SEC Cybersecurity Exam Checklist: What Examiners Actually Ask For
The SEC Division of Examinations (formerly OCIE) has made cybersecurity a priority examination topic every year since 2014. Here is what examiners actually request, what trips firms up, and a concrete checklist to prepare.
How SEC cybersecurity exams work
The SEC Division of Examinations selects firms for cybersecurity review through several channels: risk-based targeting, sweep exams focused on specific topics, and routine examinations that include a cyber component. You will typically receive a document request list (DRL) before the on-site or remote examination begins. The cybersecurity portion may be standalone or part of a broader compliance exam.
Exam staff use your own policies as the benchmark. If your Written Information Security Program (WISP) says you do something, they will ask for proof that you actually do it. Most deficiencies come from exactly that gap: the policy says one thing, the firm cannot show it happened.
What examiners reference
Exam staff pull from a few published sources when deciding what to look at:
- OCIE Risk Alert (August 2017) on "Observations from Cybersecurity Examinations" identified governance, access controls, data loss prevention, vendor management, training, and incident response as core focus areas.
- OCIE Risk Alert (January 2020) on "Cybersecurity: Safeguarding Client Accounts against Credential Compromise" focused on multi-factor authentication, password policies, and unauthorized account access.
- Reg S-P (17 CFR 248.30) as amended in 2024, requiring written policies, incident response plans, vendor oversight, and the 72-hour notification rule for service providers.
- SEC 2025 Examination Priorities listing cybersecurity and information security as a focus for investment advisers and broker-dealers.
The document request checklist
Below is a numbered checklist based on actual SEC document request lists and published risk alerts. Not every exam will ask for everything, but you should be able to produce all of these within 48 hours of receiving a DRL.
SEC Cybersecurity Exam Checklist
1. Written Information Security Program (WISP). Your current, board-approved cybersecurity policy covering data classification, access controls, encryption, and acceptable use.
2. Incident Response Plan (IRP). A documented plan with roles, escalation procedures, notification timelines (including the Reg S-P 30-day client notification and 72-hour vendor notification), and recovery steps.
3. Evidence of annual risk assessment. A dated risk assessment with identified threats, vulnerabilities, likelihood, impact, and the mitigation actions taken.
4. Vendor/third-party inventory. A list of all service providers with access to customer information, including due diligence documentation and contract provisions for data protection.
5. Access control documentation. Evidence of role-based access, the principle of least privilege, and periodic access reviews (who has access to what, and when it was last reviewed).
6. MFA implementation records. Proof that multi-factor authentication is enabled for remote access, email, custodian portals, and any system containing customer PII.
7. Employee training records. Dated training logs showing that all employees completed cybersecurity awareness training, including phishing simulation results if conducted.
8. Incident log. A record of all cybersecurity incidents (including near-misses) for the past 3 years, with investigation notes and remediation actions.
9. Business continuity / disaster recovery plan. A documented BCDR plan with recovery time objectives, tested backup procedures, and results of any tabletop exercises.
10. Penetration testing or vulnerability scan results. Reports from any external penetration tests or vulnerability assessments conducted in the past 12-24 months.
11. Network diagram. A current diagram of your technology infrastructure showing data flows, segmentation, firewalls, and cloud services.
12. Encryption documentation. Evidence that customer data is encrypted in transit (TLS) and at rest, including key management practices.
13. Change management records. Logs showing how software updates, patches, and configuration changes are approved and tracked.
14. Board or senior management reporting. Minutes or reports showing that cybersecurity was discussed at the governance level, including any decisions or resource allocations.
15. Cyber insurance policy. Current policy details including coverage limits, exclusions, and whether the insurer has reviewed your security posture.
Common deficiency findings
Based on published SEC risk alerts and enforcement actions, these are the most frequent problems examiners identify:
- Policies that exist but are not followed. The WISP says annual risk assessments happen. There is no dated risk assessment on file. This is the most common issue by far.
- No evidence of employee training. Telling staff about phishing in a team meeting does not count. Examiners want dated logs with employee signatures or electronic acknowledgments.
- Incomplete vendor oversight. Firms list a few vendors but miss others with access to client data. No due diligence questionnaires on file. Contracts lack required data protection provisions.
- MFA not universally applied. MFA is enabled for the custodian portal but not for email or remote desktop. Examiners check all access points, not just the obvious ones.
- Stale incident response plans. Plans written three years ago that reference departed employees, outdated phone numbers, or technology the firm no longer uses.
- No patch management process. Systems running outdated software with known vulnerabilities and no documented patching schedule.
How to prepare before the exam letter arrives
Do not wait for the DRL. Here is how to get ahead of it:
- Run a self-assessment. Walk through the checklist above and see how many items you can produce right now. Flag gaps.
- Date everything. Examiners care about dates. Undated policies, undated risk assessments, and undated training records create problems even if the content is solid.
- Test your incident response plan. Run a tabletop exercise at least once per year. Document who participated, what scenario was tested, and what improvements were identified.
- Review vendor contracts. Ensure each vendor with access to customer data has contractual provisions for notification timelines, data handling, and security standards. The Reg S-P amendments require this explicitly.
- Centralize your evidence. If your documents are scattered across email, shared drives, and filing cabinets, pulling them together under a deadline is miserable. One system of record saves you a lot of pain.
During the exam
When examiners are actively reviewing your firm:
- Respond to document requests promptly and completely. Partial responses or delays raise flags.
- Designate one person as the exam coordinator. All requests and responses should flow through them.
- Do not volunteer information beyond what is asked. Answer questions directly and provide requested documents.
- Keep a log of every document produced and every conversation with exam staff.
- If you discover a gap during the exam, begin remediation immediately. Examiners view active remediation more favorably than denial.
After the exam
You will get one of three outcomes: a clean letter (no findings), a deficiency letter listing issues to fix, or, in rare cases, a referral to the Division of Enforcement. If you get a deficiency letter, respond within the requested timeframe with a concrete remediation plan and evidence that you actually did the work. Expect a follow-up.
If you want a platform that keeps your exam evidence organized and up to date at all times, see how BlackSheep works.