Frequently asked questions

BlackSheep is cybersecurity compliance software for Registered Investment Advisors. It was built by a CISSP-certified practitioner who spent 20 years in financial services cybersecurity. It covers SEC Reg S-P, NYDFS 23 NYCRR 500, NIST CSF 2.0, DOL EBSA, FINRA, and SOC 2 in one dashboard with templates, guided workflows, and evidence tracking. The templates and framework mappings come from building compliance programs for 100+ RIA firms.

Our founder holds a CISSP and has been doing financial services cybersecurity for 20 years. He was a bank CISO and then Director of Cybersecurity at a top 25 CPA firm, where he built compliance programs for 100+ RIA firms. Every one of those firms that went through an SEC exam in 2025 passed clean. BlackSheep puts that experience into software.

SEC-registered RIAs that need to get their cybersecurity compliance in order. Solo advisors use it, and so do firms with a few hundred employees. If the SEC or NYDFS regulates you and you handle client data, this is built for you.

No. BlackSheep is designed so you can run your compliance program yourself -- or alongside a consultant. The platform tracks where you stand every day with live dashboards, evidence collection, incident tracking, and reporting. Many consultants use BlackSheep to manage their clients more efficiently. Starting at $249/mo. See how we compare to other options.

Most firms finish setup in an afternoon. The onboarding wizard walks you through picking your frameworks, importing your firm details, and generating your first policies. There is no multi-week implementation.

No. It is built for compliance officers and firm principals, not engineers. Everything uses plain language and guided steps. If you can use a web browser, you can use BlackSheep.

Take the free Cyber Readiness Assessment. About five minutes, and it scores you across the major compliance areas. You will see where the gaps are before you commit to anything.

Reg S-P is the SEC's rule requiring investment advisers and broker-dealers to protect customer information. The 2024 amendments added mandatory incident response programs, 30-day breach notification, 72-hour vendor alerts, and vendor oversight requirements. Read the full Reg S-P overview.

June 3, 2026for smaller RIAs (under $1.5 billion AUM). Larger entities had an earlier deadline of December 3, 2025. If you haven't started preparing, now is the time. Read more about the June 2026 deadline.

Everything the amended rule requires: written incident response program, breach notification tracking with 30-day timelines, vendor oversight with 72-hour alert contracts, policy templates, evidence collection, and five-year recordkeeping. See the full Reg S-P feature breakdown.

The SEC can cite you in an examination, issue a deficiency letter, or bring an enforcement action. Penalties range from fines to censure. More practically, being non-compliant when a breach happens makes everything worse. Learn what happens during a failed SEC exam.

Yes. Every SEC-registered adviser must comply, no matter how small. The SEC gave smaller firms extra time (until June 2026), but the requirements are the same. See the small RIA requirements breakdown.

It is a written set of procedures your firm follows when a data breach or cybersecurity event happens -- who does what, how you contain it, how you recover. The amended Reg S-P makes it mandatory. Without one, you're not compliant. Read our incident response plan guide or check the glossary for related terms.

NIST CSF 2.0 is a voluntary framework for managing cybersecurity risk. It breaks cybersecurity down into six core functions and gives you a shared vocabulary for talking about your security program with auditors, regulators, and vendors. See the full NIST CSF overview.

Not directly -- it is voluntary. But the SEC keeps referencing NIST CSF in their guidance and exam priorities, and aligning to it shows examiners your program follows recognized practices. That matters during SEC examinations.

The Protect function lines up with Reg S-P's Safeguards Rule. Detect and Respond map to the incident response requirements. Govern covers the oversight and policy side that Reg S-P also demands. BlackSheep shows you these mappings automatically. See our NIST CSF vs Reg S-P mapping.

Govern (strategy and oversight), Identify (assets and risks), Protect (safeguards), Detect (monitoring for events), Respond (acting on incidents), and Recover (restoring operations). Govern was added in the 2.0 update. Read about the new Govern function.

It gives you a structured way to build and describe your cybersecurity program that SEC examiners actually recognize. It maps well to Reg S-P and NYDFS 500, and it scales with your firm so you're not starting over when things change. See how BlackSheep handles NIST CSF for SEC exam prep.