The plan is not the protection
Hiring a virtual compliance officer and drafting an incident response plan is a meaningful first step, and the SEC is right to require it. But RIAs who treat that document as the finish line are confusing the fire drill with the sprinkler system. The incident response plan tells everyone what to do after a breach is confirmed. It governs client notification, internal escalation, vendor coordination, and regulatory reporting. These frameworks are not hard to build, and a capable compliance officer can produce a solid one.
What the incident response plan does not do is stop the breach from happening, detect it while it is underway, or limit how long an attacker has undetected access to your environment. That requires a fundamentally different set of tools and a fundamentally different posture.
★ The parallel every executive already understands
Physical Security
A building evacuation plan tells employees how to exit safely when the fire alarm sounds. It does not prevent the fire, detect smoke early, or call the fire department.
Cybersecurity
An incident response plan tells your firm how to respond once a breach is known. It does not prevent the intrusion, detect an attacker moving through your systems, or alert anyone at 2am.
The sprinklers, smoke detectors, and monitored alarm system are the controls that actually limit damage. In cybersecurity, those are your monitoring and detection tools, not the response plan.
The question every RIA principal needs to ask is not “do we have an incident response plan?” It is: “would we know within minutes if an attacker was inside our systems right now?” For most firms, the honest answer is no.
Two postures. One outcome separates them by miles.
Every firm sits somewhere on a spectrum between fully reactive and genuinely proactive. The reactive firm waits: for the attacker to announce themselves with a ransom demand, for a regulator to call, or for a client to notice something wrong with their account. The proactive firm has systems that see threats as they develop, alerts that fire in real time, and people who respond before damage compounds.
Reactive Posture
- Learn of breach from the attacker
- Client reports suspicious account activity
- Regulator notification triggers discovery
- Days or weeks of undetected access
- Incident response plan activated too late
Proactive Posture
- Threat detected within minutes of activity
- Automated alert fires; phone call is made
- Analyst triages and responds, day or night
- Attacker contained before lateral movement
- Incident response plan activated with data
The distance between these two columns is not a technology gap. It is a governance and configuration gap. The tools to achieve the right column exist, are accessible to RIAs of any size, and can be deployed as a coordinated stack. The decision is whether to deploy them.
What a real security operations stack looks like for an RIA
A proactive security posture does not require enterprise-scale infrastructure or an in-house security team. It requires four integrated layers, properly configured and actively monitored. Together, these components form the foundation of a Security Operations Center built for the RIA environment.
01 Microsoft Business Premium (Foundation Layer)
Identity management, device compliance, and baseline threat protection across the entire environment. The platform everything else integrates with and is measured against.
02 MDR (Managed Detection & Response)
Human-backed monitoring and response, around the clock. Analysts triage alerts, confirm threats, and act. They do not merely log and report. This is what makes 2am coverage real.
03 ITDR (Identity Threat Detection & Response)
Monitors for compromised credentials, privilege escalation, and lateral movement: the attack paths most commonly used against financial firms and most often missed by endpoint tools alone.
04 SIEM (Security Information & Event Management)
Aggregates and correlates events across every system and log source. Turns raw data into actionable intelligence, and into the audit trail regulators will ask for after an incident.
These four layers, configured to work together, create something qualitatively different from any single tool in isolation: a coordinated early warning system with human response behind it. When an alert fires, whether at 10am or 2am on a Saturday, it does not sit in a queue. Automated alerts are sent, phone calls are made, and a response begins immediately.
“The question is not whether you have EDR installed. The question is who is watching the alerts and what they do when one fires at 2am.”
Most cyber liability carriers now require EDR as a condition of coverage. That is the floor, not the ceiling. EDR detects activity at the endpoint level. Without MDR (the managed, human-monitored governance layer), those detections sit until someone reviews them. For an RIA managing client assets across cloud platforms, trading systems, and custodian integrations, that gap is where breaches compound from containable incidents into reportable events.
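To make the "correlate, then act" idea concrete, here is an added example that is not part of the original article and not ATG's or Microsoft's tooling. It runs a small ITDR/SIEM-style correlation over a constructed set of sign-in and audit events: repeated failed sign-ins followed by a success, a success from a country outside the user's baseline, and a privileged role assignment shortly after a flagged sign-in. The log format, thresholds, baseline locations and escalation policy are all assumptions chosen for illustration; the point is that a raw event stream becomes a severity-rated alert with a named action behind it, rather than a line in a dashboard.

```python
"""Toy identity-threat correlation with an escalation policy (illustrative only)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; JSON-lines format is an assumption, not a real product's schema.
SAMPLE_LOG = """\
{"ts":"2024-03-02T01:50:00Z","type":"signin","user":"jdoe","result":"failure","ip":"203.0.113.5","country":"RO"}
{"ts":"2024-03-02T01:50:20Z","type":"signin","user":"jdoe","result":"failure","ip":"203.0.113.5","country":"RO"}
{"ts":"2024-03-02T01:50:40Z","type":"signin","user":"jdoe","result":"failure","ip":"203.0.113.5","country":"RO"}
{"ts":"2024-03-02T01:51:00Z","type":"signin","user":"jdoe","result":"failure","ip":"203.0.113.5","country":"RO"}
{"ts":"2024-03-02T01:51:20Z","type":"signin","user":"jdoe","result":"failure","ip":"203.0.113.5","country":"RO"}
{"ts":"2024-03-02T01:52:00Z","type":"signin","user":"jdoe","result":"success","ip":"203.0.113.5","country":"RO"}
{"ts":"2024-03-02T02:05:00Z","type":"audit","user":"jdoe","action":"role_assigned","detail":"Global Administrator"}
{"ts":"2024-03-02T09:00:00Z","type":"signin","user":"asmith","result":"failure","ip":"198.51.100.7","country":"US"}
{"ts":"2024-03-02T09:00:30Z","type":"signin","user":"asmith","result":"success","ip":"198.51.100.7","country":"US"}
{"ts":"2024-03-02T09:15:00Z","type":"audit","user":"asmith","action":"role_assigned","detail":"Billing Administrator"}
"""

# Constructed per-user "known locations"; a real baseline is learned from history.
BASELINE_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}
FAILURE_THRESHOLD = 5                     # failures before a success that we treat as guessing
FAILURE_WINDOW = timedelta(minutes=10)    # window those failures must fall in
ESCALATION_WINDOW = timedelta(minutes=30) # role change this soon after a flagged sign-in is critical

# Assumed escalation policy: what the MDR layer does with each severity.
ESCALATION = {
    "critical": "page on-call analyst by phone",
    "high": "page on-call analyst by phone",
    "medium": "open ticket in analyst queue",
    "low": "log only",
}


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Walk events in time order and emit alerts when rules combine across events."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside the window
    flagged_signins = {}                  # user -> time of the last suspicious success
    for event in events:
        user = event["user"]
        if event["type"] == "signin":
            if event["result"] == "failure":
                recent_failures[user].append(event["ts"])
                recent_failures[user] = [t for t in recent_failures[user]
                                         if event["ts"] - t <= FAILURE_WINDOW]
                continue
            reasons = []
            if len(recent_failures[user]) >= FAILURE_THRESHOLD:
                reasons.append(f"{len(recent_failures[user])} failures in "
                               f"{FAILURE_WINDOW} before success")
            if event["country"] not in BASELINE_COUNTRIES.get(user, set()):
                reasons.append(f"sign-in from unfamiliar country {event['country']}")
            recent_failures[user] = []    # a success closes the failure window
            if reasons:
                severity = "high" if len(reasons) > 1 else "medium"
                flagged_signins[user] = event["ts"]
                alerts.append({"severity": severity, "user": user,
                               "ts": event["ts"], "reasons": reasons})
        elif event["type"] == "audit" and event["action"] == "role_assigned":
            flagged_at = flagged_signins.get(user)
            if flagged_at is not None and event["ts"] - flagged_at <= ESCALATION_WINDOW:
                alerts.append({"severity": "critical", "user": user, "ts": event["ts"],
                               "reasons": [f"privileged role '{event['detail']}' assigned "
                                           f"{event['ts'] - flagged_at} after suspicious sign-in"]})
    return alerts


def route(alerts):
    """Map each alert to the action the escalation policy requires."""
    return [(a["severity"], a["user"], ESCALATION[a["severity"]]) for a in alerts]


def run(log_text=SAMPLE_LOG):
    """Full pipeline: raw lines -> correlated alerts -> routed actions."""
    return route(correlate(parse_events(log_text)))


if __name__ == "__main__":
    for severity, user, action in run():
        print(f"[{severity.upper()}] {user}: {action}")
```

In the constructed data, `jdoe` trips both sign-in rules and then receives a privileged role thirteen minutes later, so the pipeline produces a high alert followed by a critical one, each routed to a phone call. `asmith` has one failure from a familiar country and is left alone, which is the other half of the design: a rule set that pages on every failed login trains the on-call analyst to ignore the phone.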
Step two: the question nobody asks until everything is offline
The incident response plan and the security operations stack address detection and response. Business Continuity and Disaster Recovery (BCDR) addresses the question that matters most when a firm is actually down: how fast can we get back? No revenue. No client calls. No email. No access to portfolios, trading systems, or compliance records. The SEC requires a BCDR plan, and for good reason: the incident response plan is worthless if the firm has no functioning infrastructure to execute it from.
During an active outage, nobody reads the incident response plan. Every minute of downtime has a dollar value, a client relationship at risk, and a regulatory clock ticking. The only document that matters in that moment is the BCDR plan, specifically the recovery time objectives it commits to.
“What is the first system we need back online? Which department gets access first? And how fast does that have to happen?”
These three questions, posed to the CEO before the crisis, determine whether the IT team has built the right architecture, or whether they will be improvising under pressure while clients wait for answers.
The recovery time objective question is almost always the one that surfaces a gap. Leadership tends to assume recovery will happen in hours. The infrastructure, as currently configured, may require days. Closing that gap requires understanding the dependencies: which systems feed which, which departments cannot function without which platforms, and where the backup and redundancy investments need to be made before the event, not during it.
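The dependency analysis described above can be made mechanical. The following is an added example, not part of the original article and not ATG's methodology: it takes a constructed map of systems, their stand-alone restore times and their dependencies, computes a valid restore order, the earliest time each system can realistically be back, and the chain of dependencies that drives that time, then compares the result with each department's stated recovery time objective. All system names, hours and RTOs are assumptions; real values come from your own environment and backup tooling.

```python
"""RTO gap analysis over a constructed system dependency map (illustrative only)."""

# Constructed inventory: hours to restore each system once its dependencies are up,
# and which systems it cannot function without.
SYSTEMS = {
    "identity":    {"restore_hours": 2,  "depends_on": []},
    "network":     {"restore_hours": 4,  "depends_on": []},
    "email":       {"restore_hours": 3,  "depends_on": ["identity", "network"]},
    "file_server": {"restore_hours": 8,  "depends_on": ["identity", "network"]},
    "crm":         {"restore_hours": 6,  "depends_on": ["identity", "network", "file_server"]},
    "portfolio":   {"restore_hours": 12, "depends_on": ["identity", "network", "crm"]},
    "trading":     {"restore_hours": 6,  "depends_on": ["identity", "network", "portfolio"]},
    "compliance":  {"restore_hours": 4,  "depends_on": ["identity", "file_server"]},
}

# Constructed objectives: what leadership expects per department, and what that department needs.
DEPARTMENTS = {
    "trading":    {"rto_hours": 8,  "needs": ["trading", "portfolio", "email"]},
    "advisory":   {"rto_hours": 24, "needs": ["crm", "email", "portfolio"]},
    "compliance": {"rto_hours": 48, "needs": ["compliance", "email"]},
}


def recovery_order(systems):
    """Kahn's topological sort: a restore order where every dependency precedes its dependents."""
    indegree = {name: len(spec["depends_on"]) for name, spec in systems.items()}
    dependents = {name: [] for name in systems}
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            dependents[dep].append(name)
    ready = sorted(name for name, n in indegree.items() if n == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in sorted(dependents[current]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(systems):
        raise ValueError("dependency cycle: no valid restore order exists")
    return order


def restore_finish_times(systems):
    """Earliest hour each system is back, assuming independent restores run in parallel."""
    finish = {}
    for name in recovery_order(systems):
        deps = systems[name]["depends_on"]
        start = max((finish[d] for d in deps), default=0)
        finish[name] = start + systems[name]["restore_hours"]
    return finish


def critical_path(systems, target):
    """The dependency chain that determines when `target` is back; shortening it is what helps."""
    finish = restore_finish_times(systems)
    path = [target]
    while systems[path[-1]]["depends_on"]:
        deps = systems[path[-1]]["depends_on"]
        path.append(max(deps, key=lambda d: finish[d]))
    return list(reversed(path))


def rto_gaps(systems, departments):
    """Compare achievable recovery time per department with its stated RTO."""
    finish = restore_finish_times(systems)
    report = {}
    for dept, spec in departments.items():
        achievable = max(finish[n] for n in spec["needs"])
        report[dept] = {
            "rto_hours": spec["rto_hours"],
            "achievable_hours": achievable,
            "gap_hours": achievable - spec["rto_hours"],
            "met": achievable <= spec["rto_hours"],
        }
    return report


if __name__ == "__main__":
    print("restore order:", " -> ".join(recovery_order(SYSTEMS)))
    for dept, row in rto_gaps(SYSTEMS, DEPARTMENTS).items():
        status = "met" if row["met"] else f"MISSED by {row['gap_hours']}h"
        print(f"{dept:11} RTO {row['rto_hours']:>3}h  achievable {row['achievable_hours']:>3}h  {status}")
    print("trading critical path:", " -> ".join(critical_path(SYSTEMS, "trading")))
```

With these constructed numbers the trading desk's 8-hour objective is missed by 28 hours, and the critical path shows why: trading waits on the portfolio system, which waits on the CRM, which waits on an 8-hour file server restore. That is the kind of finding the paragraph describes; the investment decision is then about the slowest link on that chain, not about the trading platform itself. A cycle in the map raises an error instead of producing a misleading schedule.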
From compliance-first to operations-first thinking
The shift most RIAs need to make is not a technology decision. It is a framing decision. Cybersecurity has historically been approached as a compliance obligation: check the box, satisfy the examiner, move on. The firms that fare best in actual incidents have made a different decision. They treat security as an operational function with measurable outcomes.
Compliance-First Model
- Incident response plan drafted and filed
- EDR installed to satisfy carrier requirements
- BCDR plan exists; untested and undated
- Security reviewed annually at audit time
- Alerts reviewed when someone has time
Operations-First Model
- IRP is living: tested, updated, and exercised
- MDR provides human response behind every alert
- BCDR aligned to defined RTOs with IT accountability
- Security reviewed continuously via SIEM and ITDR
- Alerts trigger automated response and phone calls, 24/7
What most providers offer vs. what ATG delivers
The managed security market is crowded with providers who will sell an RIA a tool and call it a program. The difference between a tool and a program is accountability: who is watching, what they do when something fires, and whether the BCDR plan has ever been tested against a real recovery scenario.
What Most Providers Offer
- EDR deployment with dashboard access
- Compliance documentation support
- Alerts visible in a portal
- BCDR template; implementation left to you
- Business-hours response model
What ATG Delivers
- Full SOC stack: M365 Premium, MDR, ITDR, SIEM
- Human analysts acting on alerts, not just logging them
- Automated alerts and phone calls when threats fire
- BCDR built to your RTOs with tested recovery procedures
- 24/7 coverage, including 2am on a Saturday
“Compliance satisfies the examiner. The SOC stack, the MDR layer, and a tested BCDR plan are what protect your clients when something actually goes wrong.”
The SEC examination will ask whether you have the plan. Your clients, and your firm’s continuity, depend on whether you have the infrastructure behind it. These are not the same question, and for most RIAs, the gap between them is exactly where the exposure lives.
Ready to close the gap between compliance and coverage?
ATG works with RIAs to assess their current security posture, identify the distance between their incident response plan and their actual detection capabilities, and build the operational infrastructure to close it: MDR, ITDR, SIEM, and a BCDR plan built to real recovery time objectives.
