Every examination we've sat through — SEC, FINRA, OCR, state regulators — opens the same way. There are variations in tone and sequence, but the first session almost always covers the same ground. Examiners are pattern-matching quickly, trying to determine how much scrutiny to apply to the rest of the review. The firms that answer these opening questions cleanly and confidently, with documentation in hand, see the examiner close that section and move on. The firms that can't answer them fluently spend the rest of the engagement in a defensive posture they never fully recover from.
None of these questions are trick questions. None require technical expertise to answer. They require preparation — which means having the right things built, documented, and accessible before the examiner calls.
This is the first question in nearly every technology-related regulatory review. The examiner isn't asking whether you have security controls — they're asking whether you've assessed your risks, documented your program, and kept it current.
For SEC/FINRA firms: Reg S-P requires a written information security program. The program should describe how you identify reasonably foreseeable risks, what safeguards you have in place, how you oversee service providers with access to customer information, and how you evaluate and adjust the program. A program last updated three years ago that predates your current technology environment will generate follow-up questions.
For HIPAA-covered entities: The Security Risk Analysis is a formal written assessment of the risks to ePHI in your environment. It's the foundation of your entire HIPAA compliance program. OCR has found, in virtually every enforcement action it has taken, that the Security Risk Analysis was either absent, outdated, or not actually used to drive remediation.
The right answer: Pull the document immediately, note when it was last updated, and confirm that the current technology environment is reflected in it. The examiner should be able to see that risks were identified, controls were assigned, and the document has been maintained.
Regulations requiring a security program also require someone to be accountable for it. Under HIPAA, this is the Security Officer and Privacy Officer — named individuals, not job titles that float. Under Reg S-P, the accountability sits with the firm, which typically means the CCO or a designated information security officer.
The examiner asking this question is checking for something specific: is there a human being whose job it is to care about this, or is security something that everyone is vaguely responsible for and therefore nobody owns? Vague ownership is the first indicator of a governance gap.
The right answer: A named individual, their title, and a brief description of how the security function is structured — including whether it's supported by external expertise (vCISO, vCCO) and how that relationship works.
Business continuity and disaster recovery are core requirements under every major regulatory framework. The examiner asking this question isn't looking for a backup software screenshot — they're looking for evidence that recovery has been tested, documented, and that leadership knows the firm's actual recovery posture.
Recovery Time Objective and Recovery Point Objective should be documented and known to leadership. "We have backups" is the beginning of an answer, not the end of one.
The right answer: A recent backup health report showing coverage of critical systems, backup job success rates, and storage health. Documentation of the last recovery test — date, scope, result, and how long recovery actually took.
Access control failures are among the most common findings in technology-related regulatory reviews, and the most consistently preventable. Former employees retaining access to systems after termination is a pattern that appears in enforcement actions across every regulated sector.
The examiner is asking about process, not just controls. Do you have a defined procedure? Is it documented? Does it include all relevant systems — not just Active Directory, but email, cloud applications, VPN, client portals, and any SaaS tools the employee used? Is it followed consistently or only when someone remembers?
The right answer: A documented offboarding checklist that covers all access vectors, evidence that access reviews are performed regularly to catch any gaps, and ideally an automated workflow that initiates the process the moment HR marks someone as terminated.
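An automated access review of the kind described above, as an added example that is not from the article: it reconciles a constructed HR termination export against constructed per-system account exports (directory, email, VPN, client portal, a billing SaaS), reports every account still enabled after the termination date, and lists systems where a terminated user does not appear at all, a prompt to confirm the checklist and the export actually cover that system. All data, system names and field names are constructed assumptions.

```python
"""Access review reconciliation: flag accounts still enabled for terminated staff.
Added example, not from the original article. The HR export and per-system
exports below are constructed stand-ins; real export formats are assumptions."""
from dataclasses import dataclass
from datetime import date

# Constructed HR export: user id -> termination date.
HR_TERMINATIONS = {
    "jdoe": date(2024, 1, 15),
    "asmith": date(2024, 3, 2),
}

# Constructed per-system exports: system -> {user id: account enabled?}.
# Not every user appears in every feed, which is itself worth checking.
SYSTEM_ACCOUNTS = {
    "active_directory": {"jdoe": False, "asmith": True, "bwong": True},
    "email": {"jdoe": True, "asmith": False, "bwong": True},
    "vpn": {"jdoe": False, "bwong": True},
    "client_portal": {"asmith": True, "bwong": True},
    "billing_saas": {"jdoe": True, "bwong": True},
}

AS_OF = date(2024, 4, 1)  # constructed date of this access review

@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    days_since_termination: int

def find_orphaned_access(terminations, accounts, as_of):
    """Accounts still enabled for users HR marked as terminated.
    Absent from a system: fine. Present but disabled: fine.
    Present and enabled after the termination date: a finding."""
    findings = [
        Finding(user, system, (as_of - terminations[user]).days)
        for system, users in accounts.items()
        for user, enabled in users.items()
        if enabled and user in terminations
    ]
    # Oldest lingering access first, then by system name for a stable report.
    return sorted(findings, key=lambda f: (-f.days_since_termination, f.system))

def coverage_gaps(terminations, accounts):
    """Systems with no record of a terminated user at all: confirm the export
    covers them rather than assuming access was never granted there."""
    return {u: sorted(s for s, users in accounts.items() if u not in users)
            for u in terminations}
```

Running this against the constructed data yields four findings (jdoe still enabled in email and billing_saas 77 days after termination, asmith in active_directory and client_portal 30 days after) and shows jdoe has no record in client_portal and asmith none in vpn or billing_saas.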
Most regulated firms have some version of an incident response plan. Fewer have a plan that's current, accessible, and has been exercised before it was needed. The gap between having a plan and having a usable plan is where firms discover the problem at the worst possible time.
A tabletop exercise — walking leadership through a simulated incident scenario to identify gaps in the response workflow — is the standard way to test an IRP without an actual incident. Examiners increasingly expect to see evidence of tabletop exercises, not just the existence of a document.
The right answer: A current IRP that covers detection, containment, notification, and recovery. Documentation of the last tabletop exercise — when it was held, who participated, what gaps were identified, and what was remediated afterward. Under Reg S-P's amended notification requirements, the plan should specifically address the 30-day customer notification clock.
Third-party risk management is a growing focus across every regulatory framework. Under HIPAA, Business Associate Agreements are required for every vendor that creates, receives, maintains, or transmits PHI on your behalf. Under Reg S-P, firms must oversee service providers with access to customer financial information. Under the ABA's guidance on cybersecurity, attorneys must take reasonable steps to ensure that vendors handling client information provide adequate protections.
The examiner asking this question is checking whether you know who has your data. Many firms don't. The scheduling software, the billing service, the transcription tool, the AI assistant an associate started using last quarter — each of these may be handling regulated data, and the question of whether appropriate agreements are in place is the question of whether your data governance program extends beyond your own walls.
The right answer: A vendor register that lists all service providers with access to regulated data, the data categories they handle, and the status of relevant agreements. This list should be maintained continuously, not reconstructed from memory when the examiner asks.
Firms that answer these questions confidently and immediately — pulling documents rather than searching for them, naming owners rather than pausing to think — signal that they've built a governance program, not assembled one for the exam.
Firms that take time to find documents, aren't sure who the named owner is, or say "our IT provider handles that" without knowing the details — signal the opposite.
The examination doesn't end after these six questions. But how they go sets the tone for everything that follows.
None of these questions require expensive technology or large teams to answer well. They require intention — building and maintaining a governance program that treats these questions as operational reality, not examination preparation. The firms that answer them cleanly don't prepare for audits. They operate in a way that makes preparation unnecessary.