Cybersecurity is one of the few regulatory areas that enjoys bipartisan support, which highlights just how essential it is for registered investment advisors (RIAs) to keep a strong cybersecurity and technology foundation. With regulations tightening and cyber threats constantly evolving, RIAs are expected to take client data protection seriously. Staying ahead with a solid cybersecurity strategy isn’t just about checking the compliance box—it’s about building trust and securing the future of your business in a digital-first world.
In a recent CFO DIVE article “SEC cyber rules could survive regardless of election outcome, experts say,” John Pearce, principal, cyber risk, risk advisory services for consulting firm Grant Thornton, said, “I think we generally find that cyber is a rather bipartisan kind of focus area.”
While federal leadership might influence the enforcement vigor or SEC leadership composition, cybersecurity policies are expected to persist. This consistency allows RIAs to continue investing in cybersecurity knowing that regulatory expectations won’t drastically shift after the election.
The SEC’s updated cybersecurity rules, finalized in the past year, mandate that public companies—and by extension many RIAs—report any material cybersecurity incidents promptly within four days of determining materiality. This rule emphasizes transparency and communication with investors, providing a clearer picture of potential risks associated with their investments.
These developments mirror broader international efforts to standardize and strengthen cybersecurity expectations. With both U.S. and global regulators cracking down on cybersecurity, RIAs must ensure their practices align with increasingly stringent standards or risk regulatory action.
Given the SEC’s cybersecurity stance, RIAs need their IT and finance teams to collaborate to address evolving requirements effectively. CFOs play a pivotal role in this process, as they are often responsible for ensuring the firm’s compliance posture aligns with SEC mandates. KPMG principal Jonathan Fairtlough noted that while the recent SEC rules are not new per se, they clarify existing responsibilities, which include accurate and timely disclosure of cybersecurity risks. This approach to cybersecurity makes it clear that financial transparency goes hand-in-hand with data protection.
Fairtlough said, “This sea change, it’s slowly seeping in, but it’s becoming more and more and more of a requirement where we’re seeing boards and executives, [the] C-suite really trying to grapple with, what are the methods they can use to understand cyber risk and to be able to quantify it, and to be able to measure it, without having to understand each and every piece of the technology?”
With regulatory pressure and evolving cybersecurity threats on the rise, here are three actions RIAs can take to build a strong cybersecurity framework and ensure compliance.
Why: Collaboration between finance and IT departments is critical. CFOs need to work closely with IT leaders to understand cybersecurity vulnerabilities, reporting obligations, and risk disclosure requirements.
Action: Establish regular cross-functional meetings between IT, finance, and compliance teams. This allows for ongoing communication, especially around emerging threats, to proactively address regulatory updates and SEC cybersecurity rules.
Why: The SEC’s disclosure rule requires RIAs to report material cybersecurity incidents within a tight timeframe, making it essential to have a rapid response and reporting system in place.
Action: Set up a standardized incident response plan that includes clear steps for assessing materiality, determining when to disclose incidents, and alerting the necessary regulatory bodies. Test this plan regularly to identify any potential delays in the response process.
Why: RIAs operate in an increasingly complex regulatory environment, and cybersecurity tools that prioritize compliance can simplify meeting SEC requirements and improve transparency.
Action: Choose managed IT services that integrate compliance tracking, threat detection, and response capabilities. The ideal managed IT vendor should have a solid understanding of the RIA industry’s specific compliance needs, and help firms monitor and report on cybersecurity incidents effectively while minimizing compliance risks.
As RIAs navigate the complexities of cybersecurity regulation, building a proactive, compliance-oriented approach will help them stay ahead of potential threats and regulatory demands. With the SEC’s new rules likely to remain regardless of political changes, RIAs need a cybersecurity strategy that not only protects client assets but also upholds regulatory expectations for transparency and rapid disclosure. By investing in managed IT solutions, fostering strong interdepartmental collaboration, and implementing a clear incident response plan, RIAs can confidently navigate the evolving cybersecurity landscape.
Author:
Steven Ryder, Chief Strategy Officer
Steven has over 20 years of experience in enterprise technology and cybersecurity, specializing in helping financial advisors implement secure and efficient technology solutions. He is passionate about serving others, dedicating significant time and resources to helping communities in need in El Salvador and Ecuador. Steven combines his expertise in technology with a commitment to making a positive impact both professionally and personally.