examination agenda every year since 2014. What that means in practice has grown considerably more specific over the same period.
The SEC’s 2026 Examination Priorities focus on governance practices, data loss prevention, access controls, account management, and incident response, including ransomware preparedness. The 2026 priorities also specifically call out how firms operationalize threat intelligence and the training controls used to address AI-assisted and polymorphic malware attacks. Examiners are not checking whether policies exist on paper. They are evaluating whether a firm can show that policies were followed. The distinction matters because most deficiencies found in examinations are not missing documents. They are programs that exist in writing but cannot produce evidence that controls were actually in force.
The categories of documents examiners typically request make this concrete. They want the written information security policy, dated and reviewed within the past year. The incident response plan, with test documentation. The vendor inventory with due diligence files. Access-control and multi-factor authentication records. Employee training completion logs. And any incident records from the review period, including how the firm detected the incident, contained it, and documented its response.
This is not a checklist a compliance paralegal can assemble in a week. It is the output of a functioning security program with an accountable owner. The amended Regulation S-P, which now applies to all RIAs following the June 3, 2026, compliance deadline for smaller entities, adds specific requirements on top: a written incident response program, a 30-day client notification process when a breach occurs or is likely to have occurred, documented oversight of the service providers that access customer information, and records that demonstrate the program is operational. The 2026 exam priorities make clear that Reg S-P compliance is an active examination focus, not a future one.
When the Economics of a Full-Time CISO Don’t Add Up
The conventional answer to CISO-level security responsibility is a CISO-level hire. For a large advisory firm or a broker-dealer with several hundred employees, that is a defensible budget decision. For a growing RIA, it rarely is.
A full-time CISO in financial services commands base compensation in the range of $250,000 to $400,000, with total cash compensation often substantially higher when incentive structures are factored in, per benchmarking from Salary.com and Cybersecurity Ventures. That is before benefits, the cost of building a security function beneath that hire, and the time required for a new executive to understand the firm’s compliance profile, custodian relationships, and technology environment.
The scope of work in a growing RIA does not match that cost structure. Security leadership at a 20- to 50-person advisory practice is not a 40-hour-per-week function. It is a defined set of recurring responsibilities: risk assessments, policy governance, vendor oversight, incident response readiness, and examiner interaction. Those responsibilities require genuine expertise but not a full-time body. Paying full-time cost for part-time work volume is an allocation problem most RIAs resolve by underinvesting in the role and hoping it holds.
The result is a familiar staffing gap. Firms either assign the CISO function informally to the COO or CCO, who carries a full book of other obligations, or they leave it unowned entirely. Both approaches hold until they do not. The most common moment they stop holding is when an examiner asks who is accountable for the security program.
The Signals That Tell You the Threshold Has Arrived
RIA principals usually ask some version of the same question: “Are we large enough to need this yet?” It is the wrong frame. The threshold is not primarily determined by headcount or AUM in isolation. It is determined by the complexity and volume of the firm’s regulatory and operational exposure.
Several signals consistently indicate that a firm has crossed the line where informal security oversight is no longer adequate.
The firm has hired beyond the founding partners.
The moment client data, system credentials, and wire authorization workflows are accessible to people outside the founding team, the access-control and training requirements take on a different character. Quarterly access reviews, a formal onboarding and offboarding security checklist, and role-based permissions are not theoretical at that point. They are the specific controls an examiner will ask to see, and they require someone who owns them consistently.
The firm is using multiple custodians and third-party platforms.
Every custodian integration, portfolio management system, client portal, and reporting tool is a point in the firm’s service provider inventory. Regulation S-P now requires that firms actively oversee those vendors: assess their security practices, include data security provisions in contracts, and have a process for receiving breach notifications within timelines the firm can act on. That is ongoing work with an owner, not a one-time review.
The firm has experienced an examination, or one is approaching.
The first examination is often the forcing function. Examiners return. The follow-up cycle for firms that received a cybersecurity or Reg S-P deficiency finding is shorter than most principals expect. Building a program in response to a deficiency is significantly more expensive and disruptive than building one before the examination arrives.
High-net-worth clients are raising security questions during due diligence. As covered in The RIA’s Competitive Edge Nobody Talks About, sophisticated prospects and their advisors evaluate a firm’s security posture as part of the relationship decision. When that question comes up, and the principal cannot answer from a documented program, the answer is effectively no, and an experienced HNW client usually knows it.
The firm’s cyber insurance carrier is asking for documentation. Insurers have tightened underwriting requirements substantially. A firm that cannot produce a written information security program, evidence of multi-factor authentication deployment, and documented incident response procedures faces higher premiums, restricted coverage, or declination. The budget math on compliance versus breach exposure changes significantly when insurance no longer functions as a backstop.
What a vCISO Engagement Actually Delivers
A fractional vCISO is not a consultant who reviews documents once a year and hands back a report. The model places a senior security leader on a structured engagement, typically 10 to 40 hours per month depending on the firm’s scope, operating with the authority and accountability of the CISO role.
In the RIA context, that means a specific set of deliverables and ongoing ownership.
The engagement starts with a security risk assessment grounded in the firm’s actual environment: its systems, custodian integrations, data flows, vendor relationships, and employee access patterns. Not a generic template. A working document that maps the firm’s real exposure and produces a prioritized remediation plan with owners and target dates.
From there, the vCISO owns the written policies and keeps them current. Information security policy. Incident response plan, with an annual tabletop exercise. Acceptable use policy. Vendor security requirements. These are the documents an examiner requests, and they need to reflect the firm’s actual operating environment rather than boilerplate language that does not hold up under follow-up questions.
Vendor oversight is one of the more time-consuming recurring functions, and one that firms consistently underinvest in. The vCISO maintains the service provider inventory, reviews vendor security postures on a defined schedule, ensures contracts include appropriate data security provisions, and monitors for the breach notifications Regulation S-P now requires vendors to deliver on short timelines.
The vCISO is also the firm’s point of accountability in an examination. When the document request arrives, there is a person who owns the response, can speak to the controls with authority, and can produce evidence that the program has been operating. Not someone assembling documentation after the request was made. That distinction shows up clearly in how examinations unfold.
A mid-range fractional engagement runs approximately $6,000 per month, or $72,000 annually, as covered in Why a Fractional vCISO Costs Less Than One Security Incident. Against IBM’s reported average financial services breach cost of $5.56 million, and against the regulatory exposure of a documented Reg S-P deficiency, that is not overhead. It is the cost of owning a function the firm cannot afford to leave unowned.
The Techvera Perspective
Most of the RIA principals I work with understand the obligation they are carrying. What they are working through is the structure that lets them meet it without staffing a function that is either too lean to hold up under scrutiny or too heavy for the business to justify at current scale.

The fractional vCISO model resolves that problem, and not just as an interim arrangement until a firm can hire full-time. For most growing advisory practices, it is the right structure for the risk profile and operating scale, full stop. Techvera’s vCIO Services provide the strategic security and compliance leadership layer growing RIAs need without the cost structure of a full-time executive hire. Our cybersecurity team delivers the underlying technical controls, and our Compliance Readiness practice handles the documentation, gap analysis, and ongoing program management that holds up under Reg S-P and SEC examination scrutiny.
The firms that handle their next examination well are not the ones that assembled a program when the document request arrived. They are the ones who put accountability in place before the examiner walked in.
If you want to understand where your firm’s program stands today, schedule a 30-minute strategy session with our team.
About the Author
Todd Mitchell
Chief Operating Officer
Todd Mitchell is the COO of Techvera, bringing operational expertise and strategic vision to help businesses transform their IT infrastructure.
