A boutique registered investment advisor (RIA) in the Bay Area gets hit with a ransomware attack. Client data is exposed. The SEC opens an examination. Their attorney delivers the bad news: the central question isn’t whether the breach happened - it’s whether the firm had “reasonable security” in place before it did.

That two-word phrase will determine almost everything that follows.

The Problem: ‘Reasonable Security’ Sounds Clear Until You Try to Define It

If you’ve read through Regulation S-P, the FTC’s Safeguards Rule, or California’s data security statutes, you’ve noticed something frustrating: none of them hand you a checklist. They require “reasonable security measures” - and then they move on.

That’s deliberate. Regulators and legislators write these standards intentionally broad because they want them to scale. What’s reasonable for a 500-person broker-dealer with a dedicated security team isn’t the same as what’s reasonable for a 10-person independent advisory firm operating out of a shared office suite.

But here’s the real problem: that flexibility cuts both ways. Without a defined floor, small firms often assume they’re doing enough when they aren’t. They’re running antivirus and they’ve moved to the cloud, so they feel covered. They’re not.

When a breach happens - and statistically, it’s a when, not an if - regulators and breach liability attorneys look backward. They ask: what safeguards existed, what was the probability of harm, and what would it have cost this firm to implement better controls? If the answer is “the controls were affordable and the risks were obvious,” a firm that did the minimum faces real consequences.

The vagueness of “reasonable security” doesn’t protect you. It exposes you - unless you understand how regulators actually interpret it.

Why This Matters for Financial Advisory Firms

Financial advisors hold some of the most sensitive personal and financial data in existence: Social Security numbers, tax records, account balances, estate planning documents, beneficiary information. That data profile makes your clients high-value targets - and it makes your firm a regulatory priority.

Here’s the specific framework you’re operating in:

SEC Regulation S-P requires registered advisors to have written policies and procedures to protect customer records and information. The 2024 amendments go further: covered firms must maintain a written incident response program, oversee the service providers that handle customer information, and notify affected individuals as soon as practicable and no later than 30 days after becoming aware that unauthorized access to customer information has occurred or is reasonably likely to have occurred. That deadline assumes you can detect an incident, scope it, and identify affected clients before something goes wrong, not after.

The FTC Safeguards Rule applies to non-bank financial institutions that fall under FTC jurisdiction, which includes state-registered investment advisers and many other small financial firms that are not regulated by the SEC or a banking agency. (SEC-registered advisers are covered by Regulation S-P instead; the substantive expectations are closely aligned.) The Safeguards Rule explicitly requires a written information security program (WISP) with administrative, technical, and physical safeguards. Firms that hold information on fewer than 5,000 consumers are exempt from a few elements, such as the written risk assessment, annual penetration testing, and the written incident response plan, but the core obligation to maintain a written program with a designated qualified individual remains.

California’s Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents the right to sue a covered business directly when nonencrypted and nonredacted personal information is exposed because the business failed to maintain “reasonable security procedures and practices.” That’s a private right of action, meaning your clients, not just regulators, can come after you. The CCPA’s private right of action applies only to businesses that meet its revenue or data-volume thresholds, and California’s general data security statute (Civil Code 1798.81.5) separately requires reasonable security from any business holding personal information about California residents, so confirm with counsel which provisions reach your firm.

The financial exposure is real: regulatory fines, civil litigation, mandatory remediation costs, and the reputational damage that follows a public breach. Security insurance can absorb some of that. But insurers are increasingly denying claims or reducing payouts when they determine a firm’s pre-breach posture was inadequate. Your policy likely has a “reasonable care” provision, too.

How to Translate ‘Reasonable Security’ Into Actual Controls

Regulators and courts use three dimensions to assess whether a firm’s security was reasonable: the probability of harm, the severity of potential harm, and the cost and burden of available safeguards. For a small financial advisory firm, that framework points toward a specific set of baseline controls.

Here’s what consistently appears across SEC examination findings, FTC enforcement actions, and state breach investigations as the minimum threshold for a firm your size:

1. Multi-Factor Authentication (MFA) on every account that touches client data. This is no longer optional. Email, your portfolio management platform, your custodian portals, your document management system - all of it. MFA is low-cost, widely available, and appears in virtually every regulatory guidance document published in the last five years. Where the platform supports it, prefer phishing-resistant methods (hardware security keys or passkeys) or an authenticator app over SMS codes, which can be intercepted through SIM swapping. A breach that occurred on an account without MFA is very hard to defend.

2. A written information security program. You need a document - not a mental model, a document - that describes how your firm handles sensitive data, who’s responsible for security decisions, and what you do when something goes wrong. The FTC Safeguards Rule requires this. It doesn’t have to be 50 pages. It has to exist and reflect how you actually operate.

3. Encrypted email for client communication. Using personal Gmail or unencrypted business email to send statements, account numbers, or Social Security numbers to clients is one of the most common gaps we see, and it’s one of the first things regulators look at. Ordinary transport encryption between mail servers is not enough on its own, because the message and its attachments sit in plaintext in both mailboxes; personal accounts also fall outside your books-and-records controls. Encrypted email services designed for professional use, or a secure client portal in place of attachments, are inexpensive and easy to implement.

4. Endpoint protection beyond basic antivirus. Traditional antivirus catches known threats based on signatures. Modern endpoint detection and response (EDR) tools monitor behavior. For a small firm, a managed EDR solution through your IT provider is affordable - and the difference in protection is significant.

5. Vendor and third-party oversight. Many small firms assume that because their data lives in Salesforce or a cloud-based portfolio system, the vendor is responsible for security. That’s not how regulators see it. You remain responsible for the data. You need to review your vendors’ security practices, have written agreements in place, and document that review. Under the 2024 Regulation S-P amendments, those agreements and procedures also need to ensure that a service provider notifies you of a breach involving your customer information as soon as possible and no later than 72 hours after becoming aware of it, so that your own 30-day clock to clients can be met.

6. Annual risk assessment. A formal, documented risk assessment doesn’t require a security consultant every year - but it does require you to ask, in writing: what are our assets, what are our threats, what are our vulnerabilities, and what are we doing about them? Regulators look for this document. Insurers ask for it.

None of these controls require an enterprise budget. What they require is intention and documentation.

What to Look for in an IT Partner

If you’re evaluating a managed IT services provider, the right partner for a financial advisory firm isn’t just someone who keeps your computers running. You need a provider who understands your regulatory environment - specifically: Regulation S-P, the FTC Safeguards Rule, and California’s data security obligations.

Ask them directly:

  • Have you worked with RIAs or other SEC-registered firms before?
  • Can you help us build or update our written information security program?
  • Do you provide documentation we can use during a regulatory examination?
  • How do you handle vendor security reviews for the software platforms we use?
  • If we had a breach tonight, what’s the first call we make, and what happens next?

A provider who can’t answer those questions confidently isn’t the right fit for a firm with your compliance obligations. The goal isn’t just operational support - it’s having a partner who helps you demonstrate reasonable care before you ever need to.

The Bottom Line

“Reasonable security” isn’t a moving target - it’s a contextual one. For a 10-person advisory firm, that means MFA, a written security program, encrypted communication, modern endpoint protection, vendor oversight, and documented risk assessments. These aren’t aspirational. They’re the baseline regulators expect and the minimum insurers want to see. Get them in place. Document everything.


Frequently Asked Questions

What does ‘reasonable security’ mean for a small RIA under SEC rules?

The SEC doesn’t define a fixed technical standard, but it evaluates reasonableness based on a firm’s size, complexity, and the sensitivity of the data it handles. For a small RIA, regulators generally expect written policies, access controls like MFA, encrypted communications, vendor oversight, and documented incident response procedures. The 2024 amendments to Regulation S-P added a written incident response program requirement and a 30-day deadline for notifying affected individuals, which implies firms must have detection capabilities in place before a breach occurs.

Does the FTC Safeguards Rule apply to independent financial advisors?

It depends on who regulates you. The FTC Safeguards Rule applies to “financial institutions” under FTC jurisdiction, a category that includes state-registered investment advisers and other firms providing financial products or services to consumers that are not regulated by the SEC or a banking agency. SEC-registered advisers are covered by Regulation S-P instead, which imposes closely parallel obligations. Under the Safeguards Rule, firms holding information on fewer than 5,000 consumers are exempt from a few elements, such as the written risk assessment, annual penetration testing, and the written incident response plan, but the core obligation to maintain a written information security program still applies. You should confirm your specific obligations with legal counsel.

Can my clients sue me if there’s a data breach at my firm?

Under California law, often yes. The CCPA provides a private right of action for California residents when nonencrypted and nonredacted personal information is exposed due to a business’s failure to maintain reasonable security, provided the firm is a covered business under the statute. That means clients don’t have to wait for a regulator to act - they can sue directly. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if higher.

Will my security insurance cover a breach if I didn’t have strong security controls in place?

Not necessarily. Most security insurance policies include provisions requiring the insured to maintain “reasonable” or “adequate” security controls as a condition of coverage. Carriers increasingly ask pre-application questions about MFA, endpoint protection, and backup practices - and misrepresenting your posture, or simply not having controls in place, can result in reduced payouts or outright claim denial. Documenting your security program and controls before a breach is as important for insurance purposes as it is for regulatory ones.


If you’re working through reasonable security standards and compliance challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.