
Are RIAs Accountable for Breaches That Happen at Companies They Don't Control?

February 17, 2026 | 8 min read


The most dangerous moment in your firm's security might not be when something breaks. It might be when everything appears to be working exactly as it should.

This is the uncomfortable realization changing how the smartest RIA owners think about protecting their clients.

The Security Playbook That Stopped Working

For years, the approach made perfect sense. Build strong firewalls. Monitor who's trying to get in. Train your team to spot suspicious emails. Lock down the perimeter and sleep better at night.

Then the rules changed.

Attackers are trying less and less to break through your defenses. They have found something far more effective: walking right past them, hidden inside the software you already trust.

The recent Notepad++ software compromise revealed how this works. For six months, malware sat quietly in a widely used application. No forced entry. No obvious warnings. No dramatic breach. Just patient, invisible access to business systems.

Operations continued normally because, from a technical standpoint, everything was normal. The software was working exactly as designed. That was precisely the point.

The 267-Day Reality Nobody Wants to Discuss

Here's the statistic that should keep RIA owners up at night: these “supply chain” attacks take an average of 267 days to detect and contain.

Let that sink in for a moment. Nearly nine months of silent access.

Think about what happens in your firm over nine months. How many wire transfers get processed? How many client conversations happen? How many retirement plans get built? How many estate documents get reviewed?

Now imagine someone watching all of it. Recording all of it. Waiting for the perfect moment to act.

You're not just storing spreadsheets and account numbers. You're storing your clients' life plans. Their retirement dreams. Their children's education funds. Their legacy strategies. The deeply personal information they've trusted you to protect.

And here's the accelerating trend: 30% of all data breaches now involve a third party, representing a 100% increase year over year. What does this mean? Nearly one in three successful attacks doesn't target your firm directly. Instead, hackers compromise a vendor you trust (your CRM provider, portfolio management software, email service, or document storage company) and use that trusted relationship to access your client data.

Your firm becomes the victim even though the initial breach happened at a company you don't control. And you're still accountable to your clients and the SEC.

This changes the questions smart RIA owners need to ask themselves.

What Shifts When You Stop Looking for Hackers

The transformation isn't about buying more security tools. It's about fundamentally rethinking what protection means when threats arrive through trusted channels.

The firms adapting fastest are doing three things differently:

They're mapping their software ecosystem with the same rigor they apply to client portfolios. Every application. Every integration. Every vendor with access to client data. If they can't see it, they can't protect it.

They’re skeptical of quiet days. When systems run smoothly for months, they're asking what might be happening beneath the surface rather than assuming everything's fine.

They're building response plans before crisis hits. They know exactly who to call at 2 AM. They've documented their communication strategy. They've tested their backup systems. Preparedness has become their competitive advantage.

The experience they're selling to clients has evolved, too. It's no longer just "we'll grow your wealth." It's "we protect your future by staying ahead of what's coming."

This makes their job easier, not harder. When you've prepared, daily uncertainties no longer consume your mental energy.

Three Questions That Transform Your Security Posture

Question 1: "Who in our firm owns ongoing vendor security oversight, and how is that documented?"

If you can't immediately name the person responsible, you've identified a critical gap. Assign a specific owner who maintains your vendor inventory, reviews security certifications, and tracks updates. Document vendor responsibilities in writing, including review schedules and escalation procedures. Without clear ownership and written procedures, vendor oversight becomes an assumption rather than a practice.

Question 2: "What would we do if we discovered a breach six months from now that started today?"

This question forces you to build your crisis playbook now, not during the crisis. Walk through the scenario. Document every step. Know your legal obligations. Identify your communication team. Test the plan quarterly.

Question 3: "Who on my team knows how to verify that our trusted software is still trustworthy?"

Knowledge gaps become security gaps. Someone needs to own supply chain visibility. Someone needs to understand which applications can update themselves, who authorizes those updates, and how to audit what changed.

These aren't IT questions. They're strategic business questions.
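As an added illustration of Question 3 (this is example code, not part of the original post and not a Now IT Works tool), here is one way the person who owns "audit what changed" could do it: hash every file in a trusted application's install directory once as a known-good baseline, then re-hash later and flag any file that changed without an entry in the firm's authorized-update register. The install directory, file names and the authorized list are all constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Record a hash for every file under root: the 'known-good' inventory."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root, baseline, authorized):
    """Compare the current state with the baseline.
    authorized: relative paths whose change was signed off by the update owner.
    Returns lists of unauthorized changes, authorized changes, new and missing files."""
    current = take_baseline(root)
    report = {"unauthorized": [], "authorized": [], "added": [], "missing": []}
    for name, digest in current.items():
        if name not in baseline:
            report["added"].append(name)          # file nobody baselined
        elif digest != baseline[name]:
            bucket = "authorized" if name in authorized else "unauthorized"
            report[bucket].append(name)
    report["missing"] = [n for n in baseline if n not in current]
    return report


def demo():
    # Constructed sample: a fake install directory with an editor and one plugin.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "editor.exe").write_bytes(b"editor v1")
        (root / "plugins").mkdir()
        (root / "plugins" / "spell.dll").write_bytes(b"spell v1")
        baseline = take_baseline(root)
        # Later: one approved vendor update, one silent plugin swap, one new file.
        (root / "editor.exe").write_bytes(b"editor v2")
        (root / "plugins" / "spell.dll").write_bytes(b"spell v1 plus something extra")
        (root / "plugins" / "updater.dll").write_bytes(b"new")
        return audit(root, baseline, authorized={"editor.exe"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored outside the machine being audited and the authorized list would come from the change log the update owner maintains.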

The Transformation Starts With Awareness

The best RIA owners aren't the ones with perfect security. Perfect security doesn't exist when threats arrive through the tools you need to run your business.

The best RIA owners are the ones who've prepared for an imperfect reality.

They've made the identity shift from "I hope we're protected" to "I know exactly what we'd do." They've stopped treating cybersecurity as a compliance checkbox and started treating it as a core business capability.

They've accepted that the absence of alerts doesn't mean the absence of risk.

The next time your systems run perfectly for a week straight, pause for a moment. Ask yourself what you might be missing. Consider what could be happening in the quiet spaces between your monitoring tools.

Because the smartest threat isn't the one that announces itself. It's the one that waits patiently, hidden in plain sight, for exactly the right moment.

Your clients trust you with their futures. Make sure your definition of protection has evolved to match the threats they'll never see coming.


Key Takeaways

  • The 267-day gap is your biggest vulnerability. Supply chain attacks take an average of 267 days to detect and contain, giving attackers nearly nine months of silent access to observe your operations and client data.

  • Normal operations can hide serious threats. The most dangerous security incidents don't announce themselves with alarms; they arrive through trusted software working exactly as designed.

  • Third-party breaches have doubled, and they're now unavoidable risks. 30% of all data breaches now involve a third party, a 100% year-over-year increase. This means nearly one in three attacks doesn't target your firm directly but instead compromises a vendor you trust (like your CRM, portfolio software, or email provider) and uses that access to reach your client data. Your vendor ecosystem has become a primary attack vector, and you remain accountable even when the initial breach happens outside your control.

  • Visibility trumps prevention in modern security. When threats hide inside trusted systems, you need monitoring that tracks behavioral patterns and anomalies rather than just blocked intrusion attempts.

  • Preparedness is the new competitive advantage. Firms that build crisis response plans before incidents occur can respond decisively while competitors scramble, protecting both client relationships and firm reputation.

  • Security is a strategic business capability, not an IT problem. The identity shift from hoping you're protected to knowing what you'd do transforms cybersecurity from a cost center into a competitive differentiator.


Frequently Asked Questions

Q: How is a supply chain attack different from a regular cyberattack?

A: Supply chain attacks exploit the trust you place in legitimate software and vendors rather than forcing their way through your defenses. Instead of breaking in, attackers compromise a trusted application or service provider that already has authorized access to your systems. This makes them nearly impossible to detect with traditional security tools because the malicious activity arrives through channels you've specifically authorized. The breach looks like normal business operations until it's too late.

Q: If my security software isn't alerting me to problems, does that mean we're safe?

A: No, the absence of alerts is not the same as the absence of risk, especially with supply chain attacks. These threats are designed to operate silently within systems that appear to function normally. Your security tools are primarily looking for unauthorized access attempts, not malicious activity hiding inside authorized software. This is why visibility into behavioral patterns and anomalies is now more important than perimeter defenses alone.

Q: What's the single most important step an RIA firm should take first?

A: Create a complete inventory of every software application and vendor that has access to client data. Document what each system does, who can authorize updates, and how these systems connect to each other. This visibility is the foundation of any effective security strategy. You cannot protect your software supply chain if you don't know what's in it or how it works together.

Q: Our firm uses major, reputable software vendors. Aren't they responsible for security?

A: While vendors have security responsibilities, the ultimate accountability for protecting client data rests with your firm. Even major, reputable vendors can be compromised, as we've seen with high-profile supply chain attacks. The SEC holds RIA firms responsible for cybersecurity regardless of where the breach originated. Your clients will blame you, not your software vendor, if their data is compromised. This is why you need visibility and response plans that assume any vendor could be compromised.

Q: How do we balance security investment with all our other business priorities?

A: Reframe security from a cost to a strategic capability that enables growth and protects everything you've built. The average RIA firm with $250+ million in assets now spends $15,000 annually on cybersecurity, but one successful attack can cost millions in breach response, regulatory fines, and lost clients. More importantly, robust security becomes a selling point with sophisticated clients who understand these risks. The question isn't whether you can afford to invest in security; it's whether you can afford not to.

I’m Chris Meacham, founder of Now IT Works, where I’ve been helping RIAs and growing businesses turn IT headaches into IT roadmaps for nearly 30 years.

Chris Meacham
