The cost for RIAs looking for a pen test depends on what they want Rook to do—they can do it for under $10,000, says Gordon, especially if the client wants to check just one location. The firm provides step-by-step guides for remediation. Often this means beefing up e-mail security, training staff and putting a process in place (if, say, fake fire inspectors show up).

Many attackers work by cross-referencing whatever information is already exposed on the internet, especially on the dark web, including credentials spilled in earlier breaches. Greg Fulk, COO at Valeo Financial Advisors in Indianapolis, asked Rook to test one of its custom applications.

“They will try to guess usernames and passwords,” Fulk says, “and anytime these great big public websites are hacked, something like Yahoo, they are going to try to find somebody in the Yahoo hack of 2013 who has the same credentials as one of my employees.” That employee likely uses the same password at work that he or she uses to shop for Christmas presents at Home Depot or Amazon, he says. Rook was able to find those employee credentials on the dark web and try them on Valeo’s site.
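The check Rook ran by hand can be done offline by the firm itself: take a breach dump, correlate each leaked identity with an internal account, and test the leaked password against the account's stored hash. The script below is an added example and not Rook's or Valeo's tooling. It assumes the account store holds salted PBKDF2-HMAC-SHA256 hashes, that the dump is plain `email:password` lines, and that the e-mail addresses, passwords and the `example-advisor.com` domain are all constructed sample data. The `spray=True` mode goes beyond identity correlation and tries every leaked password against every account, which is what an actual credential-stuffing run does and what catches the employee who reused a password under a personal address that cannot be linked to the work one.

```python
"""Offline credential-reuse check (added example; sample data is constructed)."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Illustrative PBKDF2 work factor (assumption); raise it for a production store.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever hash the site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account_store(accounts: List[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the store the check runs against: email -> (salt, digest)."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def parse_breach_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines; a password may itself contain ':'.
    Blank lines, '#' comments and lines without a separator are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def candidate_accounts(store: Dict[str, Tuple[bytes, bytes]], leaked_email: str) -> List[str]:
    """Accounts a tester would correlate with a leaked identity: an exact
    e-mail match, otherwise the same local part (jsmith@gmail vs jsmith@firm)."""
    if leaked_email in store:
        return [leaked_email]
    local = leaked_email.split("@", 1)[0]
    return [acct for acct in store if acct.split("@", 1)[0] == local]


def find_reused_credentials(store, dump, spray: bool = False) -> List[Tuple[str, str]]:
    """Return sorted (account, leaked_email) pairs for accounts whose current
    password equals a leaked one. spray=True tries every leaked password
    against every account; the default only correlates by identity."""
    hits: Dict[str, str] = {}
    for leaked_email, leaked_password in dump:
        targets = list(store) if spray else candidate_accounts(store, leaked_email)
        for acct in targets:
            if acct in hits:
                continue  # already flagged; one reset is enough
            salt, digest = store[acct]
            if hmac.compare_digest(hash_password(leaked_password, salt), digest):
                hits[acct] = leaked_email
    return sorted(hits.items())


# Constructed sample data: three employee accounts and a small breach dump.
EMPLOYEES = [
    ("alice@example-advisor.com", "Winter2013!"),
    ("bob@example-advisor.com", "correct horse battery staple"),
    ("carol@example-advisor.com", "hunter2"),
]

BREACH_DUMP = """
# constructed sample dump, one email:password per line
alice@example-advisor.com:Winter2013!
bob@oldmail.example:correct horse battery staple
carol@example-advisor.com:notherpassword
dave@other.example:hunter2
malformed line without separator
"""

if __name__ == "__main__":
    store = make_account_store(EMPLOYEES)
    dump = parse_breach_dump(BREACH_DUMP)
    print("correlated:", find_reused_credentials(store, dump))
    print("sprayed:   ", find_reused_credentials(store, dump, spray=True))
```

In correlated mode the run flags Alice (exact address) and Bob (same local part under an old personal address); Carol's reuse of `hunter2`, leaked under an unrelated address, is only caught in spray mode. Both modes run against your own hash store, so nothing is sent to the login endpoint and no lockouts are triggered; the spray mode's cost is one hash per (password, account) pair, which is why the work factor matters.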

Pearson at Legend Financial says that her firm has been looking into a pen test, but that there’s a bit of a learning curve. The expense of the test aside, the scope is often too broad or nonspecific for a registered investment advisor, she says.

“With the package that we’re looking at doing, it’s probably going to cost us $10,000 to start with,” she says. Legend also had a problem with its insurance—“they won’t give us parameters of what we should be doing to be considered a better risk.”

Still, she thinks Legend is ahead of the curve, and she sees few other RIA firms even looking into these tests. Phishing and ransomware are the two biggest threats, she says. Legend has tackled that problem by routing all e-mail through a single company server that is not connected to the rest of its network. That provides a level of security.

Legend also sends cybersecurity questionnaires to outside vendors that will have access to its systems, something she says not all advisory firms do. Third-party software developers pose big risks.

A lot of third-party web developers are coding for functionality for the end user, says Rook’s Gordon. They are not coding with security in mind.

Pearson says there are steps you need to take if you do face a breach. “One of the things we learned up front is you don’t automatically just reach out to your clients and say, ‘Hey, somebody broke into our system.’ There are channels that need to be followed. You need to involve the police. In some cases, you might also need to be involving the FBI.”

Jenna Holm at Accredited Investors, which had $1.6 billion in AUM at the end of last year, said her firm has been doing vulnerability testing for a couple of years and does it annually. “Costs for a small business are anywhere from $5,000 to $20,000, and it really depends on how thorough a job the company is doing.