Cybersecurity Requirements for Small RIAs: What Actually Applies to You
Running a five-person RIA does not exempt you from cybersecurity compliance. But nobody expects you to run the same program as a 500-person firm. Here is what actually applies to you and how to build something workable without blowing your budget.
The SEC does not have a "small firm" exemption
This catches people off guard more than anything else. Reg S-P (17 CFR 248.30) applies to every SEC-registered investment adviser regardless of size. The 2024 amendments apply the same way to a $50 million AUM firm with three employees and a $50 billion firm with 500. The SEC uses a "reasonably designed" standard, which means the specific measures should be proportional to your firm, but the obligation to have written policies, an incident response plan, and vendor oversight is not optional.
Under Rule 206(4)-7 of the Advisers Act, every registered adviser must adopt and implement written compliance policies and procedures reasonably designed to prevent violations. This has been interpreted to include cybersecurity policies since at least 2015.
NYDFS exemptions for small businesses
Unlike the SEC, the NYDFS does provide limited exemptions for smaller entities under 23 NYCRR 500.19. You may qualify for a partial exemption if your firm:
- Has fewer than 20 employees and independent contractors
- Generated less than $5 million in gross annual revenue in each of the last three fiscal years
- Has less than $10 million in year-end total assets
If you meet these thresholds, you are exempt from some requirements including: CISO designation (500.4), penetration testing and vulnerability assessments (500.5), audit trail requirements (500.6), specific application security provisions (500.8), and some of the detailed cybersecurity program requirements in 500.2.
However, even with the limited exemption, you still must comply with: written cybersecurity policies (500.3), access controls and identity management (500.7), risk assessments (500.9), third-party service provider security (500.11), incident notification (500.17), and encryption requirements (500.15).
What every small RIA must have
Regardless of which regulator oversees you or whether you qualify for exemptions, this is the floor:
Minimum viable compliance program
1. Written Information Security Program (WISP). Written policies covering data protection, access controls, incident response, vendor management, and training. Must be reviewed at least annually.
2. Incident Response Plan. A documented plan with roles, escalation steps, notification timelines (30 days for clients under Reg S-P, 72 hours for NYDFS), and recovery procedures.
3. Annual risk assessment. A dated document identifying threats, vulnerabilities, and how you mitigate them. Does not need to be elaborate for a small firm.
4. Vendor inventory and due diligence. A list of all service providers with access to customer data, with evidence that you assessed their security practices.
5. Employee training records. Documented annual cybersecurity training for all staff, with completion dates and acknowledgments.
6. MFA everywhere. Multi-factor authentication on email, custodian portals, CRM, cloud storage, and any remote access. This is the single highest-impact security measure.
7. Encryption. TLS 1.2+ for data in transit. Encryption at rest for customer PII in databases and file storage.
What you can realistically skip (or defer)
If you are a small firm with limited budget and staff, here are areas where you can take a proportional approach:
- Formal penetration testing. If you qualify for the NYDFS limited exemption, you are not required to conduct annual pen tests. The SEC does not mandate them either. However, running a vulnerability scan (which is much cheaper and can be automated) still makes sense.
- Dedicated CISO. Small firms covered by the NYDFS exemption do not need a designated CISO. For SEC-only firms, there is no CISO requirement. Your CCO can own the cybersecurity program.
- SOC 2 certification. No regulator requires your firm to be SOC 2 certified. It is a nice-to-have for larger firms or those marketing to institutional clients, but it is expensive and time-consuming for a 5-person RIA.
- Enterprise-grade SIEM tools. You do not need a six-figure security information and event management platform. Basic logging through your cloud provider (Microsoft 365 audit logs, Google Workspace logs) combined with regular review is proportional for a small firm.
What you cannot skip regardless of size
- Written cybersecurity policies (WISP)
- Incident response plan
- Vendor due diligence for service providers handling customer data
- Annual employee cybersecurity training
- Annual policy review and risk assessment
- Multi-factor authentication
- Breach notification procedures
These apply under both SEC and NYDFS rules regardless of how small you are.
What it costs for a small firm
| Item | Typical cost |
| --- | --- |
| Compliance platform (policies + tracking + evidence) | $200 - $500/mo |
| Annual cybersecurity training (per employee) | $25 - $100 |
| Automated vulnerability scanning | $0 - $200/mo |
| Cyber insurance (small RIA) | $2,000 - $5,000/yr |
| Realistic annual total | $5,000 - $15,000 |
Compare that to paying a consultant to build the program ($15,000 to $50,000 up front) or dealing with an enforcement action ($100,000+). Ten grand a year looks reasonable next to those numbers.
The "reasonably designed" standard works in your favor
The SEC does not expect a 5-person RIA to have the same security infrastructure as Goldman Sachs. The "reasonably designed" standard in Reg S-P means your controls should be proportional to the nature and scope of your activities, the sensitivity of customer information you handle, and the size and complexity of your firm.
What examiners actually care about is that you thought about it, wrote it down, and did what you said you would do. A small firm with a solid 25-page WISP, documented training, MFA everywhere, and a tested incident response plan is in better shape than a big firm sitting on a 100-page policy nobody reads.
If you want to build that program without hiring a consultant, BlackSheep starts at $249/month and is designed specifically for small to mid-size RIAs.