RIA · Charlotte

What an SEC examiner actually looks for at a small RIA.

If you're a Charlotte-area RIA under $1B AUM, the rules changed. Reg S-P, the proposed cybersecurity rule, and the 2026 exam priorities — in plain English, with the controls that satisfy them.

By WHT Cyber Engineering · June 10, 2026 · 8 min read

If you run a registered investment advisor in Charlotte, the rulebook you operated under five years ago doesn't exist anymore.

The SEC's Marketing Rule rewrote how you talk about performance. Regulation S-P got teeth — incident notification is now 30 days for any breach affecting customer information. The proposed cybersecurity rule (Rule 206(4)-9) is on its way, and the SEC has already been examining as if it's effective. The 2026 Division of Examinations priorities make cybersecurity, identity theft, and operational resilience top-of-list.

And if you're under $1B AUM with two staff and a part-time IT person, you're being held to the same expectations as a $50B firm. That isn't fair. It is, however, the rule.

Below is what an SEC examiner actually asks small RIAs in 2026, what evidence they want to see, and the controls that satisfy them without buying enterprise software.

What changed

Regulation S-P (revised 2024, effective 2025-2026)

The amended Reg S-P requires:

  • A written incident response program that addresses the unauthorized access or use of customer information
  • Notification to affected individuals within 30 days of becoming aware of a breach
  • Annual review of policies and procedures
  • Service provider oversight — you are accountable for vendor breaches that touch your customer data

The 30-day clock is the biggest change. It starts the moment you "become aware" — not the moment you confirm. That's an aggressive standard, and it's why a documented incident response plan with named decision-makers is no longer optional.

The proposed cybersecurity rule (Rule 206(4)-9)

Not finalized as of mid-2026, but the SEC has signaled that it will examine against the rule's requirements regardless. The proposal requires:

  • A written cybersecurity policies and procedures program
  • Risk assessments documented at least annually
  • Incident reporting to the SEC within 48 hours of determining a significant cybersecurity incident occurred
  • Disclosure of material cybersecurity risks and incidents in Form ADV

Read that 48-hour clock again. That's not "we figured out what happened." That's "we determined it was significant." For a 5-person RIA, the gap between a phishing click and the determination needs to be hours, not days.

The 2026 Examination Priorities

The SEC Division of Examinations published its 2026 priorities in late 2025. Cybersecurity is at the top, alongside identity theft prevention (Reg S-ID) and operational resilience. The Division specifically called out:

  • Implementation of the amended Reg S-P
  • Use of artificial intelligence and the cybersecurity risks it introduces
  • Third-party service providers and supply chain risk
  • Identity theft red flags programs (often badly out of date at small RIAs)

What an SEC examiner will actually ask you

From transcripts of recent exams and the SEC's published guidance, here are the questions you should expect — and the evidence the examiner wants to see.

"Walk me through your written information security program."

Not "do you have one?" — but a walkthrough. The examiner wants to see a real document with sections covering: governance, risk assessment, access controls, encryption, incident response, vendor management, training, monitoring, and an annual review log.

If your "WISP" is a 4-page template from 2019 with no signatures or update history, that's a finding.

"Show me your last risk assessment."

Same as HIPAA — they want to see a documented, dated assessment that identified threats, vulnerabilities, and mitigations specific to your firm. A vendor-provided scan report is not a risk assessment.

"Who has access to client data, and how do you know?"

An access control review. Who has admin access to your portfolio management system, your CRM, your custodian portals? When was that list last reviewed? Who left in the last 12 months — were their accounts disabled the day they left?

This last one is the most common finding at small RIAs we audit. An admin assistant who left 18 months ago still has access to Schwab Advisor Center. The IT consultant from three years ago still has a domain admin account.
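
The access review described above, as an added example that is not part of the original post: it reconciles a constructed HR roster against a constructed account export and produces the finding list a reviewer would sign off on each quarter. Every name, address and date in it is made up.

```python
# Added example, not from the WHT Cyber post: a quarterly access review
# that joins a constructed HR roster against a constructed account export
# (the kind of CSV an M365 tenant, CRM or custodian portal can produce)
# and flags what the examiner asks about: leavers still enabled, accounts
# with no owner in HR, unused accounts, and admins needing explicit sign-off.
import csv
import io
from datetime import date, timedelta

REVIEW_DATE = date(2026, 6, 10)  # constructed "as of" date for the review
HR_ROSTER = """email,status,termination_date
alice@example-ria.com,active,
bob@example-ria.com,terminated,2025-01-15
carol@example-ria.com,active,
itconsultant@example-ria.com,terminated,2023-06-30
"""

ACCOUNT_EXPORT = """email,enabled,last_sign_in,roles
alice@example-ria.com,true,2026-06-09,user
bob@example-ria.com,true,2025-01-14,user
carol@example-ria.com,true,2026-05-20,user
itconsultant@example-ria.com,true,2023-06-29,global_admin
svc-backup@example-ria.com,true,2025-11-30,user
"""

def review_access(roster_csv, accounts_csv, as_of, inactive_days=90):
    """Return sorted (email, finding) pairs for the review sign-off sheet."""
    roster = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(roster_csv))}
    cutoff = as_of - timedelta(days=inactive_days)
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        email = acct["email"].lower()
        enabled = acct["enabled"].strip().lower() == "true"
        hr = roster.get(email)
        if hr is None:                      # nobody in HR owns this account
            findings.append((email, "NOT_IN_HR"))
        elif hr["status"] == "terminated" and enabled:
            findings.append((email, "LEAVER_STILL_ENABLED"))
        last = acct["last_sign_in"]
        if enabled and (not last or date.fromisoformat(last) < cutoff):
            findings.append((email, "INACTIVE"))
        if enabled and "admin" in acct["roles"].lower():
            findings.append((email, "ADMIN_NEEDS_SIGNOFF"))
    return sorted(findings)

if __name__ == "__main__":
    for email, finding in review_access(HR_ROSTER, ACCOUNT_EXPORT, REVIEW_DATE):
        print(f"{finding:22} {email}")
```

The output is the evidence the examiner asks for: a dated list of exceptions, each of which gets disabled or explicitly approved and initialed.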

"What happens when a client emails you wiring instructions?"

The classic Reg S-ID question. The examiner wants to see a written, followed procedure for verifying wire instructions out of band. "We call them" is fine — but show the call log, or the signed verification form, or the recorded call.

If a client emails new wiring instructions and your staff acts on them based on the email alone, you have a finding waiting to be cited.

"How do you protect remote workers?"

Particularly relevant since most RIAs went hybrid post-2020. Examiners want to see:

  • Company-managed (not personal) devices for accessing client data, or strict MDM on personal devices
  • VPN with MFA
  • Encrypted hard drives
  • A clean-desk policy that applies to home offices
  • No printing client data on home printers without secure disposal

"What's your vendor management process?"

Inventory of every vendor that touches client data — custodians, portfolio management software, CRM, document management, financial planning tools, email, backup, cybersecurity. For each: due diligence, contract review, SOC 2 or ISO 27001 (where applicable), annual review.

Small RIAs often haven't reviewed their vendor list since those vendors were first onboarded five years ago. That's not defensible in 2026.

"Tell me about a security event you handled."

Even if you've never had a confirmed breach, you've had events — a phishing click, a lost laptop, a vendor incident, a credential reuse alert. The examiner wants to see that you treated them seriously: documented, investigated, mitigated, learned from.

"We've never had anything happen" is the wrong answer. It signals you weren't paying attention.

The controls that satisfy the rules

You don't need enterprise security to defend a small RIA. You need defensible basics, layered, with evidence.

Identity and access

  • Microsoft 365 Business Premium (or equivalent) with Conditional Access enforcing MFA on all logins
  • Phishing-resistant MFA (FIDO2 keys) for principals and anyone with custodian access
  • Separate admin accounts from daily-use accounts
  • Quarterly access review with documented sign-off

Endpoint and email

  • Managed EDR (Microsoft Defender for Endpoint Plan 2, CrowdStrike, SentinelOne, Huntress) — not consumer antivirus
  • Email security with attachment sandboxing and link rewriting
  • DMARC enforced on the firm's domain
  • BitLocker / FileVault on every endpoint, reported via MDM
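
What "DMARC enforced" means in practice, as an added example that is not from the original post: a small evaluator that parses a DMARC record and reports the gaps (p=none, a weaker subdomain policy, partial pct, no reporting address) that keep a domain short of enforcement. The three records it checks are constructed.

```python
# Added example, not from the WHT Cyber post: check whether a DMARC TXT
# record is actually at enforcement, which is the state the control above
# calls for. The records below are constructed; in practice you would look
# up the TXT record at _dmarc.<your-domain> and pass its text in.

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record):
    """Return (enforced, gaps). Enforced means receivers are told to act on
    failing mail for the domain and its subdomains, for 100% of messages."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC1 record"]
    policy = t.get("p", "none").lower()
    sub = t.get("sp", policy).lower()       # sp= defaults to the p= value
    pct = int(t.get("pct", "100"))          # receivers apply p= to pct% of mail
    acting = ("quarantine", "reject")
    gaps = []
    if policy not in acting:
        gaps.append(f"p={policy}: failing mail is only monitored")
    elif policy == "quarantine":
        gaps.append("p=quarantine: move to reject once aggregate reports are clean")
    if sub not in acting:
        gaps.append(f"sp={sub}: subdomains can still be spoofed")
    if pct < 100:
        gaps.append(f"pct={pct}: policy applies to only {pct}% of mail")
    if "rua" not in t:
        gaps.append("no rua=: nobody receives the aggregate reports")
    return policy in acting and sub in acting and pct == 100, gaps

# Constructed records: monitor-only, a half-measure, and fully enforced.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example-ria.com"
HALF_MEASURE = "v=DMARC1; p=reject; sp=none; pct=10"
ENFORCED = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-ria.com"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, HALF_MEASURE, ENFORCED):
        ok, gaps = evaluate_dmarc(rec)
        print("ENFORCED    " if ok else "NOT ENFORCED", rec)
        for g in gaps:
            print("  -", g)
```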

Monitoring and response

  • Centralized log retention (12 months minimum)
  • 24/7 monitoring with a SOC — in-house or managed
  • Written incident response plan with named decision-makers and a 48-hour determination clock
  • Incident response retainer with a credentialed firm

Documentation

  • Annual WISP with signatures and review history
  • Risk assessment refreshed annually
  • Training: annual + new-hire, with sign-offs retained
  • Vendor inventory with renewal dates and SOC 2 collection
  • Identity theft red flags program reviewed annually

What this costs in Charlotte

For a typical 5-15 person RIA in the Charlotte metro, a defensible security and compliance posture lands in the $2,500 to $6,000 per month range — bundled. That includes managed SOC, EDR, identity, vendor management support, and the documentation an examiner expects.

Compared to the cost of a finding (a deficiency letter is enough to delay a custodian contract or an institutional mandate), it's the cheapest line on the operating budget that actually has leverage.

Why local matters

We're based in Huntersville and most of our RIA clients are within an hour of uptown. That means we can be on-site for examinations, for incidents, and for the kind of trust-building conversations that don't happen over Zoom. When the SEC sends a deficiency letter on a Friday, we're already in your conference room Monday morning.

The bottom line

The SEC isn't trying to put small RIAs out of business. They are, however, raising the floor — and the firms that don't move with it are going to spend the next two years in remediation.

The work is straightforward. Documented program. Layered controls. Real evidence. Annual reviews that actually happen. If you can show those four things, an exam is a half-day event. If you can't, it's a multi-month engagement with deliverables you should have been building all along.

Start with the WISP. Audit your access controls. Build the vendor inventory. The rest follows.

Want this audited for your environment?

A 30-minute call. We'll tell you what's already solid, what needs work, and what we'd charge. No deck. No pressure.
