
Registered Investment Advisor (RIA) Cybersecurity Services

Use a Virtual CISO from Adelia Risk to navigate complex regulations, protect your clients, and protect your firm.
Navigating SEC / FINRA compliance can be daunting, but our Wealth Management Virtual CISO service makes it simple.

Our experienced Cybersecurity team will:
Assess your current cybersecurity posture
Provide clear action plans to achieve SEC compliance
Offer ongoing guidance and support to maintain a robust security program
With our help, you'll gain peace of mind knowing you're protecting your clients' data and your firm's reputation. We form long-term partnerships with our clients, ensuring you stay ahead of evolving cybersecurity threats and regulations.

Discover how our Wealth Management Virtual CISO service can help you navigate the complex world of RIA cybersecurity with confidence. Learn more here: https://adeliarisk.com/wealth-management-virtual-ciso/

Here's what our clients think...

"Working with Adelia Risk provides peace of mind. I sleep better at night knowing that our client data is being protected. Josh and his team are responsive, highly knowledgeable and helpful. They take complicated topics and make them understandable. We love working with Adelia Risk!"

Stacey Sternberg
Parsons Capital Management

"Like most investment advisors, I wanted to worry less and prepare for our next audit. Other vendors offered confusing "one size fits all" solutions. Since working with Adelia, we've built a policy that we understand and can achieve! We passed our most recent audit with flying colors."

Charlie Jackson
Jackson Money Management

"Before we hired Adelia, I thought our IT people (me) had the cybersecurity thing covered. 'We' were wrong. Josh and his team helped us find the gaps, close the gaps and document everything so we're as buttoned up as we need to be for our clients and the SEC."

W. Ben Utley
Physician Family Financial Advisors, Inc.

The Cheat Sheet for RIAs and Wealth Management Cybersecurity: Remaining In Compliance

RIA Cybersecurity Requirements & SEC Regulations

The SEC requires registered investment advisors to implement dozens of cybersecurity requirements.

These requirements are split across a number of publications, regulations, and risk alerts. Here are the main ones:
Regulation S-P: Safeguarding customer information - written policies and clear evidence that prove how you protect customer information.
Regulation S-ID: Identity Theft Prevention Program - written policies and clear evidence that you are carefully watching for criminals taking over your clients’ identities.
OCIE’s 2015 Cybersecurity Examination Initiative - six clear cybersecurity requirements that cover responding to incidents, evaluating vendors, and a lot more.
A handful of Risk Alerts from the SEC’s Division of Examinations (formerly the OCIE) that cover topics like ransomware, credential stuffing attacks, securely using texts and emails, securely using cloud services, and many more.

To get ready for an audit, you can download our 78-point audit checklist here.

What about new and future RIA Cybersecurity Requirements?

You may have heard chatter about some new, more stringent cybersecurity rules proposed in 2022 and 2023:
SEC Rule 206(4)-9 under the Advisers Act
Rule 38A-2 under the Investment Company Act
Rule 204-6
In a nutshell, these proposed regulations would have significantly raised the bar for wealth management firm cybersecurity. Most notably, RIAs would have been required to:
Notify the SEC of any cybersecurity incidents within 48 hours,
Disclose any cybersecurity incidents in Form ADV-C, which would be given to clients and published publicly, and
Much, much more. These new standards would have moved RIAs closer to the cybersecurity requirements of banks and other financial institutions.
While these new rules and regulations were never finalized and have been abandoned (for now), it’s helpful to understand how they signify new requirements that we may see in the future.

FINRA Cybersecurity Regulations

FINRA (a non-profit that regulates brokers and exchanges) also has something to say about cybersecurity. FINRA’s cybersecurity requirements tend to be higher-level than the guidance issued by the SEC.

Of special note:
FINRA Rule 3110: Supervisory Requirements and Rule 3120: Supervisory Control System require member firms to establish and maintain a system of supervisory control policies and procedures that test and verify their supervisory procedures, including the cybersecurity measures that protect customer records and information.
FINRA’s Small Firm Cybersecurity Checklist is a handy tool for doing a self-assessment, and has a high degree of overlap with the SEC’s requirements.
One important difference between FINRA and the SEC is that FINRA does have published requirements to report issues in the form of Rule 4530: Reporting Requirements. It’s important that you read and understand your requirements under this rule.

Other Cybersecurity Regulations: Federal

While most RIAs focus on the SEC and FINRA, there are also two other cybersecurity regulations that apply to wealth management firms:
The Gramm-Leach-Bliley Act (GLBA) - since 1999, this has been the law of the land for any “financial institutions.”
The FTC Safeguards Rule - adopted in 2003 and revised in 2021, this is an extension of GLBA.
Here’s the good news – there is a high degree of overlap between GLBA, the FTC Safeguards Rule, the FINRA requirements, and the SEC requirements. The work you do for the SEC requirements will mostly cover the other regulations.

Other Cybersecurity Regulations: State

The United States has a complicated patchwork of laws and regulations that govern cybersecurity. Each state has its own requirements, and some states (like California and New York) have the strictest laws in the country.

New York Specific Requirements

If you have clients in New York, you’re required to comply with the New York Department of Financial Services (DFS) Cybersecurity Regulation 23 NYCRR Part 500. Most people just call it “NYDFS” for short.

NYDFS is more stringent than both the SEC’s and FINRA’s requirements. Most notably, NYDFS requires that financial firms notify them within 72 hours of any incidents, and companies must formally certify compliance once a year.

California Specific Requirements

If you have clients in California, then you may be required to comply with the California Consumer Privacy Act of 2018 (CCPA). CCPA is less a cybersecurity regulation and more a law that focuses on giving your clients more control over their personal information. However, there are some cybersecurity requirements, and any RIA with clients in California should be aware of the law.

Fines and Penalties

Companies that don’t comply with NYDFS or CCPA risk both fines and embarrassment. NYDFS has imposed multiple multi-million dollar fines, and CCPA has also fined many companies for sizable amounts.

The bottom line is that these state regulations don’t necessarily apply to every company, so consult with a qualified attorney or compliance consultant to determine whether NYDFS or CCPA apply to you. If they do apply to you, though, you’ll need to do extra work to make sure you comply with the provisions they have, which are different from the SEC and FINRA guidance.

Get the 78-Point Cybersecurity Checklist


Download our checklist to get a free 78-point checklist of what cybersecurity measures you need to show in an audit.

What about the NIST Cybersecurity Framework?

If you’ve tried to do some research around SEC or FINRA cybersecurity regulations, you’ve probably seen references to the “NIST Cybersecurity Framework” (or NIST CSF for short).

Even though NIST is part of the federal government, the NIST Cybersecurity Framework is not a law or a regulation, and there is no requirement for Registered Investment Advisors to follow it.

NIST, as a government entity, publishes standards that apply to lots of different industries (not just cybersecurity). They’re the keepers of the atomic clock that measures time, and the official definitions of “a pound” and “a kilogram.”

Even though NIST doesn’t provide a formal law or regulation, it’s still worth understanding the NIST CSF framework. NIST basically gives you a cheat sheet for how to best organize your cybersecurity efforts. If you can confidently say you comply with NIST, then you’ve already gone most of the way to comply with SEC, FINRA, GLBA, FTC, CCPA, NYDFS, etc.

The NIST CSF also provides a common-sense framework for thinking through your cybersecurity program:
Identify: Know what you have that needs to be protected
Protect: Put measures in place to protect your systems, people, data, and money
Detect: Monitor for unusual activity and malicious attacks
Respond: Have a formal process to respond to suspected or confirmed attacks
Recover: Have a formal process to get back to normal after an attack
Govern: Put daily, weekly, monthly, and annual processes in place so you manage it as a core function of your business. (BTW, this is exactly what we do as part of our Wealth Management Virtual CISO service).
Adopting the NIST CSF will certainly help with compliance, but (more importantly) it gives you a framework to improve your overall cybersecurity posture.

Making sense of the alphabet soup

When we work with clients, we’ve already done the heavy lifting of interpreting the regulations above, and have put them into easy-to-understand, specific recommendations.

Here are just a few examples:
All of the regulations mentioned above require you to have a formal plan in place to respond to incidents. We’ve written articles like “SEC Cybersecurity Guidance: Incident Response” and provide templates like our free Incident Response policy template.
The SEC is particularly concerned about managing texts and emails, so we provide our analysis of the SEC guidance on emails and texts.
Our two-part article on Business Continuity Planning and Disaster Recovery is focused on putting a program in place that will satisfy all of these regulations.
You can see a full list of cybersecurity articles on our Blog.

The bottom line is that we make it easy for wealth management firms to assess where they stand today, build an action plan, and then be your long-term partner in getting you to the point where you’re secure AND compliant.

Click here to learn more about our Wealth Management Virtual CISO service.

Get Cybersecurity Help for your Wealth Management Firm

We help wealth management firms of all sizes to be safe against hackers, protect clients and employees, and comply with the SEC regulations.

If you'd like to learn more about how we help other RIAs, click here to learn more about our vCISO for Wealth Management Cybersecurity service.

Frequently asked questions

What are the main cybersecurity regulations that apply to RIAs?

The main cybersecurity regulations for RIAs include SEC requirements, FINRA regulations, the Gramm-Leach-Bliley Act (GLBA), and the FTC Safeguards Rule. Some state-specific regulations like NYDFS and CCPA may also apply depending on your client base.

Are there any state-specific cybersecurity regulations that RIAs need to be aware of?

Yes, notably the New York Department of Financial Services (NYDFS) Cybersecurity Regulation for firms with New York clients, and the California Consumer Privacy Act (CCPA) for those with California clients. Other states may have their own requirements, though they tend to be less stringent.

How often does the SEC update its cybersecurity requirements for RIAs?

The SEC periodically updates its cybersecurity requirements. While there's no set schedule, the SEC issues risk alerts and guidance as new threats emerge or industry practices evolve. It's crucial for RIAs to stay informed about these updates.

What are the potential consequences of non-compliance with SEC cybersecurity regulations?

Consequences can include regulatory fines, reputational damage, loss of client trust, and in severe cases, legal action. The SEC has the authority to impose significant penalties for non-compliance.

What is the NIST Cybersecurity Framework, and should RIAs follow it?

The NIST Cybersecurity Framework is a voluntary set of guidelines for managing cybersecurity risks. While not mandatory for RIAs, following the NIST CSF can help ensure comprehensive cybersecurity practices and aid in compliance with various regulations.

How can RIAs prepare for an SEC cybersecurity audit?

RIAs can prepare by regularly assessing their cybersecurity posture, maintaining comprehensive documentation of policies and procedures, conducting staff training, and potentially using a cybersecurity checklist designed for SEC compliance.

What is a Virtual CISO (vCISO), and how can it benefit an RIA firm?

A Virtual CISO is an outsourced cybersecurity expert. They can help RIAs build a robust cybersecurity program, ensure regulatory compliance, and manage cybersecurity risks without a full-time hire.

What are the most common cyber threats facing RIA firms?

Common threats include phishing attacks, ransomware, wire fraud, banking trojans, and data breaches. Social engineering tactics targeting employees and clients are also prevalent.

How often should RIAs conduct cybersecurity risk assessments?

RIAs should conduct risk assessments at least annually. However, more frequent assessments may be necessary when significant changes occur in the business or technology environment.

What are the best practices for protecting client data in an RIA firm?

Best practices include strong access controls, encrypting sensitive data, regularly updating software, conducting employee training, using secure communication channels, and having a robust incident response plan.

How can RIAs effectively train employees on cybersecurity awareness?

Effective training includes regular sessions on recognizing threats, safe internet practices, proper data handling, and incident procedures. We also recommend (and provide) simulated phishing tests.

What should be included in an RIA's incident response plan?

An incident response plan should include steps for identifying, containing, and mitigating security incidents, roles and responsibilities of team members, communication protocols, and procedures for notifying affected parties and regulators.

How do cybersecurity requirements differ for cloud-based vs. on-premises systems?

While core security principles apply to both, cloud-based systems often require additional focus on vendor management, data encryption in transit and at rest, and configuring security settings that are your responsibility.

What are the key components of a robust business continuity plan for RIAs?

Key components include data backup and recovery procedures, alternate work locations, communication plans, critical business function identification, and regular testing and updates of the plan.

What is Rule 206(4)-9 under the Advisers Act?

Rule 206(4)-9 is a proposed SEC rule that would require investment advisers to adopt and implement written cybersecurity policies and procedures, report significant cybersecurity incidents, and provide cybersecurity-related disclosures to clients. This rule is unlikely to be implemented in its current form.

What is Rule 204-6?

Rule 204-6 is a proposed SEC rule that would amend existing recordkeeping, reporting, and disclosure rules. It would require advisers to maintain specific records related to their cybersecurity policies, procedures, risk assessments, and incidents. This rule is unlikely to be implemented in its current form.

Do you think we might be a good match?

Copyright 2025 Adelia Associates, LLC | All Rights Reserved