Why Chicago Financial Firms Fail Cybersecurity Audits (And What to Do Before Yours)

Most Chicago financial firms confuse passing an audit with being secure. Here are the 6 gaps SEC and FINRA examiners find and how to close them for good.

It was March. The annual compliance review was done. The managing partner forwarded the report to the team with a single line: “We passed. Nice work.”

Fourteen days later, an employee at the same Chicago-area investment firm clicked a link in what appeared to be a DocuSign notification. It wasn’t. The attacker had been inside the firm’s network for eleven days before anyone ran a routine file access report and noticed something was wrong.

The audit had reviewed policies, checked documentation, confirmed that the right boxes were checked. It never checked whether anyone was watching the network in real time. That gap cost the firm over $200,000 in incident response costs, client notifications, and legal fees — none of which were covered by their cyber liability policy because the breach involved an unmanaged endpoint that wasn’t listed on the policy.

This scenario plays out more than most Chicago financial firms want to admit. And it points to a fundamental misunderstanding of what a cybersecurity audit actually measures.

The difference between ‘compliant’ and ‘secure’

Compliance frameworks — FINRA Rule 4370, SEC Regulation S-P, the NIST Cybersecurity Framework — were designed to establish minimum standards. They are baselines, not finish lines. Passing an audit means you met a threshold at a specific point in time, under specific conditions, evaluated against a specific checklist.

It does not mean your systems are actively monitored. It does not mean your employees can identify a phishing attempt. It does not mean an attacker who gained access yesterday would be detected today.

The firms that experience the fewest incidents aren’t the ones that pass the most audits. They’re the ones that treat security as a continuous operational discipline — not an annual event.

The 6 gaps regulators find most often in Chicago financial firms

In 17 years of serving Chicago’s financial sector, these are the vulnerabilities we have encountered most consistently, in firms of all sizes, from boutique RIAs to mid-sized wealth management practices.

1. No centralized access logging.

Regulators want to know who accessed what, and when. Most firms can tell you their policy. Very few can produce an actual access log from 90 days ago. Without centralized logging, there is no audit trail — and no way to detect unauthorized access after the fact.

2. Personal and unmanaged devices on the network.

When employees access client data from personal laptops or mobile devices, those devices fall outside the firm’s security controls. No mobile device management (MDM) means no encryption enforcement, no remote wipe capability, and no visibility into what’s installed. FINRA examiners specifically look for this.

3. No written incident response plan.

SEC Regulation S-P requires financial firms to have written policies for protecting customer information — including what to do when a breach occurs. Roughly half the firms we assess either don’t have one or have a document so outdated it references systems they no longer use.

4. No documented security awareness training.

Human error is responsible for the majority of successful breaches. Regulators know this and ask for evidence of annual training. Not just that training was offered — but that completion was tracked and documented. Most firms have sent a link. Almost none can show a completion record.

5. Unpatched software on machines that touch client data.

Software vendors release patches for a reason: to close vulnerabilities that have been discovered and, often, actively exploited. When a machine running client portfolio software hasn’t been patched in six months, every known vulnerability in that software is an open door. We see this constantly.

6. No third-party vendor risk assessment.

Your custodian, your portfolio management platform, your document signing tool — every third-party application that touches client data is a potential entry point. Regulators increasingly expect firms to document their vendor relationships and assess the security posture of each one. Most firms have no process for this at all.

What Chicago financial firms are getting wrong right now

The most common mistake we see isn’t negligence — it’s assumption. Principals assume that because their custodian has enterprise security, their own environment is secure by extension. Associates assume the IT person handles it. The IT person, if there is one, assumes the compliance consultant covers the security side.

Nobody owns it. And the gaps accumulate in the white space between those assumptions.

Smaller Chicago firms — boutique RIAs, family offices, independent broker-dealers — are particularly exposed because they operate with the same regulatory obligations as large institutions, but without dedicated security staff. The assumption that small firms aren’t targets is demonstrably false. Attackers specifically seek out smaller firms because the controls are lighter and the data is the same.

What year-round cybersecurity actually looks like

Closing the gap between compliance and actual security requires shifting from an audit mindset to a managed security mindset. Concretely, that means:

  • Managed detection and response (MDR): continuous monitoring of your network, endpoints, and user activity — not just a quarterly scan.
  • Automated patch management: every device on your network patched on a defined cycle, with documentation of what was applied and when.
  • Centralized access logging: a searchable record of who accessed what systems and when, with alerting on anomalous behavior.
  • Mobile device management: all devices that access firm data — including personal phones — enrolled in MDM with encryption and remote wipe enforced.
  • Annual security training with tracked completion: not a video link in an email. A documented program with completion records suitable for regulatory review.
  • Written incident response plan, tested annually: a document your team has actually read, with clear roles, escalation paths, and notification procedures.

None of this is exotic. It’s what competent managed security looks like for a firm of your size, and it’s achievable without a large internal IT team.

How CMIT Chicago helps financial firms stay ahead

CMIT Chicago has served Chicago’s financial community since 2008. We work with wealth management firms, independent broker-dealers, family offices, and financial advisory practices: firms that carry significant regulatory obligations and cannot afford the reputational cost of a breach.

Jeremy Treister, our founder and principal, built CMIT Chicago specifically to serve Chicago’s business community with the kind of proactive, relationship-based IT management that large national providers don’t offer. In 17 years and across more than 200 Chicago clients, we have never had a client experience a data breach.

That record isn’t a product of good fortune. It’s the result of treating security as an operational discipline, not a compliance checkbox.

If your firm’s last cybersecurity review was an annual audit, it’s time to have a different conversation. We offer a free security assessment for Chicago financial firms, a plain-language review of your current posture, your regulatory exposure, and what managed security looks like for your specific environment.

Book a free Security Assessment with Jeremy Treister
https://outlook.office.com/bookwithme/user/20a8de76b48d4bafb2524bf66e224cf7@cmitchidt.com?anonymous&ismsaljsauthenabled
