
Your Fiduciary Duty Now Includes Cybersecurity — What That Means for RIAs

You became an investment adviser because you take the fiduciary standard seriously. You put client interests first. You disclose conflicts. You act with care. But the SEC has made something uncomfortably clear: if you are not protecting client data with the same diligence you apply to their portfolios, you are falling short of that standard.

How fiduciary duty expanded to include data protection

The fiduciary duty of an investment adviser has never been limited to investment selection. It has always encompassed the obligation to protect client interests broadly — including safeguarding confidential information. What changed is not the principle. What changed is the threat landscape and the SEC's willingness to enforce.

The SEC's reasoning is direct: client assets include client information. A bad actor who gains access to a client's personal data — Social Security numbers, account details, beneficiary information — can use that access to reach the assets themselves. Unauthorized access to data enables unauthorized access to money. The two are not separate concerns. They are the same concern at different stages.

This is not theoretical. The SEC's Office of Compliance Inspections and Examinations has made cybersecurity a priority in every exam cycle since 2020. Deficiency letters routinely cite inadequate email authentication, missing incident response plans, and failure to implement policies that the firm claimed to have in place.

Reg S-P formalizes the cybersecurity fiduciary standard

Regulation S-P is the regulatory mechanism that translates fiduciary principle into specific cybersecurity requirements. The 2023 amendments to Reg S-P removed any ambiguity about what the SEC expects from registered investment advisers:

The message is plain: Reg S-P compliance is not a technical checkbox. It is the codification of your fiduciary duty to protect the information that protects your clients' wealth.

The scenarios that keep compliance officers up at night

Abstract obligations become concrete when you see how they play out. These are not hypothetical. Every one of these has happened to a registered investment adviser in the past three years.

Wire fraud from spoofed emails

An attacker sends an email that appears to come from your domain — your firm name, your logo, your adviser's signature block — instructing a client to wire funds to a new account for a "time-sensitive investment opportunity." The client complies. The money is gone.

If your domain had no DMARC policy, no SPF record, or a misconfigured email authentication setup, that spoofed email was trivially easy to send. A free domain scan would have revealed the gap in seconds. The SEC will ask why you did not know. Your E&O carrier will ask the same question.

Client portal breach

A client's portal credentials are compromised through a phishing attack that originated from — or appeared to originate from — your firm. The attacker downloads statements, tax documents, and beneficiary information. They now have everything they need for identity theft or targeted social engineering of the client's other financial relationships.

The client trusted you with that information. They chose your firm in part because they believed you would protect it. That trust is the foundation of the advisory relationship, and it does not survive the discovery that basic protections were missing.

Data exposure during M&A

Your firm is acquiring a book of business or merging with another practice. During the transition, client data is transferred between systems, shared with new staff, and potentially exposed to third-party consultants facilitating the deal. If either firm lacks adequate data protection controls, the transition becomes a window of vulnerability.

The SEC has specifically noted that firm transitions are high-risk periods for client data. The fiduciary duty does not pause during a merger. If anything, it intensifies — because the client did not choose to have their data handled by the acquiring firm's systems.

Phishing from your own domain

This is the scenario most advisers do not realize is possible. If your domain lacks proper email authentication (DMARC, SPF, DKIM), anyone on the internet can send emails that appear to come from your firm. Not a close imitation — an exact match. Your domain, your name, delivered to your clients' inboxes with no warning. The technical barrier to this attack is effectively zero when authentication is missing.

What documentation demonstrates you are meeting this duty

The SEC does not expect perfection. No regulator expects you to prevent every possible attack. What they expect — and what your fiduciary duty demands — is evidence that you are taking reasonable steps, that you know what your risks are, and that you are actively managing them.

Written Information Security Program (WISP)

This is your foundational document. It should describe the administrative, technical, and physical safeguards your firm has implemented to protect client information. It should be specific to your firm — not a template you downloaded and never customized. It should be reviewed and updated at least annually.

Incident response plan

A documented plan for how your firm will detect, respond to, contain, and recover from a cybersecurity incident. It should name specific people with specific responsibilities. It should include contact information for your legal counsel, your technology providers, and your regulators. And it should be tested — a tabletop exercise at minimum — so that when something happens, you are not reading the plan for the first time.

Continuous monitoring evidence

Annual assessments are a starting point, not an endpoint. The SEC has made clear that point-in-time compliance snapshots are insufficient. You need evidence of ongoing monitoring: regular vulnerability scans, email authentication verification, access reviews, and documentation that findings are acted on. A dashboard that shows your security posture in real time is worth more than a 200-page assessment that sits in a drawer for 364 days.

Staff training records

Your people are your first line of defense and your most likely point of failure. Document that they are trained on phishing recognition, password hygiene, data handling procedures, and incident reporting. Document the training dates, the content covered, and who attended. Do it at onboarding and at least annually after that.

Vendor due diligence

Every third party with access to client data is an extension of your fiduciary obligation. Document how you evaluate their security practices, what contractual protections you require, and how you monitor their ongoing compliance. SOC 2 reports, security questionnaires, and contractual data protection obligations are the baseline.

The reputational dimension

Regulatory penalties are measurable. Reputational damage is not. Consider what happens when a client learns that their adviser — the person they trusted with their retirement, their children's college funds, their estate plan — had no email authentication in place. No DMARC. No SPF. Nothing preventing anyone on the internet from sending emails as the firm.

That client will not parse the technical details. They will understand one thing: their adviser did not take basic steps to protect them. And they will tell other clients. They will tell their CPA. They will tell their attorney. In a business built on referrals and trust, a single cybersecurity failure can unwind years of relationship building.

The advisers who take this seriously are not doing it because the SEC told them to. They are doing it because protecting clients is what fiduciaries do. The regulation just makes it enforceable.

Where to start

If you are an RIA principal reading this and realizing you have gaps, the path forward is not complicated. It just requires the same intentionality you bring to every other aspect of your fiduciary obligation:

  1. Know your current posture. Run a free domain scan to see what your email authentication looks like right now. This takes 30 seconds and will tell you immediately whether your clients can be phished from your domain.
  2. Get your WISP in order. If you do not have a Written Information Security Program, or if yours is a generic template you have never customized, that is your first priority.
  3. Implement email authentication. DMARC, SPF, and DKIM are table stakes. They are not optional security enhancements — they are the minimum standard for preventing domain spoofing.
  4. Build your incident response plan. Document who does what when something goes wrong. Test it. Update it.
  5. Establish continuous monitoring. Compliance is not an annual event. Your threat landscape changes daily. Your monitoring should reflect that.
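As an added example (not the article's own code or any vendor's scan tool), the following offline check shows the kind of posture assessment steps 1 and 3 describe: it parses constructed SPF and DMARC TXT records and reports the gaps a domain scan would flag. The sample domains and records are constructed; a real scan would fetch the TXT records from DNS, and DKIM is not assessed because selectors are not discoverable from the domain alone.

```python
import re

# Constructed sample DNS TXT records; a real scan would read these from DNS.
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.example.net ~all",
                     "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"},
    "strong.example": {"spf": "v=spf1 include:_spf.example.net -all",
                       "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"},
    "missing.example": {"spf": None, "dmarc": None},
}

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict; None if absent or not DMARC."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    return (match.group(1) or "+") if match else None

def assess_domain(spf, dmarc):
    """Return a list of posture gaps; an empty list means both records enforce."""
    findings = []
    qual = spf_all_qualifier(spf)
    if qual is None:
        findings.append("no SPF record (or no 'all' mechanism): senders are unconstrained")
    elif qual in ("+", "?"):
        findings.append(f"SPF '{qual}all' permits any sender")
    elif qual == "~":
        findings.append("SPF ~all softfails spoofed mail instead of rejecting it (needs DMARC to enforce)")
    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("no DMARC record: receivers have no policy to enforce")
    else:
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy '{policy or 'missing'}' does not block spoofed mail")
        if "rua" not in tags:
            findings.append("no DMARC aggregate reporting (rua): no monitoring evidence")
    return findings

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess_domain(recs["spf"], recs["dmarc"]) or ["no gaps found"])
```

Running it prints one line per sample domain; the `strong.example` records produce no findings, while the missing and weak ones each produce two.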

Your fiduciary duty does not stop at the portfolio. Find out if your clients can be phished from your domain.
