RIAs commonly ask us for an "RIA cybersecurity policy template." Since wealth management firms vary so widely, we've found that it's challenging to create a one-size-fits-all template.
Instead, we offer this Cybersecurity Policy Checklist for RIAs. This is designed to help you figure out what kinds of questions you need to answer in order to have an Information Security policy that both keeps you safe and would satisfy an auditor from the SEC.
Please note that some firms break some of the following cybersecurity policies into separate documents, and some prefer to keep them in a single document. Feel free to adjust the format based on what makes the most sense for your firm.
For personalized support and expert advice, reach out and schedule a consultation. We're here to help.
We typically open the RIA cybersecurity policy with an overview of the firm, the scope of the policy, the applicable regulations (which your lawyer can help you determine), and the sanctions for employees that don't follow the policy.
1.1 Purpose and Scope
What specific business activities and assets does this policy cover?
Which specific regulatory requirements must the policy address (e.g., SEC, FINRA, NYDFS, other state laws)?
Who is subject to this policy (employees, contractors, vendors, etc.)?
1.2 Policy Management and Enforcement
Who has ultimate responsibility for the policy (typically CEO, CFO, COO)? And is the day-to-day work delegated to anyone (typically CCO, IT Director, etc.)? This should be an employee.
How often must the policy be reviewed and updated?
What is the process for communicating policy updates?
1.3 Regulatory Framework
Which specific SEC regulations does this policy address?
What state privacy laws apply to the firm's operations?
How does the policy ensure FINRA compliance?
Do any privacy regulations like GDPR or CCPA apply to your firm?
What documentation is required to demonstrate compliance?
PRO TIP: If you have clients in New York, NYDFS has one of the most stringent privacy laws in the country.
1.4 Enforcement and Disciplinary Actions
What constitutes a policy violation, and what are examples?
How are violations reported and investigated (e.g., named person, whistleblower, etc.)?
What is the escalation process for serious violations (typically ranging from warnings to termination)?
2. Data Classification and Handling
In this section of the RIA cybersecurity policy, we define what "crown jewels" the firm handles, where they are stored, and the rules for where sensitive data can and can't be stored.
2.1 Data Classification
What kinds of sensitive data does the firm have (e.g., account numbers, Social Security numbers, driver's license numbers, etc.)?
Where is sensitive data allowed to be stored?
Where is it NOT allowed to be stored?
Who is allowed to access it?
Is sensitive data tagged or flagged in any way and, if so, how?
2.2 Data Storage and Transmission
Where can different types of data be stored (sensitive and otherwise)?
Where should sensitive data NEVER be stored?
How can sensitive data be transmitted internally and to external parties? What security and encryption requirements exist?
2.3 Data Retention and Disposal
How long must different types of data be retained?
What are approved methods for data disposal, and specifically destruction of media that contained sensitive data?
How is data destruction verified?
What documentation is required for data disposal?
PRO TIP: Data retention requirements are typically defined by your attorney in a records retention or books and records retention schedule. Then your I.T. team can take those requirements and implement them in various systems.
3. Roles and Responsibilities
This section of the policy spells out the key responsibilities for the security program for all levels of the firm.
3.1 Executive Management / Board of Directors
How do executive management and/or the Board of Directors receive reports on the firm's security program?
What metrics are shared?
How often are security briefings provided?
Who is required to participate?
3.2 Security Team
What are the CISO's responsibilities?
Who comprises the security team, both employees and external vendors?
What security metrics are tracked?
PRO TIP: We find it's helpful to build a security compliance calendar for the CISO of weekly, monthly, quarterly, and annual tasks as part of the policy.
3.3 Employee Responsibilities
What are general staff security duties (e.g., some companies have their employees leave computers turned on one day a week to receive patches)?
What trainings are employees required to participate in?
How should they report suspected incidents?
How should they report suspected phishing attempts?
PRO TIP: Most companies will create a signature form (or add a signature block) for employees to sign and acknowledge that they have read the security policy, and agree to abide by it.
4. Access Control and Authentication
In this section of the RIA cybersecurity policy, we describe who decides which employees can access which data, and what kind of password and MFA requirements are involved. We also define who has administrative/privileged access.
4.1 Access Management
For the systems that house sensitive data described back in section 2, how is employee access granted and revoked?
What is the process for requesting access changes? Who approves them (typically compliance), and who implements them (typically I.T.)?
How are access rights reviewed?
What access documentation is maintained?
What process is followed when new employees are hired?
What process is followed when employees are terminated or quit?
Is the process different if it's a "bad" termination?
PRO TIP: Depending on your size and how often you add and remove staff, you may want to consider reviewing who has access to which systems quarterly or semi-annually. Smaller, more stable firms may only need to do this once a year.
4.2 Authentication
How is multi-factor authentication implemented, and what type?
What are lockout requirements on inactivity? Shorter is better!
What are lockout requirements for multiple failed password attempts?
Who is monitoring for frequent failed logins, and how?
4.3 Privileged Access
Who can have administrative access? This question applies both to your staff and your outsourced vendors, and should be VERY limited.
How is privileged access monitored and controlled?
What extra controls exist for privileged accounts?
How often is privileged access reviewed?
PRO TIP: It's common in smaller firms to see employees who are also set up as Administrators. If a hacker were to get into your account, they'd have full control over all of your systems. A better practice is to set up a dedicated Admin account, and then separately have your "daily driver" account set up as a Standard user.
5. Network and System Security
This section of the policy describes technical measures that protect your network, computers, mobile devices, and remote connections.
5.1 Asset Management
How and where are assets (computers, mobile devices, network equipment, etc.) tracked, and by whom?
How often is the asset inventory updated? It's preferable to do this automatically, but at a minimum it should be done annually.
What process is followed to buy and configure new assets?
What process is followed to decommission and dispose of old assets?
What process is followed when assigning old assets to new people?
5.2 Network Protection
What network security controls are required (e.g., firewalls, SASE)?
How is network access controlled?
What network monitoring exists?
How are network changes managed (requests, approvals, and changes)?
5.3 Computer Security
What security tools are required to be on all computers?
How and how often is the inventory of computers and the list of security tools reconciled to make sure there are no gaps?
How are security patches managed, and by whom?
What are the SLAs for applying security patches, based on the risk level?
Are you following any computer hardening standards (like Microsoft or CIS) and, if so, who is responsible for implementing them?
How are computers monitored for security issues, and by whom?
5.4 Encryption Requirements
When is encryption required?
What encryption standards are used?
How are encryption keys managed?
How is encryption verified?
PRO TIP: When thinking about encryption, you need to consider both "encryption at rest" and "encryption in transit" for each of the systems that store or can access sensitive data. This includes computers, mobile devices, cloud services, network devices, etc.
5.5 Email Security
Are employees allowed to email sensitive data and, if so, how is email encryption implemented?
Are employees allowed to receive and store sensitive data in their email?
What measures to prevent email spoofing (SPF, DKIM, and DMARC) are in place?
What email monitoring exists?
5.6 Mobile Device Management
What mobile devices are permitted? Do you only allow company-owned phones, personal phones, or a mix?
What security controls are required?
How are mobile devices monitored and managed?
How are new mobile devices approved, and by whom?
What happens if devices are lost or stolen? What should users do, and what should I.T. do?
Are there any minimum configuration standards (e.g., passcode length, encryption, patching) that must be applied to mobile devices before they can access work systems?
This section of the RIA cybersecurity policy is usually fairly long. It spells out who does what during cybersecurity incidents, and also steps that the firm will take to prepare for and lessen the impact of incidents. This article on our site points to helpful templates.
6.1 Incident Response Plan
What is the definition of a security incident?
What are common examples of security incidents?
What is the escalation process that should be followed if a security incident is suspected?
Who is on the team that will convene to evaluate and respond to the incident, both employees and vendors?
How can these team members be contacted if the security incident affects your email, chat, etc.?
Who is responsible for documenting the incident, and where are the reports and evidence stored?
Who has the authority to engage outside experts like cybersecurity insurance, legal counsel, digital forensics, etc.?
Who will make the decision about notifying outside parties (clients, partners, vendors) about an incident?
What is the order of operations for handling the incident? For example, the safety of employees is probably the highest priority, while the post-incident lessons-learned debrief is probably one of the last things you will do.
PRO TIP: The SEC wants you to specifically address a few unusual incidents in your policy:
What happens if someone unauthorized joins a video call (like Zoom or Teams)?
Vendor-related incidents should be tracked and logged like internal incidents.
6.2 Business Continuity
For each core system, how are backups managed?
Are backups encrypted, and is access to them very limited? If so, who has access?
Are backups kept in a place that's disconnected from your corporate network, to protect against ransomware?
Who is allowed to declare a "disaster" or "business continuity" event, and in what order are people called?
How and how often is your business continuity tested? Should be at least once a year.
If your main work area is not available due to a disaster, where are people meant to work? And what safety protocols are in place to make sure that the security in the new location is the same as in the old location?
How often are tabletop exercises performed, and how? Should be at least annually.
PRO TIP: Some RIA firms have an annual "work from home" day as a business continuity test.
7. Security Awareness
In this section of the RIA cybersecurity policy, define how you train your team to follow good security practices.
7.1 Training Program
What security training is required, and how often?
How is training effectiveness measured?
How are new employees trained upon joining the firm?
What training records are maintained?
How is completion tracked?
7.2 Security Awareness
Who is responsible for sending security updates out to staff, and how often?
As a firm, do you want to send cybersecurity updates out to clients? If so, how often?
7.3 Social Engineering Tests
How and how often are phishing tests sent to employees?
Are other social engineering tests (like QR codes, smishing, vishing, etc.) sent to employees?
What failure rate metrics are you targeting?
What process will you follow when employees fail social engineering tests?
This part of the RIA cybersecurity policy describes how you onboard new vendors, and how you make sure that your existing vendors are protecting your firm's data properly.
8.1 Vendor Inventory
Where is the vendor inventory stored?
Who updates it and how often?
PRO TIP: The SEC has some specific requirements for vendor inventories. A few of them include:
What kind of MFA is used for cloud vendors
What kind of data is handled by these vendors
A risk rating of each vendor
A list of both current and terminated vendors, with contract and termination dates.
How is the vendor inventory maintained, and does it cover both current and terminated vendors as the SEC expects?
8.2 Vendor Security Risk Assessment
How do you assess each vendor for cybersecurity risk and how often? Should be done at least annually.
How do you assess new vendors for cybersecurity risk? Should be done before any contracts are signed.
What documentation is required from each vendor for the security reviews?
While this is mentioned in section 5.7 above, most breaches these days come from misconfigured cloud systems (like Microsoft 365 and Google Workspace).
For this section of the RIA cybersecurity policy, we want to document the controls that are in place to protect both client funds and the firm's funds.
9.1 Client Account Access
How are client accounts protected, and what authentication is required?
Are clients using MFA? If not, should they be encouraged to?
Who is monitoring client account access for suspicious activity?
What processes are in place to identify suspicious funds transfers?
What is the funds transfer request process?
PRO TIP: We're already seeing RIA firms targeted by very sophisticated attacks. When discussing funds transfer, be sure to imagine a world in which attackers have significant time, access to your clients' emails, and the ability to deepfake client voices.
PRO TIP #2: The SEC wants to see that you have a formal process for receiving and handling client complaints.
9.2 Firm Transaction Security
How are requests for payment verified? Remember, attackers may have access to your vendors' emails.
Is MFA required to initiate electronic payments like ACH or wire?
Have you set up your online banking to require multiple approvals for large, outbound payments?
Have you set up alerting notifications for large, outbound payments?
Have you set transaction limits for ACH and wire payments?
Have you talked to your bank about other fraud and security measures that they offer?
10. Physical Security
In this section of the RIA cybersecurity policy, we want to describe what keeps your firm physically safe, both in the office and at home.
How do you control who can access your offices?
How are visitors signed in, and are they escorted?
How are unmonitored contractors (like cleaning staff) vetted before being allowed unescorted access to your offices?
Is any monitoring in place, like cameras or alarms?
Should employees follow any security standards at home, like locking offices, locking computers, shredding paper, etc.?
How is paper shredding handled in the office?
11. Cybersecurity Documentation and Validation
In this section of the RIA cybersecurity policy, we want to define how we know that your cybersecurity is working, and how to handle exceptions.
11.1 Cybersecurity Program Documentation
Where is your cybersecurity policy stored in a way that all employees can access it?
Where is your business continuity policy stored in a way that it's available if your systems are down?
Where is your cybersecurity insurance policy stored in a way that hackers can't access it if they breach your systems?
Rather than the whole policy, do you have an employee-facing summary that is more directly related to their job? If so, where is it stored?
11.2 Exception Management
If an employee doesn't want to or can't follow your policy, how do they request an exception?
Who approves the exception, and where is it logged?
How often are exceptions reviewed?
PRO TIP: Exceptions are a tricky subject. Sadly, we often find that executives are the people who are most likely to want to skip complying with some parts of the Information Security policy. This is unfortunate because executives are often the highest-risk targets, both because they have a public profile and because of the information that they can access. They also can have direct, personal liability if found not to be exercising due diligence or due care. This is an area where we add value as part of our vCISO service.
11.3 Cybersecurity Assessments and Audits
Who is validating that your Information Security is effective, and how often? This is another part of our vCISO service.
Who is performing an annual security risk assessment and reviewing it with your leadership team?
How often are you performing penetration tests to see what an external attacker sees?
How often are you performing vulnerability scans to find missing security patches?
12. Acceptable Use
In this section of the RIA cybersecurity policy, we'll spell out what employees are allowed and not allowed to do.
Are employees allowed to use work computers for personal use?
What about the work Internet or Wi-Fi?
Are employees allowed to try to bypass the firm's security tools?
Do employees have any right to privacy on work systems?
Are employees allowed to download and install their own software?
Are there types of inappropriate behavior that employees should never engage in, such as pornography, gambling, off-color humor, etc.?
What are the consequences of violation?
13. Removable Storage Devices
This part of the RIA cybersecurity policy defines how the company manages removable storage devices like USB drives, thumb drives, CDs, DVDs, etc.
Are removable devices allowed? If so, what kinds?
Are employees permitted to use any removable devices, or only those provided by the company?
Are the removable drives protected by encryption?
Are employees urged to never plug untrusted removable devices into their computer?
If removable devices are not allowed, what technical measures are in place to block them?
14. Data Loss Prevention
In this section of the RIA cybersecurity policy, we'll define the methods we use to detect sensitive data leaving the company. This applies both to employees who may try to steal data and to hackers who take over the accounts of your employees.
How will you be alerted if sensitive data is sent outside the company via email?
How will you be alerted if sensitive data is sent outside the company through an external file share (e.g., SharePoint, OneDrive, Google Drive)?
How will you be alerted if sensitive data leaves through chat (like Teams, Slack, etc.)?
Are you happy just to be alerted when this happens, or do you want to block it when it happens?
What is the process you will use to investigate alerts about data leaving?
15. Application Security
PLEASE NOTE: This section of the RIA cybersecurity policy only applies to your company if you're developing software, paying vendors to develop custom software, or using Infrastructure as a Service (IaaS) vendors like Amazon Web Services, Google Cloud Platform, or Microsoft Azure.
If the application is Internet-facing, what penetration tests are performed to validate there are no security issues?
What tools are in place to scan for security issues in the source code that your developers are writing?
What tools are in place to scan for vulnerabilities in the servers and/or containers that your developers are using to deploy?
What tools are in place to scan for security configuration issues at your IaaS vendor (AWS, GCP, Azure)?
What processes are in place to confirm that a single developer can't check in malicious code?
What processes or segregation of duties are in place to confirm that a developer can't steal your data?
What logs are being gathered to spot security issues, who is monitoring them, and for what?
Appendices
RIA Cybersecurity Policies will often include references to more detailed documents that are relevant to the cybersecurity policy.
Here's a list of common appendices:
Asset/hardware inventory (updated at least annually)