The BlackSheep Blog
Compliance guidance for RIAs who'd rather understand the rules than pay someone to explain them every quarter.
Your Clients Can Receive Phishing Emails That Look Like They Came From You
83% of RIA domains have no DMARC. Anyone can send emails that appear to come from your firm — wire transfers, account updates, password resets. Your clients can't tell the difference.
Your Cyber Insurance Renewal Is About to Get Harder — What RIAs Need to Know
Insurers now require documented proof of MFA, IR plans, and email authentication. No documentation = denied claims or higher premiums. Here's what to prepare.
55 Days Until Reg S-P: What Your RIA Needs to Do Right Now
Most firms need 2-3 months to build a compliance program. You have less than 2. Here's a week-by-week countdown plan that gets you there.
Your Fiduciary Duty Now Includes Cybersecurity — What That Means for RIAs
The SEC says protecting client assets includes protecting client data. If a client gets phished from your domain, that's a fiduciary failure — not just a tech problem.
We Scored 8,802 RIAs on Cybersecurity. Here's How Your Firm Compares.
Average score: 57/100. Only 3% earned an A. 83% have no DMARC. See the full breakdown by category, AUM tier, and state — then check your own firm.
Are You Managing Cybersecurity Compliance or Cybersecurity Risk? You Need Both.
You can be compliant and at risk. You can be secure and non-compliant. The SEC expects both — and most RIAs are only doing one.
7 Questions to Ask Your MSP Before the Reg S-P Deadline
Forward this to your MSP. Their answers will tell you whether you have a compliance partner or just an IT vendor.
Top 10 Cybersecurity Mistakes RIAs Make (From Scanning 8,802 Firms)
83% no DMARC. No documented IR plan. No vendor oversight. Count your mistakes — 0-2 means you're ahead of 97% of the industry.
4 Questions Your Board Should Be Asking About Cybersecurity
Share this with your managing partner before the next board meeting. If your CCO can answer all four with evidence, you're ahead of 97% of RIAs.
6 Signs Your Compliance Tool Isn't Actually Protecting You
If your tool can't tell you your DMARC status without you checking a box, it's a tracking tool, not a security tool.
The Complete Reg S-P Compliance Checklist for RIAs (15 Items for 2026)
15 items across 5 categories. Score yourself: are you exam-ready?
What Your MSP Isn't Telling You (And Why It Matters for Your RIA)
8 gaps between what your MSP delivers and what the SEC requires. The 72-hour breach notification clause alone could cost you an exam finding.
Compliance Theater vs. Actual Security: Why Your GRC Tool Can't Tell You If Your Controls Work
GRC tools document controls. They don't verify them. 83% of RIAs have policies requiring DMARC but no DMARC configured. That gap is what attackers exploit and examiners find.
What Happens After You Sign Up for BlackSheep? Your First Week, Day by Day
Day 1: scan. Day 2: policies. Day 3: IR plan. Day 5: exam-ready. Here's exactly what your first week looks like — no surprises.
BlackSheep Pricing, Plans, and Everything You Need to Know Before Signing Up
$249/mo. Month-to-month. No hidden fees. Here's every question answered — pricing, setup, frameworks, cancellation, and how it compares.
What Actually Happens During an SEC Cybersecurity Exam (And How to Prepare)
How firms get selected, what documents they request, what they check technically, common findings, and what happens after. The full walkthrough.
Is Your RIA Too Small for Cybersecurity Compliance? (No. Here's Why.)
Reg S-P applies to ALL SEC-registered RIAs regardless of size. No exemption. The SEC is specifically targeting smaller firms in 2026.
You Already Have a Compliance Solution. Is It Actually Working?
5 questions to ask about your current tool. If you answer 'no' to 2 or more, you have gaps the SEC will find.
5 Best Cybersecurity Compliance Platforms for RIAs in 2026
An honest comparison of BlackSheep, Vanta, Secureframe, Drata, and traditional consultants. Who wins on price, SEC-specificity, and automation.
The 10-Point SEC Cybersecurity Exam Checklist Every RIA Needs in 2026
WISP, risk assessment, IR plan, DMARC, MFA, encryption, vendor management, training, BCP, and board oversight. Score yourself: are you exam-ready?
8 Things Your MSP Should Be Doing for SEC Compliance (But Probably Isn't)
Print this list. Send it to your MSP. If they can check all 8, you have a great IT partner. If they can't, you have a gap.
5 Reg S-P Requirements Most RIAs Are Still Missing With 54 Days Left
Written IR program, 72-hour vendor clause, 30-day client notification, documented risk assessment, evidence of implementation. How many does your firm have?
3 Ways RIAs Handle SEC Cybersecurity Compliance (And Which Actually Works)
Hire a consultant ($15-30K), DIY with templates ($0), or use a compliance platform ($249/mo). An honest comparison with a decision matrix.
Does Your Cybersecurity Compliance Vendor Actually Automate Anything?
Most compliance platforms promise automation but deliver dashboards full of manual checklists. Here's what actual automation looks like — and what still needs your judgment.
Should Your Compliance Consultant Handle Your Cybersecurity Too?
Your compliance consultant can write a WISP. They can't tell you your DMARC is misconfigured. Policy without verification is just paper — here's what the SEC actually wants.
Should Your MSP Be Your vCISO? Why RIAs Need Independent Compliance Oversight
Your MSP is offering vCISO services. That's like your contractor inspecting their own work. Here's why independence matters and what it actually costs.
Is Your MSP Actually Protecting Your RIA? How to Tell
Most RIAs outsource IT to an MSP. But MSPs don't know what the SEC requires. We scanned 8,802 RIA websites — 83% had gaps their IT provider should have caught.
Cybersecurity Policy Template for SEC-Registered RIAs: What to Include (And What Templates Get Wrong)
SEC examiners have seen every template. Here's what a compliant policy must include, what most templates miss, and why generated beats generic.
Cybersecurity Risk Management Software for RIAs: What to Look For in 2026
Enterprise tools cost six figures. GRC tools don't scan. Here's what RIAs actually need — and how to evaluate the options.
Cybersecurity Risk Assessment Software for RIAs: Automate What the SEC Requires
Self-assessment questionnaires aren't risk assessments. 83% of RIAs would check 'DMARC configured' and be wrong. Here's what real assessment software does.
Third-Party Risk Management for RIAs: What Reg S-P Requires and How to Automate It
Most RIAs have 15-30 vendors and no oversight program. Reg S-P requires 72-hour breach notification clauses in every contract. Here's how to get compliant.
What Does Regulation S-P Require for Investment Advisers in 2026?
The amended Reg S-P requires a written incident response program, 30-day client notification, and 72-hour vendor notification. Here's what every RIA needs to know.
How to Build a Written Information Security Program (WISP) for Your RIA
The SEC requires written policies covering administrative, technical, and physical safeguards. Here's what goes in a WISP, what examiners check, and how to avoid the $15K consultant fee.
How to Conduct a GLBA-Compliant Risk Assessment for Your Community Bank
The GLBA Safeguards Rule requires a written risk assessment. FFIEC examiners evaluate it against IT Handbook standards. Here's what to include and what trips banks up.
GLBA Breach Notification Requirements for Banks in 2026
Two notification paths: 36 hours to your regulator, 30 days to consumers. Missing either is an independent violation. Here's how both work.
What Does a Bank Cybersecurity Exam Cost and How Do You Prepare?
Exam prep typically costs $15K–$50K in consultant fees. FFIEC examiners in 2026 focus on access controls, vendor management, and ransomware response. Here's what to expect.
What Does NCUA Letter 26-CU-01 Require for Credit Union Cybersecurity?
NCUA's 2026 supervisory priorities put cybersecurity and payment security at the top. Here's what examiners will assess and how to prepare.
What Does 12 CFR Part 748 Require for Credit Union Information Security Programs?
Every federally insured credit union needs a written information security program approved by the board. Here's what goes in it and how certification works.
NCUA Cybersecurity Exam Priorities for Credit Unions in 2026
Four focus areas: payment security, vendor oversight, member data protection, and insider threats. Examiners want written documentation and evidence of testing.
Does a Small Credit Union Need a Cybersecurity Compliance Program?
Yes. 12 CFR Part 748 applies regardless of asset size. There is no small-institution exemption. Here's what the minimum looks like.
HIPAA Security Rule Requirements for Small Medical Practices in 2026
The Security Rule is size-scalable but OCR enforces the same 8 administrative safeguards regardless of practice size. More than half of recent enforcement actions cited risk analysis failures.
The HIPAA Security Rule Proposed Update: What It Will Require
The January 2025 NPRM removes the addressable/required distinction, mandates MFA and encryption, and requires annual asset inventories. Here's what to prepare for.
How Much Can OCR Fine a Healthcare Provider for HIPAA Violations?
OCR levied $6.6M+ in fines in 2025. HITECH penalties range from $100 to $50K per violation with annual caps up to $1.9M. The most common citation: missing risk analysis.
HIPAA Encryption Requirements for Electronic Protected Health Information (ePHI)
Encryption is currently 'addressable' but OCR treats unencrypted ePHI as willful neglect when a breach occurs. The proposed update makes it mandatory.
The SEC Reg S-P Deadline Is June 3, 2026. Here's What That Actually Means for Your Firm.
What changed in the 2024 amendments, who has to comply, and what happens if you're not ready. A plain-language breakdown for RIAs.
How to Build a Reg S-P Incident Response Plan That Won't Fall Apart During an Exam
The SEC now requires a written incident response program. Here's what goes in it, how to test it, and what 'reasonably designed' actually means.
The 72-Hour Rule: What Reg S-P Vendor Oversight Means for Your Firm
Your vendors now have 72 hours to tell you about a breach. That means you need it in writing. Here's how to handle vendor contracts, due diligence, and monitoring.
What Does Reg S-P Compliance Actually Cost? A Realistic Breakdown for RIAs
DIY, consultant, or software? We break down the real numbers so you can budget without guessing.
Reg S-P vs. Reg S-ID: Two Rules, Two Jobs, One Firm That Needs to Handle Both
One protects data. The other catches identity theft. Most RIAs need both. Here's how they differ and where they overlap.
The NYDFS 500 Annual Certification: What to Know Before April 15
Two filing options, dual signature, five-year retention. Here's how to prepare for the annual certification without scrambling.
The NYDFS 500 CISO Requirement: Who Qualifies, and Can You Outsource It?
You need a CISO. But it doesn't have to be a full-time hire. Here's what the regulation actually requires and how to comply.
NYDFS 500 vs. SEC Reg S-P: Which Applies and Which Sets the Higher Bar?
One is prescriptive. The other is principles-based. If you're subject to both, here's how to build one program that covers both.
What Changed from NIST CSF 1.1 to 2.0 (and What It Means for Your Firm)
New Govern function, expanded scope, implementation examples. If you're still on 1.1, here's the transition roadmap.
How to Use NIST CSF 2.0 to Prepare for Your Next SEC Exam
SEC examiners reference NIST CSF when evaluating your program. Here's how to use that to your advantage.
The NIST CSF 2.0 Govern Function: Why It Matters More Than the Other Five
Governance sits at the center of the framework for a reason. Here's what the 6 categories cover and how RIAs should implement them.
SEC Cybersecurity Exam Checklist: What Examiners Actually Ask For
The documents SEC EXAMS staff actually request, common deficiency findings, and how to prepare before they show up.
What Happens If Your Firm Fails an SEC Cybersecurity Exam
Deficiency letters, enforcement actions, remediation timelines, and what it actually costs to be non-compliant.
How to Write a Cybersecurity Policy for Your RIA (Without Hiring a Lawyer)
Section-by-section WISP breakdown covering data classification, access controls, incident response, and vendor management.
Cybersecurity Requirements for Small RIAs: What Actually Applies to You
Which requirements apply to firms under 20 employees, what you can defer, and what a minimum viable compliance program looks like.
NYDFS 500 Penalties: Real Enforcement Actions and What They Cost
First American ($1M), Excellus ($5.1M), EyeMed ($4.5M). How penalties are calculated and what triggers an investigation.
RIA Vendor Management: What SEC and NYDFS Actually Require
The 72-hour notification rule, due diligence checklists, contract provisions, and a practical quarterly workflow.
How Much Does a Cybersecurity Risk Assessment Cost? (2026 Pricing)
Consultant ($5K-$50K+), DIY ($0-$500), or software ($249/mo). Real pricing for every approach, with what regulators actually expect to see.
Best Cybersecurity Risk Assessment Tools & Software (2026)
Comparison of tools for regulated industries: BlackSheep, Vanta, Drata, Secureframe, and DIY approaches. Framework coverage, pricing, and which fits your firm.