After more than 30 years of managing technology in high-level positions in a variety of industries, Wes Stillman founded Lenexa, Kan.-based RightSize Solutions in 2002. It was the first provider of outsourced technology management and cloud-based cybersecurity solutions for registered investment advisors (RIAs). In 2018 it launched the RightSize Shield, which it calls “the most comprehensive, flexible and completely compliant cybersecurity solution for RIAs.”

Stillman believes that a “smart” technology infrastructure goes beyond protection against cyberattacks. It can improve efficiency, serve as a platform for growth and, ultimately, increase a firm’s valuation, he said.

He recently spoke to Financial Advisor about the growing cybersecurity threats financial advisors face and what they can do about them.

How did you come to focus your business on financial advisors?

When I got the opportunity to start RightSize Solutions it was very obvious to me that most of the IT providers out there were great at IT but were trying to provide IT to all companies. You can't do cybersecurity as one size fits all. It has to be built around how you work, how you work with your clients and what your clients are going to accept from a security standpoint.

Are there specific threats that RIAs face?

RIAs make great targets for the bad guys out there. Most of them are small organizations, up to as much as 30 to 40 people. And they deal with a lot of money, from a few hundred million dollars to a few billion under management. Over the past year it has become more obvious how vulnerable they are. The SEC has really put a major focus on it, along with the states. In 2015, the SEC started talking about guidelines for cybersecurity. Since then it has moved from not really understanding what needs to be in place for RIAs to being well educated about cybersecurity. We've seen the SEC exam go from four to five questions about cybersecurity policies to more than 40 very detailed questions. So there's no doubt that there is a need for these firms to really engage with someone who understands what the needs are and can help them focus on that.

Do RIAs take cybersecurity seriously?

We hear all the time from RIAs, “I know I need to do something, but I don't know where to start.” The SEC’s focus is on enforcement; it doesn’t help you create a policy on what you should be doing. Our job is to help advisors not only understand what should be in place, but actually make that happen for them. Most RIAs today do have a cybersecurity policy, but it's usually created through their compliance department. For example, they may have a policy that you’re only supposed to get email on your personal phone if it's encrypted. That's a good component to the policy. But they have no way of knowing if everyone in their company is complying with that, and no way of enforcing the policy.

Instead of just reporting on what is out of compliance, we want to make sure that their policies are being adhered to. It’s a proactive approach as opposed to a reactive one. We do all the monitoring and reporting on the back end of things, which is important, but once we have that policy in place, we enforce those policies with technology. We work as part of your team—with your compliance group, your operations group. Cybersecurity is not something you can just buy. It's a combination of awareness, training and enforcement, and it’s ever evolving.

What's the biggest cybersecurity vulnerability for RIAs?

Email, absolutely. But every single device you use to access something on the internet becomes a vulnerability point.

How do RIAs ensure that their clients are not at risk from hackers?

That's the $64,000 question. RIAs are in business to provide excellent service, so when they get an email from a client seeking help, they naturally want to make that happen. Most of the fraud cases we see have come from the client side. That's a difficult position for RIAs to have to deal with. Sometimes they will do everything correctly on their end and the bad actors will still get around it.

For example, we know of a case where the RIA did everything they were supposed to do. They called the client to verify all their information, but the hackers had hacked into the client’s account and responded to the advisor with all the valid information, including the client's phone number and signature. The RIA transferred $400,000 to the hacker’s bank account, yet they did everything correctly. The point is you want to be in the best position you can be in to prevent this.

How do you prevent incidents like that from occurring?

You have to have the protocols in place to do the best job you can to protect your client and yourself. We have multifactor authentication and we have conditional access. Those are two key steps that we enforce. And you have to ensure that your client is coming from a compliant device, otherwise you're not getting in. But even if all that fails, we have reporting that alerts us where people are logging in from. If the email is coming from North Korea, that’s an obvious red flag. We monitor all emails and verify that all account information is valid. All that is being monitored and reported back to us.
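The controls described in that answer, multifactor authentication, conditional access that requires a compliant device, and back-end reporting on where logins originate, can be sketched as a small policy evaluator. The following is an added example written for this page; it is not RightSize Solutions' code and the policy values (an allowed-country list, a two-hour window for "impossible travel" between two countries) and the login events are constructed assumptions. It goes one step beyond the text by flagging impossible travel, a check practitioners commonly layer on top of plain "unexpected country" alerts.

```python
"""Conditional-access decisions plus login-location alerting (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy values chosen for this example, not from the interview.
ALLOWED_COUNTRIES = {"US", "CA"}
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


@dataclass
class LoginEvent:
    user: str
    when: datetime          # assumed UTC
    country: str            # ISO 3166 alpha-2 code from IP geolocation
    mfa_passed: bool
    device_compliant: bool  # result of the device-compliance check


def evaluate(event, last_allowed=None):
    """Apply the access policy to one login and return (decision, reasons, alerts).

    The decision is driven only by MFA and device compliance, mirroring the
    enforced controls in the text. Location checks never block here; they
    produce alerts so a login that passed every gate is still reported.
    """
    reasons = []
    if not event.mfa_passed:
        reasons.append("mfa_not_satisfied")
    if not event.device_compliant:
        reasons.append("noncompliant_device")
    decision = "deny" if reasons else "allow"

    alerts = []
    if event.country not in ALLOWED_COUNTRIES:
        alerts.append(f"login_from_unexpected_country:{event.country}")
    # Impossible travel: a different country than the user's last successful
    # login, within a window too short for a person to have moved.
    if (
        last_allowed is not None
        and last_allowed.country != event.country
        and event.when - last_allowed.when < IMPOSSIBLE_TRAVEL_WINDOW
    ):
        alerts.append(f"impossible_travel:{last_allowed.country}->{event.country}")
    return decision, reasons, alerts


def run_policy(events):
    """Process events in time order, tracking each user's last allowed login."""
    last_allowed = {}
    results = []
    for ev in sorted(events, key=lambda e: e.when):
        decision, reasons, alerts = evaluate(ev, last_allowed.get(ev.user))
        if decision == "allow":
            last_allowed[ev.user] = ev
        results.append({
            "user": ev.user,
            "when": ev.when.isoformat(),
            "decision": decision,
            "reasons": reasons,
            "alerts": alerts,
        })
    return results


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2024, 1, 15, 9, 0), "US", True, True),
    LoginEvent("bob", datetime(2024, 1, 15, 9, 30), "US", False, True),
    LoginEvent("alice", datetime(2024, 1, 15, 10, 0), "KP", True, True),
    LoginEvent("carol", datetime(2024, 1, 15, 11, 0), "US", True, False),
]


if __name__ == "__main__":
    for row in run_policy(SAMPLE_EVENTS):
        print(row)
```

The second "alice" event is the interesting one: it satisfies MFA and the device check, so the policy allows it, yet the reporting layer raises both an unexpected-country alert and an impossible-travel alert (US to KP in one hour), which is exactly the "even if all that fails" case the answer describes. Whether such a login should be blocked outright rather than alerted is a policy choice for the firm.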

Is cybersecurity expensive?

We are a complete IT department at about half the price of what you would pay if you bought everything à la carte or did it yourself in-house. We’re kind of a combination of infrastructure as a service, software as a service, and a managed security service provider all rolled into one. We handle all the licensing; you have access to our help desk and our private cloud. We offer discounts on cybersecurity insurance. More importantly, we save advisors money in terms of time and productivity. For example, what if you lose your laptop or it’s stolen? In our case you can simply go to any computer and securely log into our private cloud platform and continue to be productive until we fix the issue or get you another secure device. You're not just dependent on that individual device. You can continue working without missing a beat.