Cybersecurity Checklist for Financial Advisors & Insurance Agencies
Advisory practices and agencies sit on complete financial identities — accounts, SSNs, statements, beneficiaries — under regulators who now audit cybersecurity explicitly. The SEC, FINRA, and state insurance departments (via the NAIC model law) all expect documented programs, not good intentions. This checklist maps to what examiners actually ask.
The threats that actually hit advisory and insurance practices
Client impersonation and fraudulent disbursements
Attackers compromise a client's email, then request withdrawals or beneficiary changes from the real address — defeating firms that trust email identity.
Advisor inbox compromise
One advisor mailbox exposes statements, forms, and enough context to socially engineer both clients and custodians.
Vendor and BOR data sprawl
Client data spread across CRMs, custodians, carriers, and quoting tools multiplies breach exposure beyond your own systems.
How many of these boxes can you actually check?
Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.
Get Your Free Security Grade
The checklist
1. Enforce MFA on email, CRM, custodian, and carrier portals (quick win)
Every regulator's exam checklist starts here, because every real incident does too.
2. Verify disbursement and beneficiary changes by phone at a known number (quick win)
Client-impersonation fraud beats email-only verification; custodians increasingly require documented call-backs anyway.
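The call-back rule in item 2 is easy to state and easy to get wrong in practice: the call has to go to the number already on file, it has to happen after the request arrives, and a number offered inside the email itself must never be the one dialed. The following is an added example (not code from the original page) that encodes those conditions as a small approval gate; the record types, the 14-day cooldown on recently changed phone numbers, and every client, request and call-log entry are constructed for illustration.

```python
# Added example (not code from the page): call-back gate for disbursement and
# beneficiary-change requests, modelling checklist item 2. A request arriving
# by email is approved only after staff call the client at the number already
# on file in the CRM, never at a number the request itself supplies.
# All records below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class ClientRecord:
    client_id: str
    phone_on_file: str
    phone_last_changed: datetime  # when the number on file was last edited

@dataclass
class ChangeRequest:
    request_id: str
    client_id: str
    kind: str                     # "disbursement", "beneficiary_change", ...
    received_at: datetime
    channel: str                  # "email", "portal", ...
    phone_in_request: Optional[str] = None  # call-back number offered by the message

@dataclass
class CallbackRecord:
    request_id: str
    number_dialed: str
    completed_at: datetime
    confirmed: bool               # client confirmed the request on the call
    staff: str

VERIFIED_KINDS = {"disbursement", "beneficiary_change"}  # always need a call-back
# Assumption for this example: a number on file that changed recently is itself
# unverified, since contact-detail changes often precede a fraudulent request.
PHONE_CHANGE_COOLDOWN = timedelta(days=14)

def normalize(number: str) -> str:
    """Keep digits only so formatting differences do not defeat the comparison."""
    return "".join(ch for ch in number if ch.isdigit())

def evaluate(request: ChangeRequest, client: ClientRecord,
             callbacks: List[CallbackRecord]) -> Tuple[str, List[str]]:
    """Return ("approve" | "hold" | "reject", reasons) for one request."""
    if request.kind not in VERIFIED_KINDS:
        return "approve", ["request type does not require a call-back"]
    # Only calls logged against this request and made after it arrived count.
    calls = [c for c in callbacks if c.request_id == request.request_id
             and c.completed_at >= request.received_at]
    if not calls:
        return "hold", ["no call-back recorded after the request was received"]
    on_file = normalize(client.phone_on_file)
    supplied = normalize(request.phone_in_request or "")
    reasons = []
    for call in calls:
        dialed = normalize(call.number_dialed)
        if dialed == on_file:
            continue
        if supplied and dialed == supplied:
            reasons.append(f"{call.number_dialed} is the number the request itself supplied")
        else:
            reasons.append(f"{call.number_dialed} is not the number on file")
    if reasons:
        return "reject", reasons
    if not any(c.confirmed for c in calls):
        return "reject", ["client did not confirm the request on the call"]
    if request.received_at - client.phone_last_changed < PHONE_CHANGE_COOLDOWN:
        return "hold", ["number on file changed recently; confirm through a second channel"]
    return "approve", [f"confirmed by {c.staff} at {c.completed_at:%Y-%m-%d %H:%M}"
                       for c in calls if c.confirmed]

def sample_decisions() -> Dict[str, str]:
    """Run the gate over constructed scenarios; returns request_id -> decision."""
    t0 = datetime(2024, 3, 4, 9, 0)
    clients = {
        "C-1001": ClientRecord("C-1001", "(555) 010-2000", t0 - timedelta(days=400)),
        "C-1002": ClientRecord("C-1002", "(555) 010-3000", t0 - timedelta(days=3)),
    }
    requests = [
        ChangeRequest("R-1", "C-1001", "disbursement", t0, "email"),          # clean
        ChangeRequest("R-2", "C-1001", "beneficiary_change", t0, "email",
                      phone_in_request="555-010-9999"),                       # offers its own number
        ChangeRequest("R-3", "C-1001", "disbursement", t0, "email"),          # no call-back yet
        ChangeRequest("R-4", "C-1002", "disbursement", t0, "email"),          # number on file is 3 days old
        ChangeRequest("R-5", "C-1001", "disbursement", t0, "email"),          # only a stale call exists
    ]
    callbacks = [
        CallbackRecord("R-1", "555-010-2000", t0 + timedelta(hours=1), True, "ops.alice"),
        CallbackRecord("R-2", "555-010-9999", t0 + timedelta(hours=1), True, "ops.bob"),
        CallbackRecord("R-4", "555-010-3000", t0 + timedelta(hours=2), True, "ops.alice"),
        CallbackRecord("R-5", "555-010-2000", t0 - timedelta(days=1), True, "ops.bob"),
    ]
    return {r.request_id: evaluate(r, clients[r.client_id], callbacks)[0] for r in requests}
```

The gate deliberately distinguishes "hold" (nothing has gone wrong yet, but the verification is incomplete) from "reject" (the verification itself was done against an attacker-controllable number or the client declined), because the reasons list is exactly what an examiner asks to see alongside the disbursement record.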
3. Adopt a written information security policy (WISP) and review it annually (an afternoon)
SEC/FINRA/NAIC frameworks all require a documented program — undocumented security is nonexistent security to an examiner.
4. Encrypt devices and use secure portals instead of email attachments (an afternoon)
Statements sent as email attachments are examiner findings and breach events waiting to happen; portals solve both.
5. Inventory vendors holding client data and collect their security attestations (ongoing)
Regulators hold you responsible for vendor diligence; a simple annual attestation file answers the exam question.
6. Run annual security training and phishing tests; keep records (ongoing)
Training with records is explicitly required under NY DFS Part 500 and expected in SEC exams.
7. Back up books-and-records systems per retention rules, and test the backups (an afternoon)
Regulatory retention obligations survive ransomware; your backups are a compliance system, not just insurance.
8. Have a written incident response plan with regulator notification steps (an afternoon)
Notification clocks (72 hours under NY DFS; new SEC rules) start at discovery — the plan must exist before the incident.
Frequently asked questions
Which cybersecurity regulations actually apply to a small advisory firm?
SEC-registered advisors face Regulation S-P and the new cybersecurity rules; broker-dealers add FINRA expectations; insurance producers face state adoptions of the NAIC Insurance Data Security Model Law (most states have adopted it); New York licensees face DFS Part 500. The overlap is friendly: MFA, written program, training, vendor diligence, and incident response cover the core of all of them.
What do examiners actually ask about cybersecurity?
Your written policy, MFA status, training records, vendor list with diligence evidence, incident response plan, and how you verify disbursement requests. Documentation is the exam — a firm that does everything right but documents nothing fails questions that a mediocre but documented firm passes.
Are small practices really exam targets?
Yes — the SEC has brought enforcement actions against small firms specifically for weak safeguards after account-takeover incidents, and state insurance regulators apply their data-security laws to agencies of every size (with limited small-business exemptions that still require breach notification).