An independent cybersecurity review across the largest U.S. investment firms — national brokerages, custodians, and asset managers including Charles Schwab, Fidelity, and Vanguard — reveals a surprisingly wide range of results. These firms safeguard trillions in client assets, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each firm’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 70% to 44% — 8 of 18 (44%) scored below 60%.
Cybersecurity Scores of Major U.S. Investment Firms
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Firm | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Charles Schwab | schwab.com | 70% | Strong |
| 1 | Fidelity Investments | fidelity.com | 70% | Strong |
| 1 | Interactive Brokers | interactivebrokers.com | 70% | Strong |
| 1 | E*TRADE | etrade.com | 70% | Strong |
| 5 | Franklin Templeton | franklintempleton.com | 65% | Good |
| 6 | Vanguard | vanguard.com | 64% | Good |
| 6 | State Street | statestreet.com | 64% | Good |
| 8 | PIMCO | pimco.com | 60% | Above Average |
| 8 | Invesco | invesco.com | 60% | Above Average |
| 8 | Ameriprise Financial | ameriprise.com | 60% | Above Average |
| 11 | Raymond James | raymondjames.com | 59% | Average |
| 12 | Merrill | ml.com | 56% | Average |
| 13 | BlackRock | blackrock.com | 55% | Average |
| 14 | Morgan Stanley | morganstanley.com | 54% | Average |
| 14 | Edward Jones | edwardjones.com | 54% | Average |
| 16 | Robinhood | robinhood.com | 52% | Below Average |
| 17 | T. Rowe Price | troweprice.com | 48% | Below Average |
| 18 | LPL Financial | lpl.com | 44% | Weak |
What the Results Reveal
- Even the strongest firms top out at 70% — Schwab, Fidelity, Interactive Brokers, and E*TRADE share the lead, but none reach the showcase posture (85%+) that the best regional banks achieve.
- Vanguard (64%) and the world’s largest asset managers — BlackRock (55%), State Street (64%) — sit in the middle of the pack alongside Raymond James (59%), and several household names trail: Morgan Stanley (54%), Robinhood (52%), T. Rowe Price (48%), and LPL Financial (44%).
- Scale is no guarantee of strong email hygiene: the gap from top to bottom is 26 points, and most of the field sits below an above-average posture.
- Without an enforced DMARC policy, criminals can spoof a firm’s own domain to phish clients or to send fraudulent account-transfer and distribution instructions.
Why This Matters for Investment Firms
Broker-dealers and registered investment advisers are bound by the SEC Regulation S-P safeguards (including the 2024 amendments), FINRA supervisory rules, and GLBA. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against the business email compromise (BEC) and account-transfer fraud that target client funds.
Check any firm’s posture at audit.emailmenow.com/?industry=financial-advisors.
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to distribution or transfer instructions, and train every client-facing team.
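To check a domain against the first recommendation, the Python below (an added example, not code from this page or from audit.emailmenow.com) classifies the SPF and DMARC TXT records a domain publishes. The function names, result labels, and sample records are constructed for illustration, and it works on record strings you have already looked up rather than querying DNS.

```python
import re

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def check_dmarc(txt_records):
    """Classify the TXT answers published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:  # zero or several records: receivers apply no policy (RFC 7489)
        return "missing" if not found else "invalid: multiple records"
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid: no usable p= tag"
    if policy == "none":
        return "monitor-only"  # reports are collected, spoofed mail is still delivered
    if tags.get("pct", "100") != "100":
        return f"partial: p={policy} pct={tags['pct']}"
    return "enforced" if policy == "reject" else "quarantine"

def check_spf(txt_records):
    """Classify the TXT answers published at the domain apex."""
    found = [r for r in txt_records if re.match(r"v=spf1(\s|$)", r.strip(), re.I)]
    if len(found) != 1:  # several SPF records is a permerror under RFC 7208
        return "missing" if not found else "invalid: multiple records"
    terms = found[0].split()[1:]
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:  # an omitted qualifier defaults to "+"
            return {"-": "strict", "~": "softfail", "?": "neutral"}.get(m.group(1), "open")
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"  # the verdict comes from the record redirected to
    return "neutral"  # no "all" and no redirect: default result is neutral

# Constructed sample records (not taken from any audited firm).
SAMPLES = {
    "hardened.example": (["v=spf1 include:_spf.example.net -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"]),
    "monitoring.example": (["v=spf1 ip4:192.0.2.0/24 ~all"],
                           ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"]),
    "rollout.example": (["v=spf1 mx -all", "v=spf1 a -all"],
                        ["v=DMARC1; p=reject; pct=25"]),
}

def audit(samples=SAMPLES):
    """Return {domain: (spf_result, dmarc_result)} for each sample domain."""
    return {d: (check_spf(spf), check_dmarc(dmarc)) for d, (spf, dmarc) in samples.items()}
```

Only a result of ("strict", "enforced") matches the recommendation; every other label is a gap to close before the domain is protected against direct spoofing.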
Protect client assets. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=financial-advisors.
Contact EmailMeNow IT Consulting for help with SEC Reg S-P-aligned email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.