Advisor Domain: How Smaller Financial Firms Can Protect Themselves from Cyber Attacks

Guest Post by Michael Pinsker, Founder & President | Docupace

Cybersecurity is a hot topic in the wealth management industry, but in all the conversation about major breaches and new security paradigms, one audience is usually left out: small broker-dealer firms and RIAs.

90% of broker-dealers have fewer than 150 financial advisors. For obvious reasons, these firms often trail their larger counterparts in security maturity. Unfortunately, that doesn’t mean cyber criminals and regulators will take it easy on them.

Small wealth management firms usually don’t have the budget to launch state-of-the-art cybersecurity initiatives. But they can’t simply ignore cyber risk either. So how can they mitigate risk on a budget?

Here are three risk mitigation initiatives smaller firms can work on without breaking the bank.

Developing Well-Documented Policies

You can’t combat cyber attacks if you don’t have policies or procedures in place for doing so. This critical step is often overlooked by smaller firms, resulting in greater risk — and more chaos — when an attack does take place.

These policies fall into two categories: proactive and reactive. Proactive policies should cover issues like password hygiene, bring-your-own-device (BYOD), and software updates. Proactive policies should be communicated to advisors and employees and regularly enforced.

Reactive policies include incident response and disaster recovery plans. These plans can help mitigate losses in the event of a data breach. An effective incident response plan, for example, includes clearly delineated responsibilities for all leadership and answers to the following questions:

  • Who within the company should be notified first, and how should they be notified?
  • Who will be in charge of response and recovery efforts?
  • Who will conduct the forensic investigation, and how will they preserve forensic data?
  • What are the federal and state requirements for notifying clients of a data breach? How will clients be notified?

Reactive policies should be written down and made easily accessible to employees so there is no confusion about what needs to happen and who needs to take action. In addition, it’s beneficial to practice incident response and disaster recovery procedures every few months.

Security Awareness Training

A sizeable number of cybersecurity incidents are caused by employee negligence. Companies that spend millions annually on the most advanced data protection tools can still get burned by a single employee clicking a link in a spam message or falling for a phishing scheme.

For this reason, security awareness training on topics like phishing, password hygiene, and file sharing is particularly important.

For broker-dealers, training must extend beyond the back office. Firms should develop plans that incentivize their advisors to complete security awareness training as well.

Enforcement and Oversight

Having policies in place is helpful, but ultimately not enough if there is nothing to ensure adherence to these policies.

Firms must decide who is responsible for cybersecurity policy enforcement, and that individual or team should frequently test their own systems to determine whether their cybersecurity projects have been implemented effectively. In addition, firms must have a clear idea of what happens when users do not follow written policies.

FINRA suggests that firms should perform regular simulated attacks in order to measure employee compliance with security procedures, and implement “appropriate consequences for employees who repeatedly violate the firm’s phishing standards or do not demonstrate sufficient sensitivity to phishing risks.”

In a perfect world, every small firm would have the latest encryption software and cybersecurity experts on their payroll. But even when that isn’t possible, firms can still protect their assets from cyber attacks. 


Michael Pinsker has over 30 years of experience in technology and business, plus 16 years of experience in Financial Services. He holds certifications from the American Board of Certification in Homeland Security in Sensitive Security Information (SII/DHS), Certified Information Assurance (CIA/DHS) and Cyber Warfare (CW TTPs/DHS).