There’s No Place For Complacency – Cybersecurity Risks Continue To Grow

Wealthtech Experts Discuss The Current State Of Advisor Preparedness, Risks, Advancements, Regulatory Influences And The Next Few Years Of Cybersecurity Evolution

Larry Roth, CEO, Wealth Solutions Report

For several years, the call for advisors to prepare for rising and rapidly evolving cybersecurity threats has echoed throughout the industry. In March 2023, the Technology Tools for Today (T3) conference highlighted cybersecurity as a key issue for wealthtech. Unfortunately, progress in security still lags behind the evolution of threats.

Wealthtech demos for other areas of a tech stack may feel more exciting, and there is always some reluctance to allocate budget to functions that are viewed as cost centers, but cybersecurity risks and the sophistication of cybercriminals only grow over time.

As Brian Hamburger, Chief Counsel of The Hamburger Law Firm, recently told us, “While there is no shortage of important issues, perhaps the most urgent is the impact of cybercrime and its threat to so quickly erode the client trust that this profession relies upon. With the SEC and other regulators poised to issue new regulations, it will be yet another reason for investment advisors to reallocate resources and fortify their cybersecurity protections.”

Advisors Need More Preparation

Joel Bruckenstein, Producer, Technology Tools for Today conference, and Publisher, T3 Technology Hub

Joel Bruckenstein, Producer of the T3 conference and Publisher of the T3 Technology Hub, states, “The typical advisor is not well positioned for cybersecurity,” pointing to their lack of expertise and knowledge on cybersecurity.

John O’Connell, Founder and CEO of The Oasis Group, agrees, saying that advisors typically are “weakly positioned to understand their cybersecurity risk because they have not completed a comprehensive assessment of their cybersecurity posture.”

O’Connell recounts his own experiences working with advisors: “Many smaller firms outsource their cybersecurity function and do not check to ensure that their service provider is providing continuous service. We find that firms of all sizes do not have an incident response plan with the contact information for law enforcement and their vendors.”

Advisors’ preparation is “never strong enough,” says Scott Lamont, Managing Director of Consulting Services at F2 Strategy, who points to evolving threats to security despite advisors’ investments in monitoring, access controls and education.

Lamont’s slightly more upbeat assessment of the general situation is: “Advisors are much better positioned than they were years ago but should be careful not to get too comfortable.”

Sharing Lamont’s more positive but cautious viewpoint, Sid Yenamandra, Founder and CEO of Surge Ventures, says that advisors are “moderately prepared, often relying on basic measures like antivirus software and firewalls,” but cautions that “many lack comprehensive strategies, making their position relatively weak against sophisticated threats.”

Risk Areas

Often advisors treat cybersecurity as a check box for processes and procedures that are so complex only experts can manage them. While there’s solid logic in this approach, leaders of advisory firms don’t need to become tech experts. Just a basic education on the mechanisms and risks will enable them to actively engage the experts to install and maintain superior solutions.

Sid Yenamandra, CEO, Surge Ventures and Kovair

Yenamandra points out many potential cybersecurity snares for advisors, including insider threats, phishing, insufficient vendor due diligence, ransomware, data breaches and regulatory non-compliance.

Echoing Yenamandra’s concerns about vendors, O’Connell says, “Advisors struggle to understand where their data is stored or who has access to their data beyond their SaaS vendors. Many SaaS vendors leverage third-party software, cloud hosting data centers, and, in some cases, third-party consultants. Many breaches happen through these extended access points. Advisors can protect their firm with an open discussion with their SaaS vendors.”

Bruckenstein says that advisors may not understand the separate functions of cybersecurity and IT, leading many firms to combine these functions. “More sophisticated firms understand that IT people are not cybersecurity experts and that you need checks and balances between the two. For example, programmers might be under pressure to roll out software rapidly. Cybersecurity teams work to ensure it is safe, even if it takes a bit longer.”

Lamont cautions advisors against complacency, pointing to increasing “sophistication of spoof texts and voice messages.” He adds that cybersecurity must be “a topic of continuous education.”

Where Advisors Are Winning

Lamont says that advisors are gaining ground in education. “Information about cybersecurity is more accessible and understandable than it has ever been.” According to Lamont, “Wealth firms are much better at educating and training their teams about the threats and how to avoid them than in the past.”

Scott Lamont, Managing Director of Consulting Services, F2 Strategy

Bruckenstein also points to education as an area where advisors are advancing, as well as “investing heavily to combat bad actors.”

Areas of improvement include advanced encryption, AI-driven threat detection and enhanced training programs, according to Yenamandra. “Collaboration with cybersecurity experts and adoption of cutting-edge technologies are also fortifying their defenses.”

O’Connell takes a different tack, stating that “many wealthtech firms in our space are not helping advisors to gain ground in cybersecurity.” He says that wealthtech firms must ensure they have a chain of custody and encryption for client data, and that advisors must use multifactor authentication.

“The industry as a whole needs to move from a ‘trust but verify’ approach to a zero trust approach in regards to cybersecurity,” O’Connell adds.

The Regulatory Angle

Bruckenstein explains how the regulatory environment addresses cybersecurity: “There are cybersecurity regulations at the federal and state level that set a minimum bar that advisors are required to need. There are also emerging regulations regarding AI.”

While noting that regulation can be good, Bruckenstein points to potential downsides, including cost and complexity, lack of clarity, and uncertainty resulting from changing regulations.

John O’Connell, Founder & CEO, The Oasis Group

Yenamandra also says the cost and complexity of compliance is a drawback, because it can stress advisors’ resources, “potentially creating gaps in smaller firms’ defenses.” At the same time, he notes the positives: “Regulatory changes have heightened awareness and standards for cybersecurity, leading to better practices.”

Better client protection is one of the positives Lamont sees in the regulatory environment, with the caveat that we may not know how much regulation has improved the industry “because all the hacks and breaches that have been prevented through improved controls don’t get any publicity.” Nonetheless, “regulation forces investment and adherence, and adherence means there are more controls and better education in place.”

O’Connell points to stricter data protection and regular audits as improvements, “reducing the risk of data breaches and increasing client trust.” He also shares Bruckenstein’s and Yenamandra’s concerns on the cost and complexity of compliance.

Cybersecurity In The Coming Years

While predictions are never perfect, educated extrapolation of current trends can provide a measure of guidance for advisors trying to get ahead of the curve on cybersecurity.

Bruckenstein sees regulators taking a tougher stance in reaction to breaches, but leaves room for political differences. “Democratic administrations tend to be more aggressive when it comes to rule-making and enforcement, but overall, I think everyone understands that the risks are real, and they are not going away.”

Yenamandra says that “cybersecurity will likely evolve with increased AI integration, automated compliance checks, and real-time threat intelligence sharing.” He predicts, “Continuous regulatory updates and education will be crucial to staying ahead of emerging threats.”

With client information readily available and at low cost to criminals, O’Connell points out that bad actors can merge data sets “to create a shockingly detailed view of your client.” When combined with AI, detailed client data can be used to create “deepfakes,” or realistic likenesses of your clients, and advisors must prepare to guard against this.

While acknowledging that many perceive AI as a threat, Lamont points out that AI can be used to enhance threat detection and transaction monitoring, which “will enable wealth firms to provide greater access to data with less risk of exposing it to bad actors.”

Larry Roth is CEO of Wealth Solutions Report and Managing Partner of RLR Strategic Partners, and can be reached at larry.roth@rlrstrategicpartners.com.

As founder and CEO, Larry Roth guides Wealth Solutions Report's direction and provides wealth industry commentary. Former CEO of Advisor Group (Osaic) and Cetera. Founder and Managing Partner of Ascentix Partners and board member at wealth firms.
