The SEC’s Division of Examinations has named cybersecurity a top exam priority every year since 2021. FINRA followed. By 2026, “cyber” is no longer a niche exam topic — it’s a structural part of the exam letter for any registered investment advisor, broker-dealer, or hybrid firm.
The exam questions have professionalised. Examiners aren’t asking whether you have “cybersecurity policies” in the abstract; they’re asking specific, evidence-based questions, and they expect specific, evidence-based answers. Insurance comes up directly in that conversation.
Here’s what RIA firms should expect — and what to have in place before the exam letter arrives.
What examiners are now asking
Five themes dominate cyber-related exam questions in 2026:
1. Identity and access management
How are access privileges granted and revoked? When an employee leaves, how quickly are credentials disabled? Is multi-factor authentication enforced for all remote access, all administrative access, and all access to client data? Examiners want specific timeframes and audit logs.
2. Vendor management and third-party risk
Custody platforms, trade-execution providers, document management, CRM, email — each is a third party with access to client data. Examiners want documented vendor due diligence, contractual cybersecurity obligations, and evidence that the firm is monitoring vendor performance.
3. Incident response and disclosure
What’s the documented incident response plan? When did you last test it? On a cyber event, how would you notify regulators, clients, and the SEC (where Item 106 disclosure or Reg S-P applies)? Examiners look for a tabletop exercise log.
4. Funds transfer and social engineering controls
For RIA firms specifically: what controls prevent fraudulent wire transfer instructions? Verbal verification on every wire change? Multi-person authorisation for outbound transfers above a threshold? Documented compliance with the firm’s own procedures?
5. Insurance posture
This is newer. Examiners are increasingly asking firms to describe their cyber insurance, the limits, the carrier, and how the cover would respond to specific incident types. They want to understand whether the insurance posture is consistent with the firm’s stated cybersecurity risk profile.
What the insurance should look like
The RIA-specific cyber programme that lines up cleanly with current exam expectations has four properties:
1. Affirmative regulatory defence
Cover for the cost of responding to SEC, FINRA, state regulator, and self-regulatory inquiries arising from cyber events. The form should explicitly include the cost of responding to non-litigation regulatory questions, not just defence of formal proceedings.
2. Funds-transfer fraud as a primary limit
For any RIA managing client money or facilitating client transfers, social-engineering / funds-transfer fraud cover at a meaningful primary limit — sized to the dollar volume of client transactions, not a token sub-limit. This is the loss type most likely to actually hit a firm and the one most cyber forms are weakest on.
3. Privacy liability covering Reg S-P scenarios
When client data is breached, the firm has Reg S-P notification obligations and may face client claims. The cyber form should cover the cost of notification, regulatory engagement, and third-party claims by clients.
4. Coordination with E&O
When a cyber breach also exposes the firm to fiduciary or suitability claims (e.g., client trades fraudulently executed during a credential breach), the cyber and E&O forms have to coordinate. A specialty RIA E&O carrier is the right home for this; some carriers write cyber and E&O as a single coordinated programme.
What to do before the next exam cycle
Three concrete moves:
- Review the cyber form against the exam expectations. Specifically: regulatory defence breadth, funds-transfer fraud limits, and form coordination with E&O. If any of the three is weak, the renewal is the time to fix it.
- Document the cybersecurity programme. Not just policies — actual evidence. MFA enforcement reports, access provisioning logs, vendor security questionnaires, tabletop exercise summaries. Examiners want to see the file.
- Make sure the broker is in the exam loop. If a cyber event triggers a regulatory inquiry, the broker should be on the response team alongside compliance and counsel.
The exam is going to ask. The insurance posture should already answer.