We’re entering an era where cybersecurity is going to take center stage as a concern of registered investment advisors. Consider that cybercrime has increased by more than 600% since the start of the Covid-19 pandemic. According to one study, it’s expected to nearly double over the next three years.

The Securities and Exchange Commission has meanwhile indicated that it’s going to take a more proactive posture to make sure that firms are protecting their clients, so it’s more critical than ever that RIAs take steps to protect those clients—and, of course, their own businesses. And when it comes to cyberattacks, it’s not a matter of “if.” It’s a matter of “when.”

The reality is that the risks can’t be completely eliminated. But they can be effectively mitigated.

What Cyber Risk Looks Like For RIAs
Just as financial services firms have a fiduciary responsibility to their clients, business and stakeholders, they also have a responsibility to protect their clients’ data and the security of their assets. It’s important to recognize that this risk extends beyond identity theft. Advisors have access to a great deal of their clients’ financial data, so much so that it leaves the clients quite vulnerable when it’s unprotected. That risk is further amplified when you consider the deeply personal nature of an advisor-client relationship, which is rooted in trust. If an advisor is compromised by a cyber event, it can be hard to rebuild clients’ broken trust. And beyond the legal issues an advisor could face, their reputation could suffer as well.

What Pending Regulation Means For RIAs
Last year, the SEC began requiring public companies to disclose a breach within 72 hours, and the disclosure requirements for RIAs and smaller businesses are expected to be released this spring. Yet many small business owners don’t even know within 72 hours that they’ve had a breach, let alone how to approach disclosing it to clients.

The SEC also requires registrants to describe how they will assess, identify and manage the material risk they face from cybersecurity threats. If you were to ask RIAs to do this today, many wouldn’t be prepared.

Those that can, however, will stand out: RIAs who demonstrate that they’re adhering to the highest cybersecurity standards can show clients that they’re committed to protecting them and their future.

An Action Plan
RIAs are financial experts, but they’re often not cybersecurity experts. And building a cybersecurity program in house is costly. That’s where trusted strategic partners come in. Having an enterprise-wide cybersecurity solution—instead of disparate tools—that quickly identifies and removes vulnerabilities gives RIAs more power than ever to scale and better serve their clients while knowing their businesses are secure.

Advisors may believe they’re protected in various ways and later learn that a specific protection was not in effect. Many don’t even know whom to turn to when they have questions, which is why it’s important to find a strategic partner with in-depth expertise: someone who can better understand the most important cyber risks, tools and industry-specific regulations, and who can perform the proper due diligence on the vendors and applications advisors use within their business. By tapping into experts who can give customized insights and support, RIAs can focus on what they do best: powering wealth for their clients and business.

The Future
These cybersecurity risks are not going away, especially as technology footprints grow and the regulatory landscape continues to evolve. Now is the time for advisors to adopt a fiduciary-like mindset for cybersecurity and take a proactive approach to addressing the needed controls that will help them meet regulatory requirements. By failing to evaluate how to protect their clients and business today, RIAs risk falling victim to the next bad actor and facing legal repercussions.

Steve Bomberger is the head of SEI Sphere. Gabriel Garcia is the managing director of RIA client experience at SEI.