Top Data Privacy & Cybersecurity Considerations in 2025 for RIAs

1. Compliance and Regulations

  • Ensure adherence to SEC regulations with appropriate privacy and cybersecurity policies tailored to SEC requirements.

  • Stay current on SEC-proposed cybersecurity and data privacy rules and risk alerts to help ensure policy alignment with the SEC’s expectations for registered funds and advisers.

  • Incorporate state-specific regulations related to data protection and cybersecurity (e.g., California Consumer Privacy Act and Texas Data Privacy and Security Act) into company privacy and cybersecurity policies.

  • Policies and procedures should encompass risk assessment, incident response, and data breach notification procedures. This includes planning for legal obligations to provide notice of reportable breaches to regulators and investors.

  • Comply with the General Data Protection Regulation (GDPR) if dealing with investors who are European residents.

2. Contract Drafting and Revision

  • Review client agreements, subscription documents, and investor disclosures to ensure compliance with privacy laws and cybersecurity best practices.

3. Vendor Risk Management

  • Assess each vendor’s security practices and protocols for personally identifiable information.

  • Add Service Provider[1] statutory obligations required by state consumer data privacy laws, along with cybersecurity controls, into applicable agreements.

  • Conduct due diligence on third-party Service Providers to ensure they adhere to cybersecurity best practices and regulatory requirements.

4. Regular Compliance Reviews

  • Conduct regular reviews and audits of cybersecurity policies, procedures and controls, at least annually, to ensure ongoing compliance with SEC regulations and best practices.

5. Regulatory Examination Preparation

  • Ensure preparedness for SEC examinations related to cybersecurity practices, including documentation readiness and compliance audits.

6. AI and Legal Tech Risk Assessment

  • Counseling and policy/contract drafting and review.

  • Gap/vulnerability assessment for types of AI usage (product vs. customer-facing).

  • AI responsible use policy.

Source: Advisor Armor