What to Do When an Employee’s Device Is Stolen: A Compliance Checklist for RIAs
- Ivan Barretto
- Jun 24
- 2 min read

In today’s highly mobile and interconnected world, the loss or theft of an employee’s laptop or mobile device can be a significant compliance risk, especially for Registered Investment Adviser (RIA) firms, which hold sensitive client data. A data breach, regulatory scrutiny and reputational harm are all possible outcomes if the incident isn’t managed swiftly and effectively. To help RIAs respond with confidence, here is a step-by-step checklist of the critical actions to take after a device theft.
1. Report the Theft Immediately
Employee notification: The affected employee should immediately notify their supervisor and your firm’s compliance officer or IT security contact.
Police report: File a report with local law enforcement and retain a copy for documentation and potential insurance purposes.
Internal incident log: Document the incident in the firm’s security and compliance incident tracking system.
2. Disable Access and Lock the Device
Remote wipe/lock: If the device is enrolled in a Mobile Device Management (MDM) or remote-wipe solution, issue a remote lock and then a remote wipe. The command only executes when the device next connects to the network, so record whether the MDM console confirms the wipe; until it does, treat the data on the device as still exposed.
Revoke credentials and sessions: Disable the user’s access to, and terminate existing sessions and refresh tokens for:
- Firm email systems
- CRM platforms
- Trading and portfolio management systems
- Cloud storage platforms
Resetting the password alone does not end sessions that were already authenticated from the device. Also rotate any passwords, VPN profiles or certificates that were stored on it.
Monitor for suspicious activity: Starting from the last time the employee is certain they had the device (not the time the theft was reported), check sign-in and access logs for both the user account and the device identifier: successful sign-ins from the stolen device, sign-ins from unfamiliar IP addresses or locations, and failed MFA prompts. Keep monitoring for several days after the wipe is confirmed.
3. Evaluate the Data Exposure Risk
Encryption status: Determine whether the device’s storage was fully encrypted, and confirm it from the MDM or encryption-key escrow record rather than from the employee’s recollection. A powered-off or locked device with full-disk encryption is a far lower exposure than one that was merely asleep with an unlocked session.
Password protection: Confirm whether the device required a password or PIN to unlock, and whether it held authenticator apps, saved passwords or active sessions that would let an attacker satisfy multi-factor authentication (MFA) for firm systems.
Data types on device: Assess whether the device stored:
- Personally identifiable information (PII)
- Client account numbers or investment details
- Confidential firm data or communications
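As an added example that is not part of the original checklist, the script below shows the post-theft log check from step 2 in working form: it reads sign-in events, ignores everything before the last time the employee had the device, and flags sign-ins from the stolen device or from unfamiliar IP addresses for the affected user, rating successful sign-ins higher than failed ones. The log format, field names, user and device identifiers, IP addresses and timestamps are all constructed assumptions; real identity providers and MDM consoles export different fields, so adjust `parse_log` to yours.

```python
"""Flag sign-ins that post-date a reported device theft (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed sample sign-in events, one JSON object per line. Not real logs.
SAMPLE_SIGNIN_LOG = """\
{"ts": "2024-06-20T08:02:11Z", "user": "jdoe", "device_id": "LT-0419", "ip": "203.0.113.10", "app": "email", "result": "success", "mfa": "satisfied"}
{"ts": "2024-06-20T15:45:03Z", "user": "jdoe", "device_id": "LT-0419", "ip": "203.0.113.10", "app": "crm", "result": "success", "mfa": "satisfied"}
{"ts": "2024-06-20T21:17:40Z", "user": "jdoe", "device_id": "LT-0419", "ip": "198.51.100.77", "app": "cloud_storage", "result": "success", "mfa": "satisfied"}
{"ts": "2024-06-20T21:20:05Z", "user": "jdoe", "device_id": "unknown", "ip": "198.51.100.77", "app": "email", "result": "failure", "mfa": "denied"}
{"ts": "2024-06-21T07:55:00Z", "user": "asmith", "device_id": "LT-0220", "ip": "203.0.113.10", "app": "trading", "result": "success", "mfa": "satisfied"}
{"ts": "2024-06-21T09:10:22Z", "user": "jdoe", "device_id": "LT-0731", "ip": "203.0.113.10", "app": "email", "result": "success", "mfa": "satisfied"}
"""


@dataclass(frozen=True)
class TheftReport:
    user: str                         # account of the employee who lost the device
    device_id: str                    # identifier the MDM/IdP assigns to the device
    last_seen_in_possession: datetime # last time the employee is sure they had it
    known_ips: frozenset              # office / VPN egress IPs the user normally uses


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    device_id: str
    app: str
    ip: str
    severity: str   # "high" for a successful sign-in, "medium" for a failed one
    reason: str


# Hypothetical incident: laptop LT-0419 left in a taxi at 18:00 UTC (assumption).
EXAMPLE_REPORT = TheftReport(
    user="jdoe",
    device_id="LT-0419",
    last_seen_in_possession=datetime(2024, 6, 20, 18, 0, tzinfo=timezone.utc),
    known_ips=frozenset({"203.0.113.10"}),
)


def parse_log(text: str) -> list:
    """Parse JSON-lines sign-in events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def triage(events: list, report: TheftReport) -> list:
    """Return findings for sign-ins after the loss that involve the device or the user."""
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Events from before the loss window are normal use of the device.
        if e["ts"] <= report.last_seen_in_possession:
            continue
        reasons = []
        # The stolen device authenticating at all after the loss is the clearest signal,
        # regardless of which account it used.
        if e["device_id"] == report.device_id:
            reasons.append("sign-in from the stolen device after the loss")
        # The affected user's account appearing from an unfamiliar network suggests
        # credentials or sessions taken from the device are being replayed elsewhere.
        if e["user"] == report.user and e["ip"] not in report.known_ips:
            reasons.append("sign-in for the affected user from an unfamiliar IP")
        if not reasons:
            continue
        severity = "high" if e["result"] == "success" else "medium"
        findings.append(Finding(e["ts"], e["user"], e["device_id"], e["app"],
                                e["ip"], severity, "; ".join(reasons)))
    return findings


def affected_systems(findings: list) -> set:
    """Systems reached by a successful post-theft sign-in: revoke sessions there first."""
    return {f.app for f in findings if f.severity == "high"}


def run_example() -> list:
    return triage(parse_log(SAMPLE_SIGNIN_LOG), EXAMPLE_REPORT)


if __name__ == "__main__":
    results = run_example()
    for f in results:
        print(f"{f.ts.isoformat()} {f.severity:6} {f.user}@{f.device_id} {f.ip} {f.app}: {f.reason}")
    print("Revoke sessions first for:", sorted(affected_systems(results)))
```

In the constructed data, the 21:17 sign-in to cloud storage from the stolen laptop at an unfamiliar address is rated high, the failed email attempt three minutes later from an unknown device is rated medium, and the employee’s next-day sign-in from a replacement laptop at the office address is correctly left alone. The cutoff is the last time the employee had the device, not the report time, because the gap between the two is exactly when a thief has the most freedom.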
4. Notify Clients and Regulators if Necessary
Client notice: If sensitive client data may have been exposed, prepare client notifications in compliance with state and federal breach notification laws.
SEC/State notice: Depending on the severity and impact, consider notifying the SEC or relevant state securities authority.
Cyber insurance carrier: Alert your cyber insurance provider to assess whether a claim or response support may be needed.
5. Conduct an Internal Review and Post-Incident Analysis
Compliance documentation: Record the incident, the timeline and every response step in the firm’s incident log, and update your Written Information Security Program (WISP) and internal compliance manual wherever the response revealed a gap in existing procedures.
Root cause analysis: Conduct a full review to understand how the incident occurred and identify any gaps in:
- Device management
- Employee training
- Network access controls
Reinforce training: Conduct a cybersecurity refresher with employees, highlighting mobile device security best practices.
6. Update Technology and Procedures
Review MDM implementation: Ensure all mobile devices and laptops are enrolled in device management with remote wipe capabilities, enforced full-disk encryption and key escrow, and that enrollment and encryption status are checked regularly rather than assumed.
Data access limits: Move toward centralized cloud-based document storage and restrict local file storage.
Deploy endpoint protection: Use tools like endpoint detection and response (EDR) to monitor and control devices even when they’re off-network.
Final Thoughts
For RIAs, the theft of an employee’s device isn’t just an inconvenience—it’s a compliance event with potential regulatory consequences. By preparing a response plan in advance and acting swiftly, firms can significantly reduce their exposure and demonstrate due diligence to regulators and clients alike.