We Scored 8,802 RIAs on Cybersecurity. Here's How Your Firm Compares.
BlackSheep scanned every SEC-registered investment advisory firm with a public website — 8,802 firms — across six security categories. The average score was 57 out of 100. Only 3% earned an A. If you manage client assets, you should know where you stand.
The short version
We analyzed the publicly visible cybersecurity posture of 8,802 SEC-registered RIAs. No hacking, no penetration testing — just the controls that anyone on the internet can observe about your firm. The same things an SEC examiner, a prospective client, or an attacker would see.
The results are not good.
- Average score: 57/100 — a low C+, barely above the midpoint
- Only 3% of firms earned an A (80 or above)
- 51% scored C or below
- 98.9% have at least one high-severity gap
- 83% have no DMARC — meaning anyone can send emails pretending to be your firm
The full analysis is in our State of RIA Cybersecurity 2026 report. This post breaks down what the data means for your firm specifically.
How we scored 8,802 firms
We scanned every SEC-registered RIA with a public website across six categories:
- SSL/TLS Security — certificate validity, protocol versions, encryption strength
- Email Authentication — SPF, DMARC, and DKIM controls that prevent domain spoofing
- HTTP Security Headers — HSTS, Content-Security-Policy, clickjacking protections
- Server Configuration — exposed version information, open CORS policies, admin path leaks
- Data Protection — privacy policies, cookie handling, HTTPS enforcement
- Client Portal Security — login page protections for firms with detectable portals
Each firm received a composite score from 0 to 100 and a letter grade. Everything was collected from publicly accessible infrastructure — the same surface area visible to your clients, your competitors, and SEC examiners.
Grade distribution: where the industry lands
Here is how the 8,802 firms break down by grade:
| Grade | Score Range | Firms | Percentage |
|---|---|---|---|
| A | 80 - 100 | 263 | 3.0% |
| B | 60 - 79 | 4,031 | 45.8% |
| C | 40 - 59 | 3,863 | 43.9% |
| D | 20 - 39 | 249 | 2.8% |
| F | 0 - 19 | 396 | 4.5% |
The bulge is in the middle. Nearly 90% of firms cluster between B and C, with the average sitting at 57 — technically a C+, but one bad category away from a D. If your firm scores above 70, you are already in the top quarter. If you score above 80, you are in the top 3%.
The bottom is more populated than the top: 7.3% of firms scored D or F (645 firms), compared to just 3% earning an A (263 firms). There are more than twice as many firms failing outright as there are firms doing well.
Category breakdown: where firms are failing
The aggregate score hides the specific gaps. Here is what we found in each category.
Email authentication: the biggest gap
This is the single most concerning finding in the dataset. 83% of RIAs have no DMARC record on their confirmed email domain. That number is based on the 6,195 firms where we verified that the email platform runs on the domain being measured.
No DMARC means anyone on the internet can send emails that appear to come from your firm's domain. For firms that custody client assets or send wire instructions via email, this is not a theoretical risk — it is the exact attack vector used in business email compromise schemes that cost the financial industry billions annually.
- 83.0% — no DMARC record at all
- 54.8% — no SPF record
- Only 5% have DMARC set to "reject," the only policy that tells receiving mail servers to refuse spoofed messages outright ("quarantine" merely routes them to spam)
- 91.4% either have no DMARC or have it set to "none," which reports on spoofing but never blocks it
The irony: 75.8% of RIAs use Microsoft 365, which supports DMARC, SPF, and DKIM natively. Publishing the records takes minutes; the only real work is listing every third-party service that sends mail as your domain (CRM, newsletter tool, custodian notifications) so that moving to "reject" does not block your own messages. Firms are simply not doing it.
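To make the buckets above concrete, here is a small checker that classifies a domain's SPF and DMARC posture the way these percentages are reported. It is an example added for this post, not BlackSheep's scanner. The DNS answers are a constructed in-memory table for made-up `.example` domains, and `lookup_txt` is a stand-in you would replace with a real TXT query. DKIM is left out on purpose: an outside party cannot check it without knowing the selector.

```python
import re

# Constructed DNS TXT answers for made-up domains (not real data). A scanner
# queries the bare domain for SPF and "_dmarc.<domain>" for DMARC.
SAMPLE_TXT = {
    "good-ria.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.good-ria.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@good-ria.example; adkim=s; aspf=s"
    ],
    "monitor-only.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.monitor-only.example": [
        "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"
    ],
    "half-way.example": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.half-way.example": ["v=DMARC1; p=quarantine; pct=25"],
    "nothing.example": ["google-site-verification=abc123"],
}


def lookup_txt(name, table=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; swap in a real resolver for live use."""
    return table.get(name, [])


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_status(domain, table=SAMPLE_TXT):
    """Return missing, multiple, hardfail, softfail, neutral, pass_all or no_all."""
    records = [r for r in lookup_txt(domain, table) if r.lower().startswith("v=spf1")]
    if not records:
        return "missing"
    if len(records) > 1:
        return "multiple"  # RFC 7208: two SPF records is a permerror, i.e. no protection
    for term in records[0].split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return {"-": "hardfail", "~": "softfail", "?": "neutral",
                    "+": "pass_all", "": "pass_all"}[match.group(1)]
    return "no_all"  # no 'all' mechanism: unlisted senders get a neutral result


def dmarc_status(domain, table=SAMPLE_TXT):
    """Return (policy, tags); policy is missing, none, quarantine or reject."""
    records = [r for r in lookup_txt("_dmarc." + domain, table)
               if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:  # zero records or several: receivers apply nothing
        return "missing", {}
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing", tags  # 'p' is mandatory; without it the record is ignored
    return policy, tags


def assess(domain, table=SAMPLE_TXT):
    """Bucket a domain the way the report does and list what to fix."""
    spf = spf_status(domain, table)
    policy, tags = dmarc_status(domain, table)
    pct = tags.get("pct", "100")  # DMARC default when the tag is absent
    findings = []
    if spf == "missing":
        findings.append(("high", "no SPF record"))
    elif spf not in ("hardfail", "softfail"):
        findings.append(("high", f"SPF does not fail unauthorized senders ({spf})"))
    if policy == "missing":
        findings.append(("high", "no DMARC record"))
    elif policy == "none":
        findings.append(("high", "DMARC p=none reports on spoofing but blocks nothing"))
    elif policy == "quarantine":
        findings.append(("medium", "DMARC p=quarantine sends spoofs to spam instead of rejecting them"))
    if policy != "missing" and pct != "100":
        findings.append(("medium", f"pct={pct}: policy applied to only part of the traffic"))
    if policy != "missing" and "rua" not in tags:
        findings.append(("low", "no rua address, so you never see aggregate reports"))
    return {
        "domain": domain,
        "spf": spf,
        "dmarc": policy,
        "blocks_spoofing": policy == "reject" and pct == "100",
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("good-ria.example", "monitor-only.example",
                 "half-way.example", "nothing.example"):
        result = assess(name)
        print(f"{name}: SPF={result['spf']} DMARC={result['dmarc']} "
              f"blocks_spoofing={result['blocks_spoofing']}")
        for severity, text in result["findings"]:
            print(f"  [{severity}] {text}")
```

Only `good-ria.example` comes back with `blocks_spoofing` true; `monitor-only.example` lands in the 91.4% bucket even though it has a DMARC record, which is the point of that statistic.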
HTTP security headers: missing basic protections
- 73.6% — no Content-Security-Policy header (no browser-side backstop if a cross-site scripting bug slips into the site or a third-party script)
- 56.9% — no X-Frame-Options header (the site can be framed by another page, which is the basis of clickjacking)
- 48.4% — no HSTS (a visitor who types the bare domain or follows an http:// link can be intercepted before the redirect to HTTPS)
If your firm has a client portal — and 42.8% of the firms we scanned do — these missing headers are especially dangerous. 63.1% of detectable client portals have no HSTS. 81.8% have no Content-Security-Policy. These are the pages where your clients enter their credentials.
SSL/TLS: mostly okay, with exceptions
- 14.1% — no HTTP-to-HTTPS redirect (traffic can be intercepted)
- 2.5% — expired TLS certificates (browsers show a full-page warning to visitors)
TLS is the one area where the industry is doing reasonably well — likely because browsers now flag unencrypted sites as "Not secure," and most hosting providers issue and renew certificates automatically.
Server exposure and configuration
- 27.0% — robots.txt exposes admin paths (tells attackers exactly where to look)
- 7.6% — open CORS policy (a policy that reflects any origin, especially with credentials allowed, lets a malicious page read responses meant for a logged-in user)
- 6.8% — server version exposed (an attacker can match your exact software version against published vulnerabilities)
Data protection
- 46.3% — no visible privacy policy
Nearly half of RIA websites have no detectable privacy policy. For firms subject to Regulation S-P, which requires privacy notices to clients, this is a compliance gap beyond just cybersecurity.
Does firm size matter? Security by AUM tier
The assumption is that larger firms have bigger IT budgets and better security. The data does not support that.
| AUM Tier | Firms | Avg Score | No DMARC | Has Critical |
|---|---|---|---|---|
| $10B+ | 627 | 61.8 | 84.2% | 85.2% |
| $1B - $10B | 2,234 | 58.1 | 83.3% | 85.4% |
| $500M - $1B | 1,349 | 57.1 | 85.0% | 87.0% |
| $100M - $500M | 3,937 | 55.9 | 87.6% | 89.4% |
| Under $100M | 655 | 55.6 | 82.4% | 85.2% |
The $10B+ tier averages 61.8 — a low B. That is only 6 points above firms managing under $100M. And on the metric that matters most — DMARC adoption — the largest firms are actually worse than the smallest. 84.2% of $10B+ firms have no DMARC, compared to 82.4% of firms under $100M.
The likely explanation: large firms have more complex DNS configurations, more domains, and more bureaucracy around changes. Small firms that decide to fix DMARC can do it in an afternoon. A $50B RIA with 12 domains and a change management process might take months.
The takeaway for your firm: AUM does not predict cybersecurity readiness. Firms of every size are failing on the basics.
Geographic breakdown: nobody is winning
Scores are remarkably consistent across states. The spread between the highest-scoring state (Illinois, 57.6) and the lowest among major states (Colorado, 55.1) is 2.5 points on a 100-point scale, too small to mean anything.
| State | Firms | Avg Score |
|---|---|---|
| New York | 1,550 | 56.9 |
| California | 1,120 | 56.6 |
| Texas | 663 | 56.4 |
| Florida | 603 | 56.7 |
| Illinois | 387 | 57.6 |
| Massachusetts | 357 | 56.8 |
| Pennsylvania | 331 | 56.0 |
| Connecticut | 292 | 57.2 |
| Ohio | 235 | 55.9 |
| Colorado | 215 | 55.1 |
This is an industry-wide problem, not a regional one. Whether your firm is in Manhattan or Denver, the gaps are the same.
What a good score looks like
The 263 firms that earned an A share common traits:
- DMARC set to "reject" — spoofed emails from their domain are blocked, not just monitored
- Full email authentication triad — SPF, DKIM, and DMARC all configured and aligned
- HSTS enabled — returning browsers refuse to load the site over HTTP, so a network attacker cannot downgrade the connection (the very first visit is still unprotected unless the domain is on the browser preload list)
- Content-Security-Policy header — cross-site scripting attacks are mitigated
- No exposed server versions — attackers cannot fingerprint their software stack
- Clean configuration — no leaked admin paths, no open CORS, no expired certificates
None of these are expensive. None require enterprise security teams. They require awareness, about a day of work for a competent IT provider, and a few weeks of watching DMARC aggregate reports before switching the policy to "reject."
What a bad score looks like
The 645 firms scoring D or F (7.3% of the industry) typically have cascading failures:
- No email authentication at all — no SPF, no DMARC, no DKIM
- No HTTPS redirect — some pages load over unencrypted HTTP
- Expired or misconfigured SSL certificates
- Exposed server version strings and admin paths
- No security headers of any kind
- No visible privacy policy
These firms are not just vulnerable to sophisticated attacks. They are vulnerable to automated scanners that any script kiddie can run. And they are the firms most likely to receive SEC deficiency letters under Regulation S-P — because the gaps are visible from outside the firm.
What SEC examiners are looking for
The SEC's 2026 Examination Priorities explicitly cite cybersecurity controls for investment advisers. Examiners are trained to look for:
- Written information security policies
- Annual risk assessments covering all systems with client data
- Tested incident response plans
- Third-party vendor oversight
- Access controls with documented permission reviews
- Email authentication controls to prevent client-facing fraud
Our scan measures the externally visible pieces — primarily email authentication and the general security posture that reflects whether a firm takes this seriously. Firms that fail on the controls anyone can see from the outside rarely have robust internal programs.
When examiners find gaps, the process is: deficiency letter citing Rule 206(4)-9, 90-day remediation deadline, follow-up examination, then referral to Enforcement if gaps persist. The firms scoring D or F in our dataset — 645 of them — are at highest risk. But even the 3,863 C-grade firms have gaps that examiners are trained to identify.
Check your own score
We built a free scanner that runs the same analysis we used on all 8,802 firms. Enter your domain, get your score in under 60 seconds. No email required. No sales pitch.
You will see your composite score, your grade, and exactly which controls are missing. If you are above 80, you are in the top 3%. If you are below 57, you are below the industry average — and you now know that the industry average is not a bar worth meeting.
How to fix your score
Most firms can move from a C to a B in under a day. The highest-impact actions, in order:
- Deploy DMARC and move it to a "reject" policy. This is the single biggest improvement, and the one control an examiner or client can verify with a single DNS lookup. Publishing the record takes minutes; start at "p=none" with an rua reporting address, confirm from the reports that all your legitimate senders pass, then step up to "quarantine" and finally "reject." Skipping the monitoring step is how firms block their own mail.
- Add SPF and DKIM. Together with DMARC, these form the email authentication triad, and DMARC can only pass mail when SPF or DKIM passes and aligns with your From domain, so both must be in place before "reject." If you are on Microsoft 365 (75.8% of RIAs are), Microsoft has step-by-step guides.
- Enable HSTS. One response header, sent over HTTPS, that tells returning browsers to use HTTPS only. Keep the HTTP-to-HTTPS redirect as well, because HSTS does nothing for a browser's first visit. Critical if you have a client portal.
- Add Content-Security-Policy. Limits where scripts can load from, which blunts cross-site scripting attacks. Your web host or CDN likely supports this with a configuration toggle; roll it out as Content-Security-Policy-Report-Only first, since a strict policy will break any inline scripts the site relies on.
- Remove server version headers. Strip version numbers from Server and X-Powered-By so you stop telling attackers exactly what software you run.
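The header fixes in the last three steps can be verified with a few lines of code. The audit below is an example added for this post, not part of BlackSheep's product. The two header sets are constructed: `WEAK` stands for what a default web host typically sends, `HARDENED` for the same site after remediation. The one-year HSTS `max-age` threshold is an assumption of this example (it matches the minimum the browser preload list requires). For a live check, pass in the headers from the https:// URL; the HTTP-to-HTTPS redirect has to be tested separately with a request to the http:// URL.

```python
import re

# Assumption: treat anything under one year as too short (the preload list's minimum).
ONE_YEAR = 31536000

# Constructed header sets: a typical default host before the fixes, and after.
WEAK = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}

HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html; charset=utf-8",
}


def header(headers, name):
    """Case-insensitive lookup, since servers vary header capitalisation."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_directives(csp):
    """Parse 'directive src src; directive ...' into {directive: [sources]}."""
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers):
    """Return (severity, message) findings for the headers of an HTTPS response.

    Browsers only honour HSTS on HTTPS responses, so feed this the https:// URL's
    headers and check the http:// redirect separately.
    """
    findings = []

    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("high", "no Strict-Transport-Security header"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age={max_age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains"))

    csp = header(headers, "Content-Security-Policy")
    directives = csp_directives(csp) if csp else {}
    if csp is None:
        findings.append(("high", "no Content-Security-Policy header"))
    else:
        # script-src falls back to default-src; neither means scripts are unrestricted.
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append(("medium", "CSP has neither script-src nor default-src, so scripts are unrestricted"))
        elif "'unsafe-inline'" in script_src and not any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        ):
            # A nonce or hash makes browsers ignore 'unsafe-inline'; without one it is wide open.
            findings.append(("medium", "CSP allows 'unsafe-inline' scripts without a nonce or hash"))

    # Clickjacking: either X-Frame-Options or CSP frame-ancestors will do.
    xfo = (header(headers, "X-Frame-Options") or "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append(("medium", "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))

    # Version numbers in banner headers are what the report calls "server version exposed".
    for name in ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator"):
        value = header(headers, name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("low", f"{name} exposes a version string: {value}"))

    return findings


if __name__ == "__main__":
    for label, hdrs in (("before", WEAK), ("after", HARDENED)):
        results = audit_headers(hdrs)
        print(f"{label}: {len(results)} finding(s)")
        for severity, text in results:
            print(f"  [{severity}] {text}")
```

Run against `WEAK` it reports the missing HSTS and CSP, the missing clickjacking protection and both version banners; `HARDENED` comes back clean. The CSP check is deliberately shallow: it catches a policy that does not restrict scripts at all, or one that allows inline scripts without a nonce or hash, but it does not judge whether the allow-list itself is sensible.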
How BlackSheep helps
BlackSheep's RIA cybersecurity platform is built for exactly this situation. For $249/month, you get:
- Continuous monitoring — your score is tracked in real time, not once a year
- Guided remediation — step-by-step instructions to fix every gap, prioritized by impact
- SEC-ready documentation — written policies, risk assessments, and incident response plans that map to Rule 206(4)-9
- Audit trail — timestamped evidence that you identified, prioritized, and remediated each finding
You can start with the free scan to see where you stand. If you want help fixing what it finds, that is what BlackSheep does.
The average RIA scores 57/100. Find out where your firm stands.
Run your free cybersecurity scan