Assessment

The SEC Examination You Are Not Ready For

The amended Reg S-P cybersecurity requirements take effect June 3, 2026. Most RIA firms have not assessed their exposure. We already have.

The regulatory context.

In May 2024, the SEC finalized amendments to Regulation S-P that significantly expand cybersecurity obligations for registered investment advisers. The amended rule requires written incident response programs, breach notification procedures within 30 days, and documented safeguards covering the full lifecycle of customer information.

For larger firms, the compliance deadline has already passed. For smaller advisers, the deadline is June 3, 2026.

The SEC's 2026 Examination Priorities explicitly name Reg S-P compliance and cybersecurity preparedness as focus areas. These are not aspirational guidelines. They are the criteria examiners will use when they arrive.

The exposure is measurable.

Hyrizen conducted a national audit of email authentication infrastructure across 13,136 RIA firms registered with the SEC.

The results were direct. The majority of firms lack properly configured DMARC, SPF, or DKIM records. Many have no DMARC policy at all. Others have policies set to monitoring only, providing no actual protection against spoofing or impersonation.

Email authentication is not the whole of cybersecurity. But it is one of the most visible, verifiable indicators of whether a firm has taken basic infrastructure security seriously. It is also one of the first things an examiner or auditor can check without requesting a single document.

A firm that cannot demonstrate control over its own email domain is unlikely to satisfy a regulator asking about incident response programs, vendor oversight, or breach notification readiness.

A focused diagnostic.

The SEC Cybersecurity Readiness Assessment evaluates the infrastructure an examiner would see before they ever contact your firm.

You receive a written report documenting your current exposure, specific remediation steps, and a clear picture of what an SEC examination would surface.

This is not a penetration test, and it is not a compliance checklist. It is an honest evaluation of the signals your firm is already broadcasting, whether you intend to or not.

DMARC, SPF & DKIM: Configuration and policy enforcement across your email domains
DNS security: Domain hygiene and DNS security posture
Transport security: Website TLS configuration and certificate status
Data handling signals: Publicly visible indicators of data handling practices
Reg S-P alignment: Technical controls mapped against amended regulatory requirements

The window is closing.

Compliance deadlines do not move. Firms that begin assessment now have time to identify gaps and take corrective action before the deadline. Firms that wait will face examination exposure without a documented remediation effort.

The SEC has been clear about its priorities. Cybersecurity is not a secondary concern. For firms that handle sensitive client data — which is every RIA — the expectation is that infrastructure reflects the obligation.

Scope and pricing.

The assessment is $1,500 and includes the full written report with findings, risk evaluation, and remediation guidance.

For firms that require remediation beyond the assessment, Hyrizen provides infrastructure architecture services tailored to regulated businesses. Assessment clients receive priority scheduling and a direct path to implementation if corrective action is needed.

Frequently asked questions.

When is the Reg S-P compliance deadline for smaller advisers?

The compliance deadline for smaller advisers under the SEC's amended Regulation S-P is June 3, 2026. Larger firms were required to comply by an earlier date. The amended rule requires written incident response programs, breach notification procedures within 30 days, and documented safeguards covering the full lifecycle of customer information.

What does the SEC cybersecurity examination cover?

The SEC's 2026 Examination Priorities explicitly name Reg S-P compliance and cybersecurity preparedness as focus areas. Examiners evaluate whether firms have written incident response programs, documented safeguards for customer information, breach notification procedures, vendor oversight protocols, and verifiable technical controls such as email authentication and domain security. These are not aspirational guidelines — they are the criteria examiners will use when they arrive.

This assessment is informed by Hyrizen's national audit of email authentication infrastructure across SEC-registered RIA firms. Read the full findings in our 2026 RIA Email Security Audit.

Request your assessment

If you are unsure whether your firm's infrastructure meets the amended Reg S-P requirements, that uncertainty is the answer.
