Cybercrimes continue to target vulnerable companies globally, and advisers are now in the crosshairs. Recent interviews with cybersecurity professionals, and our team’s experience working with hundreds of advisers on cybersecurity-related subjects, have uncovered a rampant wave of attempted cyberattacks on RIAs and their vendors.
Advisers often maintain sensitive client data as part of their day-to-day operations – high-value financial data like account numbers, non-public personal information like Social Security Numbers and birthdates, and direct access to client assets. As a result, RIAs are in cybercriminals’ crosshairs as they deploy social engineering attacks such as credential compromise (e.g., passwords), multifactor authentication fatigue, and third-party vendor attacks, in an attempt to obtain that data.
Further, the SEC consistently lists cybersecurity as a top examination priority year after year.
How Can RIAs Protect Themselves?
The new wave of social engineering attacks against RIAs can leave firms wondering what they can do to safeguard client information.
- Maintain a Cybersecurity Manual. RIAs should maintain written policies as part of a standalone Cybersecurity Manual – separate from the standard written Policies and Procedures Manual – outlining their cybersecurity practices and procedures, including a list of cybersecurity vendors and consultants, and how sensitive information is protected. Your compliance team at Stark & Stark can assist with drafting a customized written Cybersecurity Manual.
- Maintain an Incident Response Program. The Regulation S-P Incident Response Program requirement became effective for large advisers ($1.5 billion or more in AUM) in December 2025, and becomes effective on June 3, 2026 for small advisers (under $1.5 billion in AUM). The written Incident Response Program must outline what types of events constitute cybersecurity incidents, how the incident response team should respond, relevant stakeholders, and client and regulator notification when applicable. Your compliance team at Stark & Stark can assist with the preparation of an Incident Response Program before June 3, 2026.
- Perform Annual and Ongoing Employee Training. RIAs should train employees on the importance of identifying red flags of social engineering attacks such as suspicious links, questionable information requests, and unusual requests to withdraw assets.
- Annually Review Third-Party Vendors. RIAs should conduct due diligence on all third-party vendors’ cybersecurity practices, including requesting SOC 2 reports and assessing vendors’ incident response capabilities.
- Maintain Proper Cybersecurity Hygiene. In addition to regular employee training, RIAs should implement measures that require employees to change passwords on a regular basis, maintain a multifactor authentication regime, closely scrutinize all electronic communications from external sources, and ensure sensitive information shared electronically is sent using a secure communication method.
- Engage a Third-Party Cybersecurity Consultant. RIAs don’t have to rely solely on internal cybersecurity regimes. Engaging a third-party cybersecurity consultant can help alleviate the burden of ongoing cybersecurity maintenance but does not eliminate the adviser’s obligations altogether.
- Review Your Insurance Coverage. RIAs should, at the very least, maintain robust errors & omissions insurance coverage. However, many forget to check whether such coverage also covers cybersecurity incidents. RIAs should review their coverage with an insurance professional to determine whether their existing policy covers cybersecurity incidents or whether a separate, standalone cybersecurity insurance policy should be purchased.
The convergence of heightened threats from cybercriminals, the upcoming June 3, 2026 Incident Response Program deadline, and increased SEC scrutiny of cyber-related issues makes cybersecurity an urgent priority for RIAs in 2026 and beyond.
