Is Your MSP Actually Protecting Your RIA? How to Tell

The assumption that gets RIAs in trouble

Here is how it usually works. A small or mid-size RIA hires a local managed service provider to handle their technology. The MSP sets up email, manages the network, installs antivirus, handles helpdesk tickets, and keeps things running. The RIA principal assumes "our IT guy handles security" and moves on to running the business.

The problem is that "handling IT" and "handling SEC cybersecurity compliance" are two completely different things. Your MSP is probably good at the first one. They are almost certainly not doing the second one — and they may not even know it exists.

The SEC holds you responsible, not your MSP

This is the part that catches people off guard. The SEC does not care who manages your IT infrastructure. Under Regulation S-P, the registered investment adviser is responsible for adopting written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

You can outsource the work. You cannot outsource the liability. If SEC examiners find that your firm lacks a written information security policy, has no incident response plan, and hasn't conducted a risk assessment — the deficiency letter goes to you. Not to your MSP.

What your MSP probably does

Most MSPs serving small businesses do a solid job on the operational IT side. They typically handle:

• Patch management. Keeping operating systems and software up to date.
• Antivirus and endpoint protection. Deploying and monitoring security software on workstations.
• Firewall management. Configuring and maintaining network perimeter security.
• Email hosting and administration. Setting up mailboxes, managing access, handling spam filtering.
• Helpdesk and break-fix support. Solving day-to-day technology problems.
• Backup and disaster recovery. Keeping copies of your data in case something goes wrong.

None of this is trivial. A competent MSP doing these things well is genuinely valuable to your business. The issue is not what they are doing — it is what they are not doing.

What your MSP probably does not do

The gaps almost always fall in the same places. These are the things the SEC expects you to have that your MSP has likely never mentioned:

• DMARC, SPF, and DKIM configuration.These email authentication protocols prevent attackers from spoofing your domain to send phishing emails to your clients. They are a technical control, but most MSPs don't configure them because they're not required for email to work — only for email to be secure.
• Written Information Security Policy (WISP). The SEC expects a written, documented information security program that describes your firm's safeguards. This is a compliance document, not a technical configuration. Your MSP does not write these.
• Incident response plan. A documented procedure for detecting, responding to, and recovering from a cybersecurity incident. The SEC wants to see that you have thought through what happens when — not if — something goes wrong.
• SEC examination preparation. Your MSP has never sat across from an SEC examiner. They do not know what examiners ask, what documentation they request, or how to demonstrate compliance.
• Reg S-P compliance documentation. The amended rule requires specific written policies around safeguarding customer information, including an incident response program with notification procedures. This is regulatory documentation, not an IT task.
• Vendor risk assessments. The SEC expects you to evaluate the cybersecurity practices of your third-party service providers — including, ironically, your MSP.
• Annual risk assessments.A formal, documented evaluation of threats and vulnerabilities to your firm's information systems. Not a penetration test or vulnerability scan — a compliance-oriented risk assessment that maps to SEC expectations.

The data that proves it

We did not make assumptions about what MSPs are or are not doing. We measured it.

BlackSheep scanned 8,802 RIA websites. Of those, 83% had no DMARC record configured on their email domain. That means 83% of the MSPs managing RIA email infrastructure have not configured basic email authentication — the single most effective protection against domain spoofing and client-targeted phishing.

DMARC is not obscure. It is not difficult to configure. It takes an MSP about fifteen minutes to set up. The fact that 83% of RIA domains lack it tells you something important: the MSPs managing these environments are not thinking about security from a regulatory compliance perspective. They are thinking about it from an "is the email working" perspective.

That distinction matters. Email works fine without DMARC. It just is not secure without it. And when the SEC asks whether your firm has implemented reasonable safeguards to protect client information, "our email works" is not a sufficient answer.

How to find the gaps in five minutes

You do not need to audit your MSP to figure out whether they are leaving compliance gaps. Run your firm's domain through BlackSheep's free security scan. It checks for DMARC, SPF, DKIM, SSL configuration, and other externally visible security controls.

If the scan finds issues, your MSP missed them. That does not make them a bad MSP — it makes them an MSP that is focused on IT operations, not regulatory compliance. But it does mean you have a gap that you need to fill before your next SEC examination.

This is not your MSP's fault

Let's be clear about something: your MSP is not failing you on purpose. They are doing the job they were hired to do — keeping your technology running. Most small-business MSPs serve law firms, medical practices, accounting firms, and dozens of other industries. They apply the same security playbook to everyone because for most of their clients, the same playbook works.

The problem is that registered investment advisers are not like most clients. The SEC has specific cybersecurity expectations that go far beyond keeping antivirus current and the firewall configured. Your MSP has probably never read Regulation S-P. They have probably never read the SEC's cybersecurity risk alerts. They do not know what an examiner will ask because they have never been through an examination.

That is not a criticism. It is a reality. And it means you need something in addition to your MSP — not instead of them.

The June 3, 2026 deadline makes this urgent

The amended Regulation S-P compliance deadline is June 3, 2026. The amended rule requires written policies and procedures for an incident response program, including customer notification within 30 days of a breach. It requires that these policies be reasonably designed to detect, respond to, and recover from unauthorized access to customer information.

Ask your MSP if they have read Reg S-P. Ask them if they know what the amended rule requires. Ask them if they have built you an incident response program that meets the new standard. If they cannot answer these questions, you are less than two months from a compliance deadline with work that has not been done.

BlackSheep is the compliance layer your MSP doesn't have

BlackSheep is not a replacement for your MSP. Your MSP handles IT operations — patching, helpdesk, network management, endpoint protection. BlackSheep handles the compliance layer that sits on top: the written policies, the risk assessments, the incident response plan, the SEC exam documentation, and the ongoing monitoring that proves your firm takes cybersecurity seriously.

Think of it this way: your MSP makes sure your systems work. BlackSheep makes sure your firm can demonstrate to the SEC that those systems are configured, documented, and monitored in accordance with regulatory expectations.

At $249 per month, it costs less than a single hour of compliance consulting — and it runs continuously, not once a year when someone remembers to schedule an assessment.