You Cannot Protect What You Have Not Measured
Updated June 2026: the Reg S-P compliance dates have passed and the rule is now in force, named an SEC FY2026 examination priority.
You cannot build a cybersecurity program without knowing what you are defending against. That sounds obvious. But a surprising number of RIAs skip this step, jumping straight to buying antivirus software or enabling multi-factor authentication without ever asking: what are our actual risks?
The amended Regulation S-P fixes that. It requires documented, reasoned safeguards for customer information. And the SEC expects you to show your work. A cybersecurity risk assessment is how you do that.
The smaller-entity compliance date was June 3, 2026, and it has now passed, so the rule is live. If your firm is not yet compliant, a documented risk assessment is the foundational step. This guide walks you through the process, with practical examples a small firm can implement right now.
What Is a Cybersecurity Risk Assessment?
A cybersecurity risk assessment is the process of identifying, analyzing, and evaluating risks to your firm's customer information and critical systems. It answers three questions:
- What are we protecting? (Your data assets)
- What threatens it? (Threat sources and vulnerabilities)
- What are we doing about it? (Existing controls and gaps)
This is not a penetration test. It is not a software scan. It is a structured review of your firm's entire information security posture, documented in a format that shows the SEC you have thought carefully about where you are exposed.
Think of it as a diagnostic before treatment. You would not prescribe medication without examining the patient. A risk assessment examines your firm before you prescribe cybersecurity controls.
Why the SEC Requires It
The amended Reg S-P requires "written policies and procedures that address administrative, technical, and physical safeguards" that are "reasonably designed" to protect customer records and information.
The key phrase is "reasonably designed." The SEC does not hand you a checklist. Instead, they expect you to demonstrate that your safeguards match your firm's specific risk profile. A two-person RIA working from a home office faces different risks than a 50-person firm with multiple branches.
You cannot demonstrate that your safeguards are reasonable without first documenting what risks they are designed to address. That is what makes a risk assessment the foundational step. Everything else (your technical controls, your incident response plan, your vendor oversight program) flows from what you discover here.
SEC examiners have been explicit about this. During examinations, they ask for evidence of risk assessment. Not just evidence of controls. Evidence that you identified risks first and then chose controls in response.
The 5-Step Risk Assessment Process
The NIST Cybersecurity Framework is the most commonly referenced standard for RIAs, and the one SEC examiners are most familiar with. You do not need to implement all of NIST. But structuring your assessment around its categories (Identify, Protect, Detect, Respond, Recover) keeps you organized and defensible.
Here is a practical five-step process built for small firms.
Step 1: Identify Your Data Assets
Before you can assess risk, you need a complete inventory of where customer information lives. Most small RIAs are surprised by how many places sensitive data ends up.
Start by listing every system, device, and location that stores or processes customer information:
- CRM and portfolio management systems (Redtail, Wealthbox, Orion, Black Diamond)
- Email (Outlook, Gmail, including attachments and drafts)
- Cloud storage (Google Drive, Dropbox, OneDrive, SharePoint)
- Financial planning software (eMoney, MoneyGuidePro, RightCapital)
- Custodian portals (Schwab, Fidelity, Pershing)
- Local devices (laptops, desktops, external hard drives, USB drives)
- Mobile devices (phones and tablets used for work)
- Paper files (filing cabinets, printed statements, signed forms)
- Communication tools (Slack, Teams, text messages, voicemails)
For each asset, note what type of customer information it contains (names, Social Security numbers, account numbers, financial records) and how many client records are at stake.
Step 2: Identify Threats
Now list everything that could compromise the data you just inventoried. Group threats into two categories.
External threats:
- Phishing emails targeting staff
- Ransomware attacks
- Business email compromise (spoofed emails requesting wire transfers)
- Brute-force attacks on weak passwords
- Third-party vendor breaches
- Website or portal vulnerabilities
Internal threats:
- Employee error (accidental data exposure, sending files to wrong recipients)
- Departing employees retaining access or copying data
- Lost or stolen laptops and mobile devices
- Weak password practices
- Unauthorized software installations
- Inadequate disposal of paper records
Do not overthink this step. You are not trying to predict every possible attack. You are building a realistic list of the most likely and most damaging scenarios for your specific firm.
Step 3: Evaluate Existing Controls
For each threat you identified, document what controls you already have in place. Be honest here. The value of a risk assessment comes from accuracy, not optimism.
Common controls to check for:
- Access controls: Do you use multi-factor authentication on all systems? Who has admin access? Are permissions reviewed when staff leave?
- Encryption: Is data encrypted at rest and in transit? Are laptops encrypted with BitLocker or FileVault?
- Network security: Do you have a firewall? Is your Wi-Fi secured with WPA3? Do you use a VPN for remote access?
- Endpoint protection: Is antivirus or endpoint detection running on all devices?
- Email security: Do you have spam filtering, DMARC/SPF/DKIM, and phishing awareness training?
- Backup and recovery: Are backups running? Are they tested? How quickly could you restore systems after an attack?
- Physical security: Are offices locked? Are paper files secured? Can visitors access workstations?
- Vendor management: Do you have written agreements with your vendors covering data protection?
For each control, note whether it is fully implemented, partially implemented, or missing entirely.
Step 4: Assess Likelihood and Impact
This is where your inventory turns into a risk assessment. For each threat, rate two things:
- Likelihood: How probable is this threat given your current controls? (High, Medium, Low)
- Impact: If this threat materialized, how severe would the damage be? (High, Medium, Low)
Use a simple 3x3 risk matrix:
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium Risk | High Risk | Critical Risk |
| Medium Likelihood | Low Risk | Medium Risk | High Risk |
| Low Likelihood | Low Risk | Low Risk | Medium Risk |
Here is how a typical small RIA might rate common threats:
| Threat | Likelihood | Impact | Risk Level |
|---|---|---|---|
| Phishing attack on staff | High | High | Critical |
| Ransomware infection | Medium | High | High |
| Departing employee retains data access | Medium | Medium | Medium |
| Lost or stolen laptop | Medium | High | High |
| Paper file theft from office | Low | Medium | Low |
| Vendor data breach | Medium | High | High |
| Brute-force password attack | Low (if MFA in place) | High | Medium |
Phishing lands at the top because it is both common and devastating. Industry data shows phishing is the attack vector behind most financial services breaches.
Step 5: Document Findings and Create an Action Plan
Your risk assessment is only useful if it produces a prioritized plan for closing gaps. For every risk rated High or Critical, create an action item with:
- The risk: What the threat is and why it scored high
- Current state: What controls exist (or do not exist)
- Required action: What needs to change
- Owner: Who is responsible for implementing the fix
- Deadline: When it must be completed
- Status: Not started, in progress, or complete
Example action item:
Risk: Phishing attack leading to email account compromise
Current state: No phishing awareness training. Basic spam filter only.
Required action: Implement dedicated email security gateway. Conduct quarterly phishing simulations. Require MFA on all email accounts.
Owner: COO / IT consultant
Deadline: May 25, 2026
Status: In progress (MFA enabled, training scheduled)
Work through Critical risks first, then High, then Medium. Low risks should still be documented but can be accepted or deferred with a note explaining why.
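The five steps above are a procedure, and a small firm can run it as one. The following script is an added example, not code from the original article or from RegShield: it encodes the 3x3 matrix from Step 4, takes a threat inventory with the control states from Step 3 (full, partial, missing), rates and sorts the threats Critical first, and emits the Step 5 action items for every High or Critical risk, leaving Medium and Low risks documented with a deferral note. The sample threats, control states, owners and the `Threat` dataclass are constructed for illustration and mirror the example ratings in the table above; the "TBD" deadline is a placeholder to be filled in when the item is assigned.

```python
"""Risk matrix and action plan generator for the five-step assessment (added example)."""
from dataclasses import dataclass

RATINGS = ("Low", "Medium", "High")

# The 3x3 matrix from Step 4, keyed (likelihood, impact).
RISK_MATRIX = {
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
}

# Remediation order from Step 5: Critical first, then High, then Medium, then Low.
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
CONTROL_STATES = ("full", "partial", "missing")  # Step 3 wording


@dataclass
class Threat:  # hypothetical record type, one row of the threat inventory
    name: str
    likelihood: str
    impact: str
    controls: dict          # control name -> "full" | "partial" | "missing"
    owner: str = "Unassigned"


def rate(likelihood: str, impact: str) -> str:
    """Look up the risk level; refuse anything outside the High/Medium/Low scale."""
    if likelihood not in RATINGS or impact not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


def assess(threats) -> list:
    """Rate every threat and return them sorted Critical -> Low (ties alphabetical)."""
    rated = []
    for t in threats:
        for ctrl, state in t.controls.items():
            if state not in CONTROL_STATES:
                raise ValueError(f"{t.name}: control {ctrl!r} has unknown state {state!r}")
        rated.append({"threat": t, "risk": rate(t.likelihood, t.impact)})
    return sorted(rated, key=lambda r: (PRIORITY[r["risk"]], r["threat"].name))


def action_plan(assessed) -> list:
    """Step 5: one action item per High/Critical risk, listing the control gaps."""
    items = []
    for entry in assessed:
        if entry["risk"] not in ("Critical", "High"):
            continue
        t = entry["threat"]
        gaps = [f"{c} ({s})" for c, s in t.controls.items() if s != "full"]
        items.append({
            "risk": f"{t.name} (rated {entry['risk']}: {t.likelihood} likelihood, {t.impact} impact)",
            "current_state": ", ".join(f"{c}: {s}" for c, s in t.controls.items()),
            "required_action": ("Close gaps: " + ", ".join(gaps)) if gaps
                               else "Verify existing controls remain effective",
            "owner": t.owner,
            "deadline": "TBD",  # placeholder: set when the item is assigned
            "status": "Not started",
        })
    return items


def accepted_risks(assessed) -> list:
    """Medium/Low risks stay in the document with a note explaining the deferral."""
    return [f"{e['threat'].name}: {e['risk']} risk, deferred until Critical/High items close"
            for e in assessed if e["risk"] in ("Medium", "Low")]


# Constructed sample inventory mirroring the article's example ratings.
SAMPLE_THREATS = [
    Threat("Phishing attack on staff", "High", "High",
           {"MFA on email": "partial", "phishing training": "missing", "spam filter": "partial"}, "COO"),
    Threat("Ransomware infection", "Medium", "High",
           {"endpoint protection": "full", "tested backups": "partial"}, "IT consultant"),
    Threat("Departing employee retains data access", "Medium", "Medium",
           {"offboarding checklist": "partial"}, "Office manager"),
    Threat("Lost or stolen laptop", "Medium", "High",
           {"disk encryption": "partial", "remote wipe": "missing"}, "IT consultant"),
    Threat("Paper file theft from office", "Low", "Medium",
           {"locked cabinets": "full"}, "Office manager"),
    Threat("Vendor data breach", "Medium", "High",
           {"written vendor agreements": "partial"}, "CCO"),
    Threat("Brute-force password attack", "Low", "High",
           {"MFA on all systems": "full"}, "IT consultant"),
]

if __name__ == "__main__":
    results = assess(SAMPLE_THREATS)
    for r in results:
        print(f"{r['risk']:9} {r['threat'].name}")
    for item in action_plan(results):
        print(item)
    print(accepted_risks(results))
```

Rerunning `assess` after a control state changes (for example, after MFA is enabled everywhere and the likelihood of a brute-force attack is re-rated Low) is the interim reassessment described later in the article: only the changed rows move, and the action plan regenerates from the new ratings.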
What to Document
SEC examiners look for specific elements in your risk assessment. Make sure your documentation includes:
- Date of assessment: When it was conducted
- Assessor: Who performed it (name, title, and qualifications if external)
- Scope: What systems, data, and locations were covered
- Methodology: How you conducted the assessment (the framework you referenced, how you rated likelihood and impact)
- Asset inventory: The complete list from Step 1
- Threat inventory: The complete list from Step 2
- Control evaluation: Current state of each control from Step 3
- Risk ratings: The completed matrix from Step 4
- Action plan: Prioritized remediation items from Step 5
- Evidence of follow-through: Updates showing that action items are being completed
That last point is critical. A risk assessment that identifies problems but never addresses them is worse than no assessment at all. It proves you knew about the risk and did nothing. Keep a log of remediation progress and attach it to the assessment document.
How Often to Reassess
The SEC expects your risk assessment to be a living process, not a one-time exercise. At minimum, conduct a full reassessment annually.
Beyond the annual cycle, reassess whenever any of these events occur:
- New technology adoption: Switching CRM platforms, adding a client portal, moving to a new cloud provider
- Vendor changes: Onboarding a new custodian, IT provider, or cloud service
- Security incidents: Any breach, near-miss, or suspicious activity at your firm or a vendor
- Significant business changes: Opening a new office, hiring remote staff, acquiring another practice
- Regulatory updates: New SEC guidance or rule amendments
You do not need to redo the entire assessment each time. For interim reassessments, focus on the systems or processes that changed and update your risk ratings accordingly.
Common Mistakes
Treating it as a checkbox exercise. Copying a template off the internet and filling in generic answers defeats the purpose. The SEC wants to see that your assessment reflects your firm's actual operations, not a hypothetical firm.
Ignoring internal threats. Most firms focus exclusively on hackers and malware. But employee error and insider risk account for a significant share of data breaches. Your assessment needs to cover both.
Not involving the right people. If only the CCO fills out the assessment, you miss operational details. Include your IT consultant, office manager, and anyone who handles client data daily. They know where the real risks are.
Assessing once and forgetting. A risk assessment from 2024 does not cover the cloud migration you did in 2025. Outdated assessments are a red flag for examiners.
Skipping the action plan. Identifying risks without a remediation plan is just a worry list. The SEC expects to see that you acted on your findings.
Over-relying on vendor promises. Just because your CRM vendor says they are "SOC 2 compliant" does not mean your data is safe. You still need to assess how you use the tool, who has access, and what happens if the vendor is breached.
Getting Started Today
If you are a solo practitioner or a small firm that is not yet compliant, here is the fastest path forward:
- Block four hours on your calendar this week. That is enough to get through Steps 1 through 3.
- Block another four hours for Steps 4 and 5.
- Use NIST CSF categories as your reference, but do not try to implement the full framework. Focus on what is practical for your firm size.
- Write it down. A Word document or spreadsheet is fine. The format does not matter. The documentation does.
Your risk assessment feeds directly into every other compliance document you need: your Written Information Security Policy, your incident response plan, and your vendor management program.
If you are not sure where your firm stands on Reg S-P readiness overall, our compliance checker can give you a quick baseline. And if building all of this from scratch feels overwhelming, that is exactly what RegShield was built for.
The rule is in force, but a structured risk assessment does not need to be complicated. It needs to be honest, documented, and actionable. Start with what you know. Write it down. Fix the gaps. That is what the SEC is looking for.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.