Introduction
Each October, the Department of Homeland Security and CISA lead Cybersecurity Awareness Month, reminding everyone to “Secure Our World.”
For investment advisers, it’s a great time to check your firm’s controls, train your team, and update your policies before year-end reviews or exams.
Cyber incidents remain one of the biggest operational risks for RIAs. Regulators expect firms to keep their security programs documented, tested, and up to date. Here are five simple steps to strengthen your defenses this month.
1. Turn On Multifactor Authentication (MFA)
Require MFA on every system that handles client data — email, CRM, portfolio management, and custodian portals.
Check admin accounts every quarter and remove old logins right away. MFA is still the best protection against phishing and unauthorized access.
2. Tighten Email Security and Verification
Email continues to be the main way data is breached.
Do this now:
- Add phishing filters and impersonation protection to your email platform.
- Turn on external sender banners so staff can see outside messages at a glance.
- Confirm client requests by phone — use a number you already know, not one in the email.
Train your team to “stop and verify.” One click is all it takes to expose non-public personal information (NPI).
“There’s no patch for human error — but training comes close.”
3. Secure Devices and Backups
All work devices — firm-owned or approved personal — should:
- Use strong passwords and auto-lock within five minutes.
- Have encryption and remote-wipe enabled.
- Install updates automatically.
Make sure critical systems (email, CRM, shared drives) are backed up daily. Test a restore at least once a quarter to prove you can recover quickly.
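The quarterly restore test above is only meaningful if you compare what came back against what went in. The following is an added example (not the article's or Stile Compliance's own tooling) of a restore drill on constructed sample files: it records a SHA-256 manifest at backup time, restores into a fresh directory, and reports any file that is missing or whose contents changed. The 90-day and directory names are illustrative; the `tamper` flag simulates a backup that silently went bad so the drill can be seen failing.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, backup_dir: Path) -> dict:
    """Copy the tree and return the manifest of hashes taken at backup time.

    The manifest is the evidence you later restore against; keep it with
    the backup record, not only on the source system.
    """
    shutil.copytree(source, backup_dir)
    return hash_tree(source)


def restore_and_verify(backup_dir: Path, restore_dir: Path, manifest: dict) -> dict:
    """Restore into a clean directory and compare every file to the manifest."""
    shutil.copytree(backup_dir, restore_dir)
    restored = hash_tree(restore_dir)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(
        p for p in manifest if p in restored and restored[p] != manifest[p]
    )
    return {
        "ok": not missing and not corrupted,
        "files_checked": len(manifest),
        "missing": missing,
        "corrupted": corrupted,
    }


def run_restore_drill(tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data in a temporary directory.

    tamper=True overwrites one file inside the backup copy to show what a
    failed drill report looks like (a constructed failure, not real bit rot).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "shared_drive"  # hypothetical "critical system"
        (source / "clients").mkdir(parents=True)
        (source / "clients" / "statement.txt").write_text("constructed sample statement")
        (source / "policies.txt").write_text("constructed policy text")

        manifest = make_backup(source, tmp / "backup")
        if tamper:
            (tmp / "backup" / "policies.txt").write_text("constructed corruption")
        return restore_and_verify(tmp / "backup", tmp / "restore", manifest)


if __name__ == "__main__":
    print("clean drill:", run_restore_drill())
    print("tampered drill:", run_restore_drill(tamper=True))
```

Save the printed report with the date and the name of whoever ran it; that is the "test a restore" evidence an examiner asks for.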
4. Keep an Incident Response Plan Ready
If a breach happens, you need a plan — not panic.
Your Incident Response Plan (IRP) should include:
- Clear roles and responsibilities
- A short incident log template
- Escalation steps for legal, insurance, and regulatory contacts
- A simple timeline for containment and communication
Run a 30-minute tabletop exercise this month to practice a mock email or ransomware event. Document who participates — that record counts as compliance evidence.
5. Review Vendors and Access Lists
Third-party vendors and old accounts can open the door to risk.
- Update your vendor list for all systems holding client data.
- Request each vendor’s SOC 2 report or other security proof.
- Confirm breach notification terms in your contracts.
- Remove inactive users and former employees from shared folders and apps.
Keeping a complete vendor file shows regulators you’re managing third-party risk — a key part of the Regulation S-P amendments.
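As an added example (not the article's own procedure), here is one way to turn the "remove inactive users and former employees" item into a repeatable access review: export the user list from each system, mark who is still employed, and let a script produce the removal list and the record of who reviewed it. The account records, the review date and the 90-day inactivity limit are constructed assumptions for illustration; in practice the list comes from each platform's user export.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)  # assumed firm policy, adjust to yours


@dataclass
class Account:
    user: str
    system: str
    last_login: Optional[date]  # None means the account has never signed in
    employed: bool              # from HR, not from the application itself
    privileged: bool = False    # admin accounts get a separate quarterly look


# Constructed sample export; names and systems are hypothetical.
REVIEW_DATE = date(2025, 10, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", "crm", date(2025, 10, 10), employed=True, privileged=True),
    Account("bob", "shared_drive", date(2025, 6, 1), employed=True),
    Account("carol", "email", date(2025, 9, 30), employed=False),
    Account("dave", "custodian_portal", None, employed=True),
    Account("erin", "crm", date(2025, 8, 1), employed=True),
]


def review_access(accounts, today: date) -> dict:
    """Classify every account; former employees are flagged even if recently active."""
    remove, privileged, keep = [], [], []
    for a in accounts:
        if not a.employed:
            remove.append({"user": a.user, "system": a.system, "reason": "former employee"})
        elif a.last_login is None:
            remove.append({"user": a.user, "system": a.system, "reason": "never signed in"})
        elif today - a.last_login > INACTIVITY_LIMIT:
            days = (today - a.last_login).days
            remove.append({"user": a.user, "system": a.system, "reason": f"inactive {days} days"})
        else:
            keep.append(a.user)
            if a.privileged:
                privileged.append(a.user)
    return {"review_date": today.isoformat(), "remove": remove, "privileged": privileged, "keep": keep}


if __name__ == "__main__":
    report = review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for row in report["remove"]:
        print(f"REMOVE {row['user']:<6} {row['system']:<16} {row['reason']}")
    print("privileged accounts to re-confirm:", report["privileged"])
```

Run it each quarter, attach the output to the vendor file with the reviewer's name, and you have the access-review record the Regulation S-P discussion above is asking for.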
6. Educate Clients — It’s Part of Fiduciary Duty
Let clients know how you protect their data and how they can protect themselves.
Encourage them to:
- Use MFA for custodian logins.
- Create strong, unique passwords and use a manager.
- Confirm any money-movement request by calling your published number.
Being transparent builds trust and reinforces your duty to put clients first.
Conclusion
Cybersecurity isn’t just an IT issue — it’s part of your fiduciary and compliance responsibility.
Make October the month you:
- Rehearse your plan
- Update your policies and records
- Show you’re in control when it matters most
If your firm wants help running a tabletop exercise or needs a ready-to-use cybersecurity packet (policies, logs, and checklists), contact Stile Compliance today.
“To err is human. To really foul things up requires a password reset.”