NAPFA ADVISOR


COMPLIANCE CORNER


Cybersecurity in Wealth Management: A Growing Risk, A Shared Responsibility

By Kerry Rider

Cybersecurity has rapidly evolved from a back-office IT concern to a front-and-center business risk, especially for wealth management firms. This is not just an IT matter—it is a significant compliance concern. With regulators sharpening their focus and cybercriminals targeting high-net-worth individuals, Fee-Only advisors must recognize that cybersecurity is no longer optional; it’s a fiduciary imperative.

Why Wealth Managers Are Prime Targets

Wealth management firms serve some of the most financially valuable clients in the world, and the volume of sensitive personally identifiable information (PII) they maintain is a gold mine for cybercriminals. In short, wealth management firms are prime targets for bad actors. Whether the goal is financial fraud, extortion, or data theft, attackers know that breaching a wealth manager’s systems can yield high rewards.

The threat landscape is expanding. Phishing schemes are growing more sophisticated, ransomware attacks are more frequent, AI impersonation is rampant, and business email compromise remains a persistent risk. These threats don’t just jeopardize client data—they can disrupt operations, damage reputations, trigger regulatory scrutiny, and cost a firm a lot of money. They can even cause a firm to shut down.

Regulators Are Watching Closely

Cybersecurity is now a top regulatory priority at the SEC and in state and foreign jurisdictions. Regulatory examinations routinely include robust questions about a firm’s cyber governance—through an IT lens but also through a compliance lens. Regulators expect wealth managers to implement information security programs that reasonably protect sensitive data, minimize operational disruptions, and enable rapid response and recovery from cyber incidents. They also expect firms to regularly train staff on cybersecurity controls. The recent amendment to Regulation S-P demonstrates the SEC’s emphasis on cybersecurity and incident response, and firms must address these issues before the upcoming regulatory deadlines. 

Importantly, regulators have made it clear: while firms can outsource IT and cybersecurity, they cannot outsource accountability. Even if a firm relies on external providers to manage its IT and cybersecurity infrastructure, the ultimate responsibility for cyber risk management remains with the firm itself. However, firms shouldn’t just be concerned with regulatory risk—reputational risk and business risk should also drive wealth managers to invest in cybersecurity.

The MSP Dilemma: Support vs. Risk

Many wealth management firms, especially smaller or mid-sized ones, depend on managed service providers (MSPs) to build and maintain their IT infrastructure. This reliance is understandable; IT expertise is scarce and expensive, and MSPs offer scalable solutions.

However, this model also introduces new risks. The wealth management firm may have limited visibility into the MSP’s staffing quality, response protocols, or internal controls. If the MSP is breached, the firm could suffer significant losses and disruptions. Additionally, information flow can slow down, and firms may struggle to maintain real-time oversight.

The takeaway? MSPs can be valuable partners, but they are not a substitute for internal governance or cybersecurity oversight. Wealth managers must actively monitor their IT and cybersecurity programs, even when outsourced.

Cyber Risk Is a Business Risk

Cybersecurity is not just a technical issue; it’s a business risk that touches every part of a firm’s operations. For Fee-Only advisors, this risk intersects directly with fiduciary duty. Clients trust advisors to safeguard their financial futures, and that trust includes protecting their personal and financial data.

Cyber incidents can erode client confidence, trigger legal liabilities, and result in regulatory penalties. As threats grow more advanced, staying ahead is essential—not just to avoid disruption but to preserve trust.

What Fee-Only Advisors Can Do Today

Cybersecurity doesn’t have to be daunting. Here are a few practical steps Fee-Only advisors can take to strengthen their cyber posture:

  • Conduct a Cyber Risk Assessment: Understand your firm’s vulnerabilities and prioritize remediation efforts. If you lack the expertise in-house, outsource this function to someone other than your MSP.
  • Review MSP Contracts and Oversight: Ensure your agreements include clear expectations for performance, reporting, and prompt breach notification.
  • Establish Governance Protocols: Define who is responsible for cybersecurity oversight and how decisions are made.
  • Train Your Team: Human error is a leading cause of breaches. Regular training can reduce risk significantly.
  • Assess Your Incident Response Plan: Be prepared to respond quickly and effectively if an incident occurs. Run a desktop drill for preparation. Cover your firm with cyber insurance—allow the experts to step in when you need them.
  • Seek Outside Help: Collaborate with a qualified cyber expert—not just an MSP—to watch the house.

In today’s environment, cybersecurity is not just an IT issue; it’s a shared responsibility across the firm. For Fee-Only advisors, that responsibility is amplified by the trust clients place in them. By taking proactive steps, maintaining oversight, and investing in a program that fits the firm’s needs, wealth managers can protect their clients, their businesses, and their reputations.


Kerry Rider, a Partner and Head of ACA Wealth, has decades of experience helping firms meet their compliance obligations. ACA Wealth’s team of compliance professionals is committed to helping firms navigate the shifting regulatory landscape. Learn more at www.acaglobal.com.
