Navigating Cybersecurity Compliance Amid Global Instability

With geopolitical tensions on the rise, cybersecurity risks have been heightened for RIAs and private fund managers, requiring firms to go beyond the basics and build cyber compliance programs that are strategic, proactive and SEC exam-ready. This roadmap will help RIAs and fund managers navigate this evolving ecosystem with clarity and confidence.

As the world’s geopolitical climate grows more uncertain, financial firms find themselves on high alert, not just in the markets but also in the cybersecurity compliance space. For Registered Investment Advisers (RIAs) and fund managers, this isn’t just a technology issue – it is a business imperative.

In recent months, global events have led to a sharp uptick in cyber threats. On June 30, 2025, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with allies in the UK, Canada and Australia, issued a joint alert identifying financial services as a high-risk sector for foreign cyber-attacks. Iranian state actors were singled out for their efforts to exploit outdated systems, weak passwords and remote access platforms.

For RIAs and fund managers, these risks are more than abstract. A single breach can jeopardize client and investor data, disrupt operations and trigger regulatory scrutiny. This heightened level of cyber risk requires firms to go beyond the basics and build cyber compliance programs that are strategic, proactive and SEC (Securities and Exchange Commission) exam-ready. To support that effort, we have put together this roadmap to help RIAs and fund managers navigate this evolving ecosystem with clarity and confidence.

Federal Oversight: From Checklists to Accountability

While the SEC recently withdrew certain proposed cybersecurity mandates, this is not a signal of deregulation. Rather, it is a pivot toward outcome-based oversight. Under the amended Regulation S-P, RIAs and fund managers are expected to self-govern and demonstrate program effectiveness.

This includes:

  • Written policies for incident detection and response
  • Client breach notification protocols
  • Thorough documentation of cybersecurity governance and controls
 

We cover this in more depth in a recent article we wrote for the New York Law Journal, entitled “Cybersecurity Under the Microscope: What the SEC’s 2025 Exam Priorities and Reg S-P Updates Mean for Private Fund Managers.” But the main takeaway that RIAs and private fund managers need to understand is this: the focus has shifted from checking boxes to proving resilience. Examiners are increasingly asking, “Can you show that your cyber compliance program works?” And if the answer is not well-documented and tested, the risk of findings and remediation increases.

State-Level Action: NYDFS Raises the Bar

As federal priorities evolve, states like New York are taking decisive action. On June 23, 2025, the New York Department of Financial Services (NYDFS) issued updated guidance urging all financial firms, including RIAs and fund managers, to strengthen their cyber compliance programs in light of rising geopolitical tensions.

Their guidance outlines concrete actions, including the following:

  • Enforcing multi-factor authentication (MFA)
  • Conducting frequent vulnerability scans and timely patching
  • Deploying Endpoint Detection and Response (EDR) tools
  • Performing third-party risk assessments
  • Testing incident response and backup systems regularly
 

These expectations mirror the threat intelligence shared by CISA, whose June 2025 fact sheet warns that state-sponsored actors frequently leverage legitimate tools, such as remote access software and VPNs, to infiltrate networks and move laterally without detection. 

As these expectations become the new baseline, RIAs and fund managers must assess how well their internal programs align, and where there may be gaps that could leave them exposed to both cyber threats and regulatory scrutiny.

Operational Imperatives for RIAs and Fund Managers

A proactive approach to cybersecurity is no longer a bonus; it is a business necessity. Regulators, clients and investors expect firms to show not just awareness but action. For RIAs and fund managers, the following priorities should be top of mind:

  • Infrastructure Hardening – Apply MFA across all systems, keep software and platforms up to date and eliminate unnecessary access privileges.
  • Risk-Based Segmentation – Perform regular cyber risk assessments tailored to your firm’s workflows, data types and third-party integrations.
  • Vendor Management – Include cybersecurity obligations in vendor contracts, ask for assurance reports and audit providers when appropriate.
  • Employee Awareness – Create ongoing training programs to address phishing, password management and escalation procedures.
  • Incident Response Planning – Maintain a written and regularly tested incident response plan. Conduct tabletop exercises at least annually.
  • Board and Executive Oversight – Cybersecurity should be a standing agenda item at leadership meetings. Accountability must start at the top.
  • Documentation and Reporting – Keep detailed records of all cybersecurity policies, risk reviews, staff training, incident response exercises and vendor reviews. This documentation is what regulators will want to see during an exam.
 

Putting these fundamentals into practice isn’t just about satisfying regulators; it is about building a culture of resilience that can withstand increased cyber and operational pressure. But technical controls and documentation are only part of the equation. To truly stand out and withstand scrutiny, firms must also recognize the strategic value of a strong cyber compliance program as a signal of trust and credibility.

Why This Matters: Cybersecurity as a Trust Signal

Today’s regulatory expectations are just one part of the story. Clients and investors are increasingly evaluating cybersecurity maturity as part of their due diligence. A well-developed cyber compliance program signals that a firm is serious about operational risk and capable of protecting sensitive data and financial assets.

Meanwhile, the cost of underinvestment is steep. Firms that suffer cyber incidents may face:

  • Enforcement actions and fines
  • Public breach disclosures
  • Reputational harm and client attrition
  • Operational disruption and remediation costs
 

A strong cyber compliance program is not just a defense mechanism; it is a competitive differentiator. A firm with a resilient, documented and tested cyber compliance program not only reduces its risk, but enhances its credibility with stakeholders.

The bottom line: while regulatory compliance sets the minimum standard, forward-looking firms recognize that cyber compliance is also becoming a critical factor in client trust, investor confidence and long-term business value.

Final Thought: Readiness is the New Requirement

The regulatory shift toward firm-led governance does not reduce the stakes – it raises them. RIAs and fund managers must go beyond compliance to demonstrate control, readiness and resilience.

Whether guided by NYDFS, informed by CISA or reviewed by SEC examiners, the expectation is the same: your cyber compliance program must be real, documented and tested.

Cyber risk may be external, but readiness is internal, meaning you cannot control where threats come from, but you can control how ready you are. The firms that lead on cybersecurity will not just survive – they will earn trust, demonstrate leadership and protect their future in a complex and evolving landscape.

If your firm needs help developing, assessing or strengthening its cyber compliance program, visit the Cyber Compliance section of our website or reach out to Silver’s cyber compliance team at [email protected]. We are here to help you build audit-ready, resilient cyber compliance strategies that not only protect you from today’s risks but prepare you for what is next. 
