The Complete Guide to RIA Cybersecurity

Use a Virtual CISO from Adelia Risk to navigate complex regulations,
protect your clients, and protect your firm.

The Cheat Sheet for RIAs and Wealth Management Cybersecurity: Remaining In Compliance

Adelia Risk is a long-term partner, not a one-time cybersecurity consultant. 
We don’t deliver a report then vanish. We work with you over time to reach your security goals.

RIA Cybersecurity Requirements & SEC Regulations

The SEC requires registered investment advisors to implement dozens of cybersecurity requirements.

These requirements are split across a number of publications, regulations, and risk alerts. Here are the main ones:

To get ready for an audit, you can download our 78-point audit checklist.

What about new and future RIA Cybersecurity Requirements?

You may have heard chatter about some new, more stringent cybersecurity rules proposed in 2022 and 2023:

In a nutshell, these new regulations would have significantly raised the bar for wealth management firm cybersecurity. Most notably, RIAs would have been required to adopt and implement written cybersecurity policies and procedures, report significant cybersecurity incidents to the SEC, and make cybersecurity-related disclosures to clients (see proposed Rules 206(4)-9 and 204-6 in the FAQ below).

While these rules were never finalized and have since been withdrawn (for now), it’s still helpful to understand them: they signal the kind of requirements we may see in the future.

FINRA Cybersecurity Regulations

FINRA (a not-for-profit self-regulatory organization that oversees broker-dealers) also has something to say about cybersecurity. Its rules bind FINRA member firms, so they matter most to RIAs that are dually registered as, or affiliated with, a broker-dealer. FINRA’s cybersecurity requirements tend to be higher-level than the guidance issued by the SEC.

Of special note: one important difference between FINRA and the SEC is that FINRA has a published reporting requirement, Rule 4530 (Reporting Requirements), which obliges member firms to report specified events to FINRA, generally within 30 calendar days. If you are a FINRA member, read and understand what Rule 4530 requires of you.

Other Cybersecurity Regulations: Federal

While most RIAs focus on the SEC and FINRA, two other federal cybersecurity regulations also reach wealth management firms: the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. GLBA’s safeguards requirement reaches SEC-registered advisers through the SEC’s own Regulation S-P, while the FTC Safeguards Rule covers state-registered advisers and other financial institutions outside the SEC’s jurisdiction.

Here’s the good news: there is a high degree of overlap between GLBA, the FTC Safeguards Rule, the FINRA requirements, and the SEC requirements. The work you do for the SEC requirements will mostly cover the other regulations.

Other Cybersecurity Regulations: State

The United States has a complicated patchwork of state laws and regulations that govern cybersecurity and privacy. Each state has its own requirements, and some states (notably New York and California) have the strictest laws in the country.

New York Specific Requirements

If you have clients in New York, you may be required to comply with the New York Department of Financial Services (DFS) Cybersecurity Regulation, 23 NYCRR Part 500. Most people just call it “NYDFS” for short. The regulation applies to “covered entities”: firms operating under a license, registration, charter or similar authorization from DFS under New York’s Banking, Insurance or Financial Services Law. An RIA that holds no such authorization (an insurance license, for example) is generally not a covered entity even if it has New York clients, so check your licensing before assuming it applies.

NYDFS is more stringent than both the SEC’s and FINRA’s requirements. Most notably, covered entities must notify DFS within 72 hours of determining that a reportable cybersecurity incident has occurred (and within 24 hours of making an extortion payment), and must file a formal certification of compliance with DFS once a year.

California Specific Requirements

If you have clients in California, then you may be required to comply with the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act. CCPA is less a cybersecurity regulation and more a privacy law that gives your clients more control over their personal information, and it applies only to businesses that meet size thresholds (for example, annual gross revenue above $25 million, adjusted for inflation). One caveat matters for RIAs: personal information already governed by GLBA is exempt from most of the CCPA’s provisions, but not from its private right of action, which lets consumers sue over a data breach caused by a failure to maintain reasonable security. That is the cybersecurity teeth of the law, and any RIA with clients in California should be aware of it.

Fines and Penalties

Companies that don’t comply with NYDFS or CCPA risk both fines and embarrassment. NYDFS has imposed multiple multi-million-dollar penalties, and the California Attorney General and the California Privacy Protection Agency have reached sizable settlements with companies under the CCPA.

The bottom line is that these state regulations don’t necessarily apply to every company, so consult with a qualified attorney or compliance consultant to determine whether NYDFS or CCPA apply to you. If they do apply to you, though, you’ll need to do extra work to make sure you comply with the provisions they have, which are different from the SEC and FINRA guidance.

Get the 78-Point Cybersecurity Checklist

Download our free 78-point checklist of the cybersecurity measures you need to be able to show in an audit.

What about the NIST Cybersecurity Framework?

If you’ve tried to do some research around SEC or FINRA cybersecurity regulations, you’ve probably seen references to the “NIST Cybersecurity Framework” (or NIST CSF for short).

Even though NIST is part of the federal government, the NIST Cybersecurity Framework is not a law or a regulation, and there is no requirement for Registered Investment Advisors to follow it.

NIST, as a government entity, publishes standards that apply to lots of different industries (not just cybersecurity). They run the atomic clocks that keep official U.S. time and maintain the national measurement standards behind units such as the pound and the kilogram.

Even though the NIST CSF is not a law or regulation, it’s still worth understanding. NIST basically gives you a cheat sheet for how to organize your cybersecurity efforts. If you can confidently say your program aligns with the NIST CSF, you’ve already gone most of the way toward the safeguards that the SEC, FINRA, GLBA, the FTC, NYDFS and others expect (CCPA’s consumer-rights provisions are a privacy matter that the CSF does not address).

The NIST CSF also provides a common-sense framework for thinking through your cybersecurity program. Version 2.0 organizes it into six functions: Govern, Identify, Protect, Detect, Respond and Recover.

Adopting the NIST CSF will certainly help with compliance, but (more importantly) it gives you a framework to improve your overall cybersecurity posture.

Making sense of the alphabet soup

When we work with clients, we’ve already done the heavy lifting of interpreting the regulations above, and have put them into easy-to-understand, specific recommendations.

Here are just a few examples:

You can see a full list of cybersecurity articles on our Blog.

The bottom line: we make it easy for wealth management firms to assess where they stand today and build an action plan, and then we act as your long-term partner in getting you to the point where you’re secure AND compliant.

Learn more about our Wealth Management Virtual CISO service

Registered Investment Advisor Cybersecurity Frequently Asked Questions

What are the main cybersecurity regulations that apply to RIAs?

The main cybersecurity regulations for RIAs include SEC requirements, FINRA regulations, the Gramm-Leach-Bliley Act (GLBA), and the FTC Safeguards Rule. Some state-specific regulations like NYDFS and CCPA may also apply depending on your client base.

Are there state-specific cybersecurity regulations that RIAs need to follow?

Yes, notably the New York Department of Financial Services (NYDFS) Cybersecurity Regulation for firms licensed or registered with DFS that serve New York clients, and the California Consumer Privacy Act (CCPA) for qualifying businesses with California clients. Other states may have their own requirements, though they tend to be less stringent.

How often does the SEC update its cybersecurity requirements?

The SEC periodically updates its cybersecurity requirements. While there’s no set schedule, the SEC issues risk alerts and guidance as new threats emerge or industry practices evolve, and it occasionally amends the rules themselves. For example, the 2024 amendments to Regulation S-P require advisers to maintain a written incident response program and to notify affected individuals within 30 days after becoming aware that their sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. It’s crucial for RIAs to stay informed about these updates.

What are the consequences of not complying with SEC cybersecurity requirements?

Consequences can include regulatory fines, reputational damage, loss of client trust, and in severe cases, legal action. The SEC has the authority to impose significant penalties for non-compliance.

What is the NIST Cybersecurity Framework, and does it apply to RIAs?

The NIST Cybersecurity Framework is a voluntary set of guidelines for managing cybersecurity risk. While not mandatory for RIAs, following the NIST CSF helps ensure comprehensive cybersecurity practices and aids compliance with the various regulations that do apply.

How can RIAs prepare for an SEC cybersecurity audit?

RIAs can prepare by regularly assessing their cybersecurity posture, maintaining comprehensive documentation of policies and procedures, conducting staff training, and using a cybersecurity checklist designed around SEC expectations.

What is a Virtual CISO, and how can one help an RIA?

A Virtual CISO is an outsourced cybersecurity expert. A Virtual CISO can help an RIA build a robust cybersecurity program, ensure regulatory compliance, and manage cybersecurity risk without a full-time hire.

What are the most common cybersecurity threats facing RIAs?

Common threats include phishing attacks, ransomware, wire fraud, banking trojans, and data breaches. Social engineering that targets employees and clients (for example, a spoofed client e-mail requesting a wire transfer) is also prevalent.

How often should RIAs conduct cybersecurity risk assessments?

RIAs should conduct risk assessments at least annually. More frequent assessments may be necessary when significant changes occur in the business or technology environment, such as a new custodian, a new cloud platform, or a merger.

What are some cybersecurity best practices for RIAs?

Best practices include strong access controls (including multi-factor authentication), encrypting sensitive data, regularly updating software, conducting employee training, using secure communication channels, and having a robust incident response plan.

What should RIA cybersecurity training cover?

Effective training includes regular sessions on recognizing threats, safe internet practices, proper data handling, and incident procedures. We also recommend (and provide) simulated phishing tests.

What should an RIA’s incident response plan include?

An incident response plan should include steps for identifying, containing, and mitigating security incidents; the roles and responsibilities of team members; communication protocols; and procedures for notifying affected parties and regulators within the deadlines that apply to your firm.

How do cybersecurity requirements differ for cloud-based systems?

While core security principles apply to both, cloud-based systems require additional focus on vendor management, data encryption in transit and at rest, and the shared-responsibility model: the provider secures the platform, but configuring the security settings it exposes (access, logging, data sharing) remains your responsibility.

What should an RIA’s business continuity plan include?

Key components include data backup and recovery procedures, alternate work locations, communication plans, identification of critical business functions, and regular testing and updating of the plan.

What is SEC Rule 206(4)-9?

Rule 206(4)-9 was an SEC rule proposed in February 2022 that would have required investment advisers to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risk, and to review them at least annually. The SEC withdrew the proposal in June 2025, so it will not take effect in its proposed form.

What is SEC Rule 204-6?

Rule 204-6 was a companion rule from the same 2022 proposal. It would have required advisers to report significant cybersecurity incidents to the SEC on a new confidential Form ADV-C within 48 hours of having a reasonable basis to conclude that an incident had occurred. Related amendments to Rule 204-2 would have required advisers to keep records of their cybersecurity policies, risk assessments and incidents, and Form ADV amendments would have required disclosure of cybersecurity risks and incidents to clients. The SEC withdrew the whole proposal in June 2025.

Ready to Protect What You've Built?

Schedule a free consultation. We’ll discuss your firm, your concerns, and what makes sense for you. No pressure, just straight answers.