What SEC and FINRA IT Requirements Affect Washington Financial Firms?

SEC and FINRA IT requirements for Washington financial firms include maintaining written cybersecurity policies, implementing access controls and encryption for client data, preserving electronic communications in WORM-compliant format, conducting regular risk assessments, and reporting cybersecurity incidents within defined timelines. These requirements have expanded significantly in recent years, and both regulators are actively examining small and mid-sized firms for compliance.

What Are the SEC’s Cybersecurity Requirements?

The SEC has steadily increased its focus on cybersecurity for registered investment advisers (RIAs) and broker-dealers. The key requirements that affect Washington financial firms include:

Regulation S-P (Safeguards Rule)

Regulation S-P requires every SEC-registered firm to adopt written policies and procedures that address the protection of customer information. The amended Safeguards Rule, with compliance deadlines phased in through 2025-2026, significantly expanded these requirements:

  • Written incident response program that includes procedures for detecting, responding to, and recovering from unauthorized access to customer information
  • Notification to affected individuals within 30 days of determining that a breach involving sensitive customer information has occurred or is reasonably likely to have occurred
  • Oversight of service providers to ensure they implement safeguards for customer information they handle on your behalf
  • Annual risk assessment evaluating the security of customer information across all systems and processes

Regulation S-ID (Identity Theft Red Flags)

Financial firms must implement a written identity theft prevention program that detects, prevents, and mitigates identity theft. From an IT perspective, this requires:

  • Monitoring for suspicious account activity through automated alerts
  • Authentication controls that verify customer identity before granting account access
  • Procedures for responding to detected red flags

SEC Examination Priorities

The SEC’s Division of Examinations has listed cybersecurity as a priority focus area every year since 2020. During examinations, SEC staff specifically evaluate:

  • Whether written cybersecurity policies exist and are reasonably designed
  • How firms manage access rights and controls
  • Data loss prevention practices
  • Vendor and third-party risk management
  • Incident response planning and testing
  • The firm’s governance and oversight of cybersecurity risks

Small RIAs in Washington are not exempt from examination. The SEC explicitly targets firms of all sizes, and smaller firms often receive the most critical findings because they lack dedicated compliance and IT security resources.

What Are FINRA’s IT and Cybersecurity Rules?

FINRA (Financial Industry Regulatory Authority) regulates broker-dealers and has its own set of cybersecurity expectations that complement SEC requirements:

FINRA Rule 3110 (Supervisory Systems)

Broker-dealers must establish and maintain a system to supervise activities, including electronic communications. This means your firm must be able to capture, review, and retain supervisory records of all business-related electronic communications — email, instant messaging, text messages, and collaboration platforms.

FINRA Rule 4370 (Business Continuity Plans)

Every member firm must create and maintain a written business continuity plan (BCP) that addresses how the firm will continue operations during a significant business disruption. IT-specific elements include:

  • Data backup and recovery procedures
  • Alternate communications with customers, employees, and regulators
  • Alternate physical or remote access to critical systems
  • Regulatory reporting continuity

FINRA’s Cybersecurity Examination Checklist

FINRA publishes and regularly updates a cybersecurity examination checklist that its examiners use during reviews. Key areas include:

  • Governance and risk management — Does the firm have a cybersecurity program with designated responsibilities?
  • Technical controls — Endpoint protection, encryption, network segmentation, and patch management
  • Access management — Multi-factor authentication, least privilege access, and prompt access revocation
  • Incident response — Written plans, testing, and regulatory notification procedures
  • Vendor management — Due diligence on technology providers and ongoing monitoring
  • Training — Regular cybersecurity awareness training for all staff

What Electronic Recordkeeping Rules Apply?

SEC Rule 17a-4 and FINRA Rules 3110 and 4511 impose strict electronic recordkeeping requirements:

  • WORM or audit-trail compliance. Since the 2022 SEC amendments to Rule 17a-4, firms can store records in traditional Write Once, Read Many (WORM) format or use an audit-trail alternative that preserves records and permits recreation of originals if modified or deleted. Either approach must ensure records cannot be improperly altered during the retention period.
  • Retention periods. Business communications must be retained for at least three years (six years for some record types). Trade-related records have their own specific retention requirements.
  • Accessibility. Archived records must be promptly retrievable during regulatory examinations.
  • Electronic communications capture. All business-related electronic communications — including personal devices used for business purposes — must be captured and archived.

The personal device issue is particularly relevant for small Washington financial firms. If advisers or brokers use personal cell phones for client text messages, those communications must be captured and retained. Firms that cannot demonstrate complete communication capture face significant examination findings.
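To make the Rule 17a-4 audit-trail alternative concrete, here is an added illustration (not code from the original article, not a certified recordkeeping product): a minimal append-only record store in which every modification or deletion creates a new version, the original can always be recreated, and a SHA-256 hash chain makes any after-the-fact alteration of stored versions detectable. Record contents and actor names are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditTrailStore:
    """Hypothetical audit-trail store: versions are only ever appended,
    each chained to the previous one by SHA-256, so originals can be
    recreated after a modify/delete and tampering is detectable."""

    def __init__(self):
        self.versions = []  # append-only list of version entries

    def _append(self, record_id, action, content, actor):
        prev = self.versions[-1]["hash"] if self.versions else "0" * 64
        entry = {
            "record_id": record_id, "action": action, "content": content,
            "actor": actor, "ts": datetime.now(timezone.utc).isoformat(),
            "prev": prev,
        }
        # hash covers every field except the hash itself
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.versions.append(entry)
        return entry["hash"]

    def create(self, record_id, content, actor):
        return self._append(record_id, "create", content, actor)

    def modify(self, record_id, content, actor):
        return self._append(record_id, "modify", content, actor)

    def delete(self, record_id, actor):
        # a delete is just another version; earlier content stays retrievable
        return self._append(record_id, "delete", None, actor)

    def original(self, record_id):
        # recreate the original record, as the audit-trail alternative requires
        for v in self.versions:
            if v["record_id"] == record_id and v["action"] == "create":
                return v["content"]
        return None

    def history(self, record_id):
        return [v for v in self.versions if v["record_id"] == record_id]

    def verify(self):
        # walk the chain; any edited or reordered version breaks it
        prev = "0" * 64
        for v in self.versions:
            body = {k: val for k, val in v.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if v["prev"] != prev or digest != v["hash"]:
                return False
            prev = v["hash"]
        return True
```

A production archive would additionally persist the chain to immutable storage and anchor periodic checkpoints outside the firm's own control; this block only shows the versioning and integrity logic.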

How Do Washington State Laws Add to Federal Requirements?

Washington state’s data breach notification law (RCW 19.255.010) requires notification within 30 days of discovering a breach affecting Washington residents — aligning with the SEC’s amended Regulation S-P timeline but potentially creating dual notification obligations. Financial firms must ensure their incident response plans address both federal and state notification requirements.

Additionally, the Washington Department of Financial Institutions (DFI) may conduct its own examinations of state-regulated financial entities, adding another layer of oversight beyond SEC and FINRA.

How Should Small Financial Firms Prepare for Examinations?

Examination readiness is an ongoing discipline, not a scramble before a scheduled review. The most effective approach includes:

  1. Maintain current written policies. Cybersecurity, incident response, BCP, vendor management, and data protection policies must be documented, board-approved, and reviewed annually.
  2. Conduct annual risk assessments. Document identified risks, remediation plans, and the status of each remediation effort.
  3. Test your incident response plan. Tabletop exercises at least annually, with documented results and lessons learned.
  4. Verify recordkeeping compliance. Ensure all required communications are captured, archived in the correct format, and retrievable within a reasonable timeframe.
  5. Review vendor agreements. Confirm that technology vendors handling client data meet your security requirements and that due diligence is documented.
  6. Prepare an evidence package. Maintain an organized, readily accessible set of documentation that demonstrates your compliance posture — similar to what a SOC 2 audit preparation process produces.

For firms without dedicated IT security and compliance staff, partnering with a compliance-focused managed IT provider ensures that technical controls are maintained, evidence is collected continuously, and examination readiness is a byproduct of daily operations rather than a periodic fire drill.

ROI Technology Inc. provides compliance-aligned IT management for financial firms across Western Washington. Contact us to assess your examination readiness.