Use a Virtual CISO from Adelia Risk to navigate complex regulations,
protect your clients, and protect your firm.
Adelia Risk is a long-term partner, not a one-time cybersecurity consultant.
We don’t deliver a report then vanish. We work with you over time to reach your security goals.
The SEC requires registered investment advisors to implement dozens of cybersecurity requirements.
These requirements are split across a number of publications, regulations, and risk alerts. Here are the main ones:
We’ve relied on Adelia Risk for our cybersecurity for years, and the difference they’ve made is hard to overstate. Before Adelia, we had gaps we didn’t even know about. Their initial assessment was a real eye-opener, and the prioritized project plan they built gave us a clear path from where we were to where we needed to be.
What sets Adelia apart is the breadth of what they actually do. They run our phishing tests and security training, audit our Google Workspace configuration, review our third-party vendors, and keep our IT provider honest when things slip through the cracks. When they recommended a new email security tool, it proved itself quickly by catching a real threat and handling it exactly the way it should have been handled.
Our principal has always said cybersecurity is the one thing that could put us out of business. Having Adelia Risk in our corner means we’re more prepared than we’ve ever been. I’d recommend their RIA cybersecurity services without hesitation.
Damon H., RIA Cybersecurity Client
Wealth Management Firm, Connecticut
Adelia Risk has been our cybersecurity partner for nearly eight years, and the relationship has only gotten stronger. When they first came in, their reports surfaced vulnerabilities that had gone unaddressed for years. We took those findings seriously enough to completely change how we run our IT reviews. That honesty is exactly what we needed, and it set the tone for a partnership built on trust and accountability.
What sets Adelia apart is how involved they stay. They don’t hand us a checklist and disappear. They keep our IT provider honest, make sure nothing falls through the cracks, and guide us through decisions in plain English. When they recommended new security tools, those tools delivered. When they ran an AI security presentation for our staff, the feedback was overwhelmingly positive. They go well beyond what you’d expect.
We’re more prepared for anything that comes our way from both a compliance and security perspective, and that’s a direct result of working with Adelia Risk. I’d recommend their RIA cybersecurity services to any firm that wants a real partner, not just another vendor.
Stacey S., RIA Cybersecurity Client
Wealth Management Firm, Rhode Island
You may have heard chatter about some new, more stringent cybersecurity rules proposed in 2022 and 2023:
In a nutshell, these new regulations would have significantly raised the bar for wealth management firm cybersecurity. Most notably, RIAs would have been required to:
While these new rules and regulations were never finalized and have been abandoned (for now), it’s helpful to understand them as a signal of the requirements we may see in the future.
FINRA (a non-profit that regulates brokers and exchanges) also has something to say about cybersecurity. FINRA’s cybersecurity requirements tend to be higher-level than the guidance issued by the SEC.
Of special note:
One important difference between FINRA and the SEC is that FINRA does have published requirements to report issues in the form of Rule 4530: Reporting Requirements. It’s important that you read and understand your requirements under this rule.
While most RIAs focus on the SEC and FINRA, there are also two other cybersecurity regulations that apply to wealth management firms:
Here’s the good news – there is a high degree of overlap between GLBA, the FTC Safeguards Rule, the FINRA requirements, and the SEC requirements. The work you do for the SEC requirements will mostly cover the other regulations.
The United States has a complicated patchwork of laws and regulations that govern cybersecurity. Each state has its own requirements, and some states (like California and New York) have the strictest laws in the country.
If you have clients in New York, you’re required to comply with the New York Department of Financial Services (DFS) Cybersecurity Regulation 23 NYCRR Part 500. Most people just call it “NYDFS” for short.
NYDFS is more stringent than both the SEC’s and FINRA’s requirements. Most notably, NYDFS requires that financial firms notify them within 72 hours of any incidents, and companies must formally certify compliance once a year.
If you have clients in California, then you may be required to comply with the California Consumer Privacy Act of 2018 (CCPA). CCPA is less a cybersecurity regulation and more a law that focuses on giving your clients more control over their personal information. However, there are some cybersecurity requirements, and any RIA with clients in California should be aware of the law.
Companies that don’t comply with NYDFS or CCPA risk both fines and embarrassment. NYDFS has imposed multiple multi-million dollar fines, and CCPA has also fined many companies for sizable amounts.
The bottom line is that these state regulations don’t necessarily apply to every company, so consult with a qualified attorney or compliance consultant to determine whether NYDFS or CCPA apply to you. If they do apply to you, though, you’ll need to do extra work to make sure you comply with the provisions they have, which are different from the SEC and FINRA guidance.
All of the SEC, FINRA, and federal requirements above, distilled into one checklist. Print it, share it with your compliance consultant, or use it to see where your firm stands today.
Free. No sales call required.
If you’ve tried to do some research around SEC or FINRA cybersecurity regulations, you’ve probably seen references to the “NIST Cybersecurity Framework” (or NIST CSF for short).
Even though NIST is part of the federal government, the NIST Cybersecurity Framework is not a law or a regulation, and there is no requirement for Registered Investment Advisors to follow it.
NIST, as a government entity, publishes standards that apply to lots of different industries (not just cybersecurity). They’re the keepers of the atomic clock that measures time, and the official definitions of “a pound” and “a kilogram.”
Even though NIST doesn’t provide a formal law or regulation, it’s still worth understanding the NIST CSF. NIST basically gives you a cheat sheet for how best to organize your cybersecurity efforts. If you can confidently say you comply with NIST, then you’ve already gone most of the way toward complying with SEC, FINRA, GLBA, FTC, CCPA, NYDFS, etc.
The NIST CSF also provides a common-sense framework for thinking through your cybersecurity program:
Adopting the NIST CSF will certainly help with compliance, but (more importantly) it gives you a framework to improve your overall cybersecurity posture.
When we work with clients, we’ve already done the heavy lifting of interpreting the regulations above, and have put them into easy-to-understand, specific recommendations.
Here are just a few examples:
You can see a full list of cybersecurity articles on our Blog.
The bottom line is that we make it easy for wealth management firms to assess where they stand today, build an action plan, and then stay on as a long-term partner until they’re secure AND compliant.
Adelia Risk builds cybersecurity programs that cover SEC, FINRA, GLBA, and state requirements. One program, one monthly fee, and we handle the alphabet soup so you don’t have to.
See Our RIA Cybersecurity Services
The main cybersecurity regulations for RIAs include SEC requirements, FINRA regulations, the Gramm-Leach-Bliley Act (GLBA), and the FTC Safeguards Rule. Some state-specific regulations like NYDFS and CCPA may also apply depending on your client base.
Yes, notably the New York Department of Financial Services (NYDFS) Cybersecurity Regulation for firms with New York clients, and the California Consumer Privacy Act (CCPA) for those with California clients. Other states may have their own requirements, though they tend to be less stringent.
The SEC periodically updates its cybersecurity requirements. While there’s no set schedule, the SEC issues risk alerts and guidance as new threats emerge or industry practices evolve. It’s crucial for RIAs to stay informed about these updates.
Consequences can include regulatory fines, reputational damage, loss of client trust, and in severe cases, legal action. The SEC has the authority to impose significant penalties for non-compliance.
The NIST Cybersecurity Framework is a voluntary set of guidelines for managing cybersecurity risks. While not mandatory for RIAs, following the NIST CSF can help ensure comprehensive cybersecurity practices and aid in compliance with various regulations.
RIAs can prepare by regularly assessing their cybersecurity posture, maintaining comprehensive documentation of policies and procedures, conducting staff training, and potentially using a cybersecurity checklist designed for SEC compliance.
A Virtual CISO is an outsourced cybersecurity expert. They can help RIAs build a robust cybersecurity program, ensure regulatory compliance, and manage cybersecurity risks without a full-time hire.
Common threats include phishing attacks, ransomware, wire fraud, banking trojans, and data breaches. Social engineering tactics targeting employees and clients are also prevalent.
RIAs should conduct risk assessments at least annually. However, more frequent assessments may be necessary when significant changes occur in the business or technology environment.
Best practices include strong access controls, encrypting sensitive data, regularly updating software, conducting employee training, using secure communication channels, and having a robust incident response plan.
Effective training includes regular sessions on recognizing threats, safe internet practices, proper data handling, and incident procedures. We also recommend (and provide) simulated phishing tests.
An incident response plan should include steps for identifying, containing, and mitigating security incidents, roles and responsibilities of team members, communication protocols, and procedures for notifying affected parties and regulators.
While core security principles apply to both, cloud-based systems often require additional focus on vendor management, data encryption in transit and at rest, and configuring security settings that are your responsibility.
Key components include data backup and recovery procedures, alternate work locations, communication plans, critical business function identification, and regular testing and updates of the plan.
Rule 206(4)-9 is a proposed SEC rule that would require investment advisers to adopt and implement written cybersecurity policies and procedures, report significant cybersecurity incidents, and provide cybersecurity-related disclosures to clients. This rule is unlikely to be implemented in its current form.
Rule 204-6 is a proposed SEC rule that would amend existing recordkeeping, reporting, and disclosure rules. It would require advisers to maintain specific records related to their cybersecurity policies, procedures, risk assessments, and incidents. This rule is unlikely to be implemented in its current form.
In September 2025, researchers linked a Qilin ransomware campaign to a likely upstream service-provider compromise that
In 2024, Elkin Valley Baptist Church lost $793,000 when criminals impersonated their construction contractor and sent
In August 2024, Fidelity Investments disclosed that attackers accessed 77,099 customer accounts by exploiting the new
You’ve just read through a lot of regulations. We help RIAs make sense of all of it and build a security program that actually satisfies examiners. Schedule a free consultation. We’ll talk about your firm, your concerns, and whether we’re a good fit. No pressure.