Cybersecurity Risk Assessment Checklist

Governance and Risk Management

    Document the named CISO (or virtual CISO), incident response lead, and backup deputy in the firm's WISP. NYDFS Part 500 and the SEC's proposed Reg S-P amendments both expect a designated, documented owner — not a shared inbox. Confirm coverage during PTO and CCO transitions.

    Walk the written information security program against the FTC Safeguards Rule elements: risk assessment, access controls, encryption, MFA, monitoring, training, incident response, and vendor oversight. Flag any element where the written policy doesn't match current practice — auditors compare both.

    List every system that holds NPI (nonpublic personal information) or client account data: CRM (Wealthbox / Redtail / Salesforce FSC), portfolio management (Black Diamond / Orion / Tamarac / Addepar), planning (eMoney / MoneyGuide / RightCapital), custodian portals, email archive, and any shadow SaaS the team has signed up for.

    Score likelihood and impact for each in-scope system using the firm's risk matrix (NIST CSF or CIS Controls mapping is typical). Document residual risk after compensating controls — not just inherent risk. The aggregate rating drives whether an emergency board session is convened.

    Present residual risk, top three remediation priorities, and budget asks at the next regularly scheduled board or management committee meeting. Capture the meeting minutes — SEC examiners and NYDFS regularly ask for evidence that cybersecurity reaches the board, not just IT.

    A High residual risk rating warrants a same-week briefing rather than waiting for the next quarterly meeting. Walk through the specific findings, recommended interim controls, and a 30/60/90-day remediation plan with named owners.

Access Controls and Authentication

    Verify that Schwab Advisor Center, Fidelity Wealthscape, Pershing NetX360, Altruist, and the firm CRM all require MFA — preferably authenticator app or hardware key, not SMS. Spot-check a sample of advisor and CSA accounts; SMS-only fallback is a common audit finding.

    Pull the HR JML log for the last 12 months and reconcile against current access lists in every regulated system. The recurring gotcha: a paraplanner who moved teams still has access to the prior team's client folder, or a terminated rep still has a Schwab login because IT closed Active Directory but not the custodian profile.
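One way to run that reconciliation, as an added example that is not part of the checklist: the script below takes an HR joiner/mover/leaver log and the access lists pulled from each regulated system, then flags terminated users who still hold an account anywhere and movers who still hold access scoped to their prior team. The system names, team names and the sample entries are all constructed; the real exports from a custodian portal or CRM will need a small adapter into the two record types.

```python
"""Reconcile the HR JML log against per-system access lists.

Added example, not from the checklist: records, system names and team names
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class JmlEvent:
    user: str
    event: str                       # "joiner", "mover" or "leaver"
    effective: date
    team: Optional[str] = None       # movers: team the user moved TO
    prior_team: Optional[str] = None # movers: team the user left


@dataclass(frozen=True)
class AccessEntry:
    system: str
    user: str
    scope: str                       # entitlement scope, e.g. a team's client folder


def reconcile(events: List[JmlEvent], access: List[AccessEntry],
              as_of: date) -> List[Tuple[str, str, str]]:
    """Return sorted (system, user, reason) findings as of the given date."""
    leavers = {e.user for e in events
               if e.event == "leaver" and e.effective <= as_of}
    # Keep only the most recent effective move per user.
    moves = {}
    for e in sorted(events, key=lambda ev: ev.effective):
        if e.event == "mover" and e.effective <= as_of:
            moves[e.user] = e
    findings = []
    for a in access:
        if a.user in leavers:
            findings.append((a.system, a.user, "terminated user still has access"))
        elif a.user in moves and a.scope == moves[a.user].prior_team:
            findings.append((a.system, a.user,
                             f"still scoped to prior team {a.scope!r} "
                             f"after move to {moves[a.user].team!r}"))
    return sorted(findings)


# Constructed sample data: one joiner, one mover, one past leaver, one future leaver.
SAMPLE_EVENTS = [
    JmlEvent("alice", "joiner", date(2024, 3, 1)),
    JmlEvent("bob", "mover", date(2024, 9, 15),
             team="planning-east", prior_team="planning-west"),
    JmlEvent("carol", "leaver", date(2024, 11, 30)),
    JmlEvent("dave", "leaver", date(2025, 2, 1)),
]

# Constructed access lists. Note carol's directory account is gone but the
# custodian profile was never closed; bob kept his old team's folder.
SAMPLE_ACCESS = [
    AccessEntry("custodian-portal", "carol", "all-clients"),
    AccessEntry("crm", "bob", "planning-west"),
    AccessEntry("crm", "bob", "planning-east"),
    AccessEntry("crm", "alice", "planning-east"),
    AccessEntry("custodian-portal", "dave", "all-clients"),
]

AS_OF = date(2025, 1, 15)


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(SAMPLE_EVENTS, SAMPLE_ACCESS, AS_OF)


if __name__ == "__main__":
    for system, user, reason in sample_findings():
        print(f"{system:18} {user:8} {reason}")
```

Run it against the real exports once a quarter and keep the output with the attestation; a finding list of zero is itself evidence worth filing.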

    Admin rights in Tamarac, Orion Eclipse, iRebal, or Black Diamond can move money, change models, or export entire client books. Confirm each privileged user is still in role and that the count matches the last quarterly attestation.

    Inventory non-human accounts: data feed credentials between the custodian and PMS, integration tokens between the CRM and planning software, vendor API keys. Rotate any key older than 12 months and disable any service account whose business owner can no longer be identified.
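A minimal review of that inventory in code, added here as an example and not taken from the checklist: each service account carries a business owner and the issue date of its current credential, and the review returns the action the item above calls for (disable when the owner is unknown or no longer at the firm, rotate when the key is older than 12 months, otherwise ok). Account names, owners and dates are constructed.

```python
"""Review non-human accounts for stale keys and orphaned ownership.

Added example, not from the checklist: the inventory below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Set

MAX_KEY_AGE = timedelta(days=365)   # the checklist's 12-month rotation threshold


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    system: str
    owner: Optional[str]     # business owner, None if nobody can be identified
    key_issued: Optional[date]  # issue date of the current key/token, None if unknown


def review_service_accounts(accounts: Iterable[ServiceAccount], as_of: date,
                            active_staff: Set[str]) -> Dict[str, str]:
    """Map each account name to "disable", "rotate" or "ok"."""
    actions = {}
    for acct in accounts:
        if acct.owner is None or acct.owner not in active_staff:
            # No accountable owner: disable first, ask questions later.
            actions[acct.name] = "disable"
        elif acct.key_issued is None or as_of - acct.key_issued > MAX_KEY_AGE:
            # Unknown issue date is treated the same as an old key.
            actions[acct.name] = "rotate"
        else:
            actions[acct.name] = "ok"
    return actions


# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    ServiceAccount("custodian-feed", "pms", "ops-lead", date(2023, 11, 1)),
    ServiceAccount("crm-to-planning", "crm", "dave", date(2024, 6, 1)),
    ServiceAccount("archive-api", "email-archive", None, date(2024, 10, 1)),
    ServiceAccount("pms-sync", "pms", "alice", date(2024, 8, 15)),
    ServiceAccount("legacy-export", "crm", "alice", None),
]
ACTIVE_STAFF = {"ops-lead", "alice"}     # dave has left the firm
AS_OF = date(2025, 1, 15)


def sample_review() -> Dict[str, str]:
    return review_service_accounts(SAMPLE_ACCOUNTS, AS_OF, ACTIVE_STAFF)


if __name__ == "__main__":
    for name, action in sample_review().items():
        print(f"{name:18} {action}")
```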

    Verify that read access to NPI in the CRM, document portal, and custodian downloads is logged, and that the logs are retained per the books-and-records rule (SEC Rule 204-2: 5 years, the first 2 onsite). Sample a recent week's logs to confirm they are actually being captured, not just configured.
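The "captured, not just configured" check can be automated over the sampled week. The script below is an added example, not part of the checklist: it parses a simple key=value access-log format (an assumption; real CRM and portal logs will differ), counts NPI read events per system per business day, and reports any system with a day of zero reads, which is the signature of logging that was switched on but never actually wired to the collector. The log lines and system names are constructed.

```python
"""Detect business days on which an in-scope system captured no NPI read events.

Added example, not from the checklist: log format, system names and the set
of actions counted as reads are assumptions; the sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

READ_ACTIONS = {"view_record", "read", "download", "export"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<system>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Optional[Tuple[date, str, Dict[str, str]]]:
    """Return (event_date, system, fields) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return ts.date(), m.group("system"), fields


def business_days(week_start: date) -> List[date]:
    """Monday through Friday of the sampled week."""
    return [week_start + timedelta(days=i) for i in range(5)]


def capture_gaps(lines: Iterable[str], systems: List[str],
                 week_start: date) -> Dict[str, List[date]]:
    """Map each system to the business days with no captured read event."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip garbage rather than abort
        day, system, fields = parsed
        if fields.get("action") in READ_ACTIONS:
            seen[system].add(day)
    gaps = {}
    for system in systems:
        missing = [d for d in business_days(week_start) if d not in seen[system]]
        if missing:
            gaps[system] = missing
    return gaps


# Constructed sample: the doc-portal stops producing read events midweek,
# and a login on Wednesday must not count as a read.
SAMPLE_LOG = """
2025-01-06T09:12:03Z crm user=alice action=view_record object=client:1042
2025-01-07T08:41:19Z crm user=bob action=view_record object=client:2210
2025-01-08T13:05:55Z crm user=alice action=export object=household:77
2025-01-09T10:22:40Z crm user=carol action=view_record object=client:1042
2025-01-10T16:58:02Z crm user=bob action=view_record object=client:3300
2025-01-06T06:30:00Z custodian-download user=svc-feed action=download file=positions_20250106.csv
2025-01-07T06:30:00Z custodian-download user=svc-feed action=download file=positions_20250107.csv
2025-01-08T06:30:00Z custodian-download user=svc-feed action=download file=positions_20250108.csv
2025-01-09T06:30:00Z custodian-download user=svc-feed action=download file=positions_20250109.csv
2025-01-10T06:30:00Z custodian-download user=svc-feed action=download file=positions_20250110.csv
2025-01-06T11:14:27Z doc-portal user=carol action=read doc=tax-return-2023.pdf
2025-01-07T15:02:09Z doc-portal user=alice action=read doc=estate-plan.pdf
2025-01-08T09:00:00Z doc-portal user=carol action=login
this line is malformed and should be skipped
""".strip().splitlines()

IN_SCOPE = ["crm", "doc-portal", "custodian-download"]


def sample_gaps() -> Dict[str, List[date]]:
    return capture_gaps(SAMPLE_LOG, IN_SCOPE, date(2025, 1, 6))


if __name__ == "__main__":
    for system, days in sample_gaps().items():
        print(system, [d.isoformat() for d in days])
```

A system that never appears in the sampled week at all shows up with all five days missing, which is the case to escalate first.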

Data Protection and Encryption

    Map each data store to a tier: NPI (SSN, account numbers, balances), confidential (planning assumptions, meeting notes), and internal. The classification drives encryption, retention, and disposal requirements downstream.

    Daily position and transaction files from Schwab, Fidelity, and Pershing often land on a network share or local drive before import. Confirm those landing zones are encrypted (BitLocker, FileVault, or AES-256 on the file server) and that the import job purges the file after load.

    A backup that has never been restored is not a backup. Restore a sample of the PMS database, CRM export, and document portal to an isolated environment and confirm the data opens cleanly. Capture screenshots and the restore timestamp as audit evidence.

    Pull certificates of destruction for any laptop, server, or copier hard drive retired since the last assessment. Lease-return copiers are a recurring blind spot — the multifunction unit at the front desk has a hard drive that scanned every client tax return for three years.

    Confirm Smarsh, Global Relay, or Bloomberg Vault is capturing every advisor's email, LinkedIn DMs, and approved texting channel (MyRepChat, Hearsay Relate). The SEC's $2B+ in off-channel sweep penalties through 2024 came from personal text and WhatsApp use — spot-check that the policy is enforced, not just written.

Incident Response and Recovery

    Walk through a scenario where the CRM and document portal are encrypted on a Friday afternoon. Test the call tree, custodian notification, cyber insurance hotline, and outside counsel engagement. The most common gap surfaced: nobody has the cyber insurer's 24/7 hotline number in their phone.

    Log each gap with a named owner, target date, and verification method. Examiners look for the loop being closed — a tabletop that surfaced gaps two years running with no remediation log is worse than not doing the tabletop.

    Public companies (and many BDs) must file an 8-K Item 1.05 within four business days of determining a material cybersecurity incident. Confirm the materiality determination process is documented and that disclosure counsel is on the IR call tree. Even non-public RIAs should mirror the four-day cadence for client notification.

    The amended FTC Safeguards Rule requires notification to the FTC within 30 days of discovering an incident affecting 500+ consumers. State breach notification laws (CCPA, NY SHIELD, MA 201 CMR 17) layer on top with their own timelines and content requirements. Confirm the template letter, FTC notification path, and state-by-state matrix are current.

    If the primary office is down, can advisors still place trades and process distributions through the custodian's web portal from a clean device? Walk through the steps with a sample advisor on a non-firm laptop. Confirm that hardware MFA tokens travel with the advisor or are recoverable.

    Revise the incident response plan with any updated phone numbers, vendor contacts, and decision-tree changes from the tabletop. Re-circulate to the IR team and capture acknowledgments — version control matters when an examiner asks which IRP was in effect during a real incident.

Vendor and Third-Party Risk Management

    Critical vendors include the custodian, PMS, CRM, planning software, email archive, and managed IT provider. For each, refresh the due diligence questionnaire and review ownership/control changes, financial health, and any reportable incidents in the past 12 months.

    Read the exception sections of each vendor's SOC 2 report — not just the cover page. Confirm the report covers the period since the last review with no gap, that the complementary user entity controls (CUECs) the vendor expects you to perform are actually being performed, and that no material exceptions go unaddressed.

    Request the vendor's remediation plan and target dates in writing. If the exception touches a control the firm relies on (encryption, access review, change management), document the compensating control the firm will run until the vendor closes the gap.

    Each material vendor's MSA should commit to notification within 72 hours (or sooner) of a security incident affecting firm or client data. Older contracts often have weak or no notification language — flag for renegotiation at the next renewal.

    Every vendor and its named principals should be screened against the OFAC SDN list at onboarding and re-screened at least annually. Tools like Refinitiv World-Check, LexisNexis Bridger, or ComplyAdvantage automate the recurring screen — manual one-time checks at onboarding are a recurring exam finding.

    The CCO signs the consolidated vendor risk register and attaches it to the assessment file. The register should show every material vendor's tier, last DD date, SOC 2 status, and any open exceptions — this is the single document an examiner will ask for first.