The RIA Cybersecurity Policy Checklist Template Every SEC-Registered Adviser Needs


In November 2025, the SEC settled charges against a registered advisory firm for $325,000 after attackers took over email accounts across its branch offices and accessed the records of thousands of clients (SEC order). The breach was bad. The bigger problem, in the SEC’s view, was that for years the firm had no written information security program governing those offices.

At Adelia Risk, we build RIA cybersecurity programs for registered investment advisers, and a thin set of written policies is the gap we run into most.

The question we hear most often is, “What does an RIA cybersecurity policy actually need to contain?” The honest answer is that one policy isn’t enough. A defensible program is built on four written documents, and SEC examiners now expect to see them in operation, not just sitting in a shared drive.

This guide walks through the RIA cybersecurity policy checklist we use with clients. You’ll get the four policies every firm should have, what each one needs to include, and the reasons behind each item. You can download the full checklist below and work through it with your Chief Compliance Officer (CCO).

The Short Answer: What an RIA Cybersecurity Policy Should Include

An RIA cybersecurity policy should include an Information Security Policy, an Acceptable Use Policy, an Incident Response Plan, and a Business Continuity and Disaster Recovery Policy.

Together, those policies explain who owns the cybersecurity program, how the firm protects client information, how employees are allowed to use firm systems, how vendors are reviewed, how wire-transfer risk is controlled, how incidents are handled, and how the firm keeps operating during a disruption.

Your RIA cybersecurity policy set should cover:

  • Security program ownership and oversight
  • Annual cybersecurity risk assessments
  • Multifactor authentication and password standards
  • Approved storage locations for sensitive client data
  • Email, phishing, and safe-communication rules
  • Wire-transfer and online-banking fraud controls
  • Vendor risk assessment and breach-notification requirements
  • Incident response roles, evidence preservation, and client notification
  • Business continuity, backup, and disaster recovery testing
  • Cybersecurity documentation and recordkeeping

If you need the RIA cybersecurity policy checklist right now, you can grab it from the form above. If you’re ready to get into the details, keep reading.

Why This Is a Checklist and Not a Generic RIA Cybersecurity Policy Template

A lot of advisers start by looking for an RIA cybersecurity policy template. That makes sense. A template makes for an easy hand-off to a compliance team. The problem is that a generic cybersecurity policy template can create a false sense of completion.

Your firm’s cybersecurity policy should reflect how your firm works.

That is why we decided to go with an RIA cybersecurity policy checklist instead of a fill-in-the-blank policy document. The checklist helps you identify what your written policies need to address before you try to turn them into final language.

Used correctly, a checklist is a better starting point. It helps everyone see what is already in place, what is partially covered, and what is missing. The checklist gives you the structure.

What Regulation S-P Now Requires of Advisers

For years, RIA compliance requirements around cybersecurity were spread across risk alerts and general guidance. That changed with the 2024 amendments to Regulation S-P (the Reg S-P amendments), the SEC rule often called the Safeguards Rule.

The amended rule set hard compliance deadlines, and both have passed. Larger advisers (those with $1.5 billion or more in assets under management) had to comply by December 3, 2025, and smaller advisers by June 3, 2026. These are current obligations, not future ones.

Under the amended rule, an SEC-registered adviser now needs four things in writing:

  • A program to detect and respond to unauthorized access to customer information
  • Notice to affected clients within 30 days of becoming aware of an incident
  • Oversight of the service providers that touch client data
  • Records of all of this, kept for five years

The SEC has flagged Regulation S-P and these SEC cybersecurity requirements in both its 2025 and 2026 examination priorities, so an SEC cybersecurity exam is a realistic reason to get this right now.

Two of the four RIA cybersecurity policies in this checklist, the Information Security Policy and the Incident Response Plan, map directly to what Regulation S-P requires. The other two round out the program and are what examiners expect to see.

The SEC has dozens of cybersecurity requirements for advisers spread across rules and alerts, and a clear set of policies is how you show you’ve addressed them.

The 48-Hour SEC Report That Doesn’t Exist

One point of confusion is worth clearing up, because we still see it written into older incident response plans.

There is no requirement for an RIA to file a “Form ADV-C” or report a cyber incident to the SEC within 48 hours. That was part of a separate proposed SEC cybersecurity rule from 2022, and the SEC formally withdrew that proposal on June 12, 2025 (SEC withdrawal summary).

The current obligation is the 30-day notice to affected clients under Regulation S-P. If your plan still references a 48-hour SEC filing, that’s a sign it needs a refresh.

There’s also Regulation S-ID, the Identity Theft Red Flags Rule. Many advisers assume it doesn’t apply because they don’t hold custody. The SEC rejected that argument.

If your firm can direct transfers or payments from individual accounts, it likely needs a written identity theft prevention program, too. Most advisers should at least check whether it applies.

Start With the Information Security Policy

The Information Security Policy, sometimes called a Written Information Security Policy or WISP, is the master document. The other three policies sit under it. It sets who owns the program, how the firm assesses risk, and the firm-level controls.

If you are starting from a blank page, an information security policy template can give you the structure, but it still has to be tailored to how your firm actually handles client data.

The most useful item here is ownership. When “everyone” owns security, no one does, and that gap is what the SEC pointed to in recent enforcement.

Name a person to handle your RIA cybersecurity policy. For many of our clients, that’s the CCO paired with an outside virtual CISO who runs the program.

The annual risk assessment is the engine. It’s a recurring exam finding when it’s missing, and without it, you don’t know your real exposure. The assessment should feed your RIA cybersecurity policy updates.

Vendors

So, what about your vendors? Your written policies now require service providers to tell you about a breach as soon as possible and no later than 72 hours after they learn of it. You can hand off the work of notifying clients by contract, but the responsibility stays with your firm.

In our experience, this is where firms have the least documentation and the most exposure, since a fund administrator or IT provider often holds more client data than the adviser does.

Wire Fraud

Fraudulent wires are among the most expensive losses an advisory firm can take, and a two-person rule on transfers is the control that addresses it directly. One person starts the transfer, a different person approves it, and out-of-pattern transfers get a second look before they go out.

We see the gap in the same place repeatedly. One adviser’s bank ran a callback on any new wire destination, which sounds safe, but inside the firm, a single person could still start that wire, and the bank portal didn’t alert on large transfers.

Adding a second person inside the firm to check the approval plus an out-of-band confirmation on every new payee addresses the gap a bank callback alone leaves open.
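Here is what the dual-control check described above looks like when it is written down as logic rather than as a policy sentence. This is an added illustration, not code from Adelia Risk or from any bank portal; the $50,000 threshold, the 3x out-of-pattern multiplier, and the account identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass
class WireRequest:
    initiator: str                     # staff member who entered the wire
    approver: Optional[str]            # second staff member who approved it, None if not yet
    payee_account: str                 # destination account identifier (constructed values below)
    amount: float
    payee_confirmed_out_of_band: bool  # client confirmed the new payee by phone on a number on file

@dataclass
class ClientHistory:
    known_payees: set                  # destinations this client has wired to before
    past_amounts: list                 # prior wire amounts for this client

LARGE_WIRE = 50_000.0        # assumed firm threshold for mandatory documented review
PATTERN_MULTIPLIER = 3.0     # assumed: more than 3x the client's average is out of pattern

def wire_holds(req: WireRequest, history: ClientHistory) -> list:
    """Return the reasons a wire must not be released yet. An empty list means it may go."""
    holds = []
    # Two-person rule: a different person must approve before anything leaves the firm.
    if req.approver is None:
        holds.append("awaiting second approver")
    elif req.approver == req.initiator:
        holds.append("initiator may not approve own wire")
    # New destination: a bank callback alone is not enough; the firm confirms with the client itself.
    if req.payee_account not in history.known_payees and not req.payee_confirmed_out_of_band:
        holds.append("new payee not confirmed out of band")
    # Large or out-of-pattern amounts get a documented second look before release.
    if req.amount >= LARGE_WIRE:
        holds.append("large transfer needs documented review")
    if history.past_amounts and req.amount > PATTERN_MULTIPLIER * mean(history.past_amounts):
        holds.append("amount out of pattern for this client")
    return holds

# Constructed sample: a client who normally wires about $8,000 to one known account.
SAMPLE_HISTORY = ClientHistory(known_payees={"ACCT-1111"}, past_amounts=[7500.0, 8000.0, 8500.0])

if __name__ == "__main__":
    # Same person entered and approved, new payee, large and unusual amount: four holds.
    risky = WireRequest("alice", "alice", "ACCT-9999", 60_000.0, False)
    print(wire_holds(risky, SAMPLE_HISTORY))
```

The point of returning every hold rather than the first one is that the list becomes the evidence an examiner asks for: each release record shows which checks ran and who cleared them.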

The Acceptable Use Policy Is Focused On Your Staff

The Information Security Policy sets the strategy. The Acceptable Use Policy (AUP) is the staff-facing rule book. It tells everyone with access to firm data how they may use firm technology and how they must handle client information. This is the policy your advisers and operations team actually read and sign.

Phishing and wire-transfer controls are worth getting right before almost anything else. Business email compromise drove $2.77 billion in reported losses in 2024, and phishing was the most-reported crime type to the FBI that year (FBI IC3 2024 Annual Report).

Much of the fraud that hits advisory firms starts with a convincing email, so the rules that govern how your team handles email and verifies requests are things you must take seriously.

Multifactor authentication, which means a second step beyond a password, is the highest-impact item on this list. The 2018 SEC case against Voya Financial Advisors turned in part on password-reset and session controls that were too easy for an impersonator to abuse. Requiring multifactor authentication on email and core systems makes the most common route into firm accounts, a stolen or phished password, much harder to use.

The generative AI item is newer, but it’s becoming a regular question in our client reviews. Unless a policy says otherwise, staff paste client data into chatbots without a second thought. You don’t need to ban AI. But you do need to name the approved tools and state exactly what should never go into an unapproved one.

The Incident Response Plan and the 30-Day Clock

The Incident Response Plan (IRP) is your plan for the bad day. It defines what counts as an incident, who runs the response, and how you meet the notification obligations under Regulation S-P.

The 30-day clock is the part advisers most often underestimate. Once your firm becomes aware that sensitive client information was, or is reasonably likely to have been, accessed without authorization, you have 30 days to notify each affected individual in writing, unless you reasonably determine harm is unlikely.

The plan should include the decision record behind that determination. An examiner will want to see how you reached it. Our incident response guidance for SEC-registered firms explains how that decision usually plays out.

Two details matter in the first hour and are easy to get wrong.

First, preserve the evidence before anyone rebuilds a system, or you lose the ability to understand what happened.

Second, route the early work through legal counsel so your investigation can stay under the attorney-client privilege. A plan that names breach counsel, your insurer, and a forensics partner ahead of time saves you from hunting for a lawyer’s number during the event.

State law adds more requirements. Several states require free credit monitoring after a breach involving Social Security numbers, for example 24 months in Connecticut and 18 months in Massachusetts. Your plan should account for offering those services where they apply.

Examiners Expect Business Continuity

There’s no single SEC rule that mandates a business continuity plan in the way Regulation S-P mandates safeguards. The Division of Examinations still expects to see one, and a tested one at that. The Business Continuity and Disaster Recovery (BCDR) Policy is your plan for keeping the firm running, or restoring it, after a disruption.

The most common gap we find is a plan that has never been tested. An untested plan will fail at the moment you need it, and examiners ask directly whether you’ve run a test.

Testing once a year against your recovery time objectives, meaning how quickly each system has to come back, turns a document into something you can rely on. Our SEC business continuity guidance covers what a workable test looks like for a small firm.

The custodian point is specific to advisers and worth stating in the policy. For most RIAs, client assets are with third-party custodians, each with its own continuity plan. An examiner wants to see that you’ve accounted for how clients reach their assets if your office goes dark.

One more piece ties back to record keeping. The amended Regulation S-P expects five years of records, and the right books-and-records rule for an RIA is Advisers Act Rule 204-2, not the broker-dealer rule. If you’d like the details, we cover SEC records retention for advisers separately.

Putting Your RIA Cybersecurity Policy in Order

You don’t have to build all four policies at once. Here’s how we usually sequence the work for a firm starting from a thin set of documents.

Start this week:

  • Confirm multifactor authentication is on for email and every core system.
  • Name the person who owns the security program, in writing.
  • Put a two-person rule on wire and ACH transfers.

Do this month:

  • Draft or refresh the Information Security Policy as your master document.
  • Pull your service providers into a simple risk-tiered list and check your contracts for breach-notification terms.
  • Remove any reference to a 48-hour SEC filing from your incident response plan and build in the 30-day client notice instead.

Do this quarter:

  • Run a documented risk assessment and let it drive your policy updates.
  • Test your business continuity plan against your recovery time objectives.
  • Review your cyber insurance limits against your real exposure.

When to Bring in Help

Plenty of firms can draft these policies in-house, especially with a capable CCO and a strong IT partner. Where it gets harder is the ongoing work beyond the documents:

  • Running the annual risk assessment
  • Producing the evidence an examiner asks for
  • Managing vendor reviews
  • Keeping all four policies current as the rules change

That’s the work behind the checklist. The checklist tells you what a strong RIA cybersecurity policy set looks like. Building it, operating it, and proving it works is where our RIA cybersecurity services come in.

Adelia Risk provides RIA cybersecurity services and cybersecurity for wealth management firms across the United States, including SEC-registered investment advisers of every size. We build the program, manage the tools, and get you examination-ready. If you’d like a second set of eyes on your policies, your controls, or your Regulation S-P readiness, we’re happy to show you how we can help.

Learn more about our Virtual CISO service for RIAs here.

Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
