We’re only a few months into the new administration, and (as expected) the SEC has already made it clear that cybersecurity is a top priority. On February 25, the SEC announced the creation of the Cyber and Emerging Technologies Unit (“CETU”), replacing the existing Crypto Assets and Cyber Unit. The CETU will focus on protecting investors from fintech- and cyber-related misconduct. This means that firms should focus on maintaining a secure network and prioritizing cybersecurity practices to protect client and investor information against inadvertent disclosure.
The checklist below outlines key components of a sound cyber and data security program, and may be a helpful resource as you finalize planning for 2025. This list also includes key components related to new requirements, such as Amended Regulation S-P.
- Ensure you have customized policies and procedures to address your firm’s business practices and regulatory requirements, including but not limited to:
  - Incident Response (under Amended Regulation S-P, covered institutions will be required to maintain an incident response plan (IRP) designed to detect, respond to, and recover from unauthorized access to or use of client information);
  - Disaster Recovery and Business Continuity;
  - Cyber and Data Security;
  - Vendor Management (see the “vendor management program” section below for full details);
  - Access Management;
  - Remote Office Oversight;
  - Customer Notification requirement (notice is required as soon as practicable, and within 30 days, for covered institutions under Amended Regulation S-P); and
  - Artificial Intelligence (AI) acceptable use policy.
- Plan for an annual cybersecurity risk assessment.
  - Consider using this as a roadmap for assessing gaps and identifying ways to mitigate risk.
- Establish a comprehensive testing program.
  - Evaluate whether the firm adheres to its key policies and procedures, including periodic review of security patching reports, firewall reports, and network monitoring reports.
  - Set dates for tabletop exercises to test the firm’s Incident Response Plan and its Disaster Recovery and Business Continuity Plans.
  - Hold Access Management reviews: conduct an annual or semi-annual access review to evaluate user access rights and confirm access is limited to the scope necessary for the employee’s role.
  - Conduct dark web monitoring to check for exposed passwords.
  - Engage a third party to conduct an annual internal and/or external penetration test.
  - Conduct periodic internal and external vulnerability scans on the firm’s network. Firms should take a risk-based approach in determining frequency. Typically, firms increase the frequency of scans as the firm grows and its footprint and potential attack vectors increase.
- Maintain a vendor management program and ensure that it complies with Amended Regulation S-P.
  - Adopt policies and procedures regarding due diligence and monitoring of service providers.
  - Conduct recurring reviews of service providers.
  - Review the key service providers list and determine if any changes are necessary.
  - Note: this is not only a best practice, but it will also now be required under Amended Regulation S-P. Additionally, service providers have a 72-hour notice requirement to covered institutions. For more details on Amended Regulation S-P, see our separate summary.
- Establish or maintain an employee training program to enable employees to spot the latest threats: human action or inaction is the most common cause of a breach, which is why training is critical.
  - Create a custom training program to educate employees on your policies and procedures. Be sure to include AI, Vendor Management, Regulation S-P, and Regulation S-ID.
  - Conduct periodic mock phishing training. We recommend deploying mock phishing exercises at least monthly.
- Implement Multi-Factor Authentication (MFA) on all accounts where possible.
- Assess your firm’s cyber and data security needs.
  - Determine if you have internal expertise, or if external support is required to accomplish your goals.
  - If external support is needed, evaluate potential service providers and conduct due diligence.
- Ensure you have a process in place to monitor regulatory developments and updates.
  - To receive regulatory changes and updates directly to your inbox, sign up to receive our Flash Reports.
Questions? We can help.
As new types of technology emerge, the nature of risk changes, and what worked in the past may no longer be sufficient. Make sure that your cyber and data security programs meet not only regulatory requirements but also industry best practices. If you have any questions, or if you’d like to speak with a regulatory expert, let us know.