Published on May 4th, 2026

Navigating Cyber Threats: What RIAs Should Be Doing Now

Vigilant Insights

Introduction

Cybersecurity continues to be a growing area of focus for Registered Investment Advisers (“RIAs”), particularly as data breaches impact Firms of all sizes. Recent industry coverage highlights that breaches are not only leading to regulatory scrutiny and financial penalties, but also reputational damage and client concern.

In line with the Reg S-P amendments, Firms are expected to implement more robust safeguards, including formalized incident-response plans. While foundational controls such as strong passwords, multi-factor authentication, and system monitoring remain critical, Firms are increasingly expected to take a proactive and comprehensive approach that incorporates employee training, vulnerability assessments, and simulated breach exercises.

Importantly, cybersecurity is no longer just an IT function; it is a firmwide responsibility that requires coordination across compliance, operations, and senior leadership.

Vigilant Director Laura Arnott, CFA, CIPM, IACCP®, CTPRP, CRISC, recently provided her insights to Financial Advisor IQ, focusing on how RIAs can protect themselves and their clients in the event of a data breach.

Laura Arnott Insights

Laura highlights that even Firms with strong cybersecurity frameworks are not immune to risk, particularly when human behavior is involved. She notes that while some Firms may fall short of best practices, even highly prepared organizations can experience breakdowns, often due to a single mistake such as an employee falling victim to a phishing or “vishing” (voice phishing) attack. This reinforces the reality that the human element remains one of the most significant vulnerabilities in any cybersecurity program.

She emphasizes the importance of Firms having a clear understanding of the data they maintain (particularly sensitive client information) and where that data resides across systems. Foundational controls, such as secure passphrases and multi-factor authentication, are viewed as essential safeguards, but they must be complemented by a broader culture of awareness.

Laura underscores that employee training plays a critical role in strengthening a Firm’s defenses. Developing a “cyberaware” workforce, supported by ongoing education and formalized policies and procedures, becomes increasingly important as Firms grow and their operational environments become more complex.

In the event of a breach, Laura points to the challenges Firms face in determining how and when to communicate with clients. She notes that there is a balance between notifying individuals quickly when sensitive information may be at risk and ensuring that communications are accurate and informed. In some cases, this may require a phased approach, where updates are provided as more details about the incident become available.

Finally, Laura stresses that leadership sets the tone for cybersecurity across the organization. When senior management prioritizes and actively reinforces the importance of cybersecurity, it helps drive firmwide accountability. Conversely, a lack of emphasis at the top can lead to gaps in controls and awareness, creating opportunities for bad actors to exploit vulnerabilities.

Vigilant's Conclusion

Cybersecurity risk is no longer hypothetical; it is an operational reality that RIAs must actively manage. As regulatory expectations evolve under Reg S-P, Firms should move beyond baseline controls and adopt a more structured, tested, and enterprise-wide approach to cyber risk management.

This includes:

  • Establishing and testing incident-response plans (including tabletop exercises)
  • Enhancing employee training and awareness programs
  • Conducting regular assessments of systems, access controls, and data mapping
  • Implementing governance frameworks that align compliance, IT, and leadership

Firms that take a proactive approach rather than reacting in real time during an incident will be better positioned to protect client information, meet regulatory obligations, and maintain operational resilience.

Vigilant works with Firms to design, enhance, and test cybersecurity and compliance frameworks, helping ensure readiness not just for regulatory requirements but for real-world scenarios.

On Thursday, May 7th, from 12:00 PM – 1:15 PM ET, Vigilant will be hosting a Reg S-P Webinar; registration is limited to 500 attendees. The registration link is below. If you need help with cybersecurity risk management, contact us and schedule a call today.

Contact Us

Reg S-P Webinar Registration Link