TECHNOLOGY
risks to clients and who, more importantly, have offered services to help, including education that teaches clients what they need to do to better protect themselves, will be in a fundamentally better position to maintain client trust after a breach than those who have ignored the issue.
Third Party Trust
Breached advisory firms also run the risk of being removed from their custodians’ platforms. Indeed, on multiple occasions custodians have sent letters to a firm’s clients after an attack informing them their wealth manager’s access has been terminated because of inadequate controls and that the clients need to find another organization to hold their assets.
Undoubtedly, explaining such letters to your clients will be challenging. But custodians must do this. They have deep pockets, and the client likely will go after them for any lost assets that the advisor cannot or does not reimburse. And the generally poor level of cybersecurity practices by the wealth management profession and the limited cybersecurity awareness of their clients creates an indisputable trillion-dollar hazard for their service providers.
Consequently, if your firm is breached and loses client assets, it should expect teams of people from regulators or custodians to closely scrutinize your cybersecurity policies, procedures and technology. With the help of counsel and IT experts, you will have to somehow persuade custodial management that such a breach is very unlikely to reoccur. But if your firm has been lax in any of these areas, the team will likely conclude that a continuing relationship with your firm exposes the custodian to extraordinary risks.
Regulators Watching
Being breached also triggers a host of potentially problematic regulatory issues. Registered investment advisors are obligated under the SEC’s Regulation S-P to have “written policies and procedures that address administrative, technical, and physical safeguards to protect” customer information, as well as a program that is “reasonably designed to detect, respond to, and recover from unauthorized access.” New proposed rules will also require firms to have “adequate cybersecurity”; to self-report any breaches to the SEC within 48 hours of discovery; and to disclose any of these breaches in detail to every current, future and prospective client.
Furthermore, if a material breach occurs at your firm, you must both notify clients and disclose the incident on Form ADV. This includes describing the nature of the breach, its impact on your business, and any steps you have taken to reduce the harm to your clients. Beyond SEC requirements, there are state data breach notification laws that typically require RIAs to notify affected clients if their personal information has been compromised. These notifications are often sent directly to clients and may or may not appear within publicly available disclosures.
A breached firm could quickly find itself in the unenviable position of trying to explain why its cybersecurity program should be considered adequate, regardless of whether it lost client assets. At a minimum, the wealth manager will need clear written records that demonstrate its adherence to its policies and procedures. Those breached firms that have regularly and systematically educated their employees about cyber risks and supervised staffers’ online activities will be far more credible to third parties when it comes to defending the robustness of their cyber defenses.
However, your firm’s overall strategy for addressing and minimizing cyber risks will likely also be scrutinized. For example, it is going to be almost impossible to convince either custodians or regulators that your firm is serious about cybersecurity if it relies on a typical local IT service provider for its technology. The business model of these organizations is to take off-the-shelf software and rent it to multiple small companies. Their expertise is in providing a low-cost, easy-to-use technology solution, and their experience in managing cybersecurity risks and addressing breaches is generally negligible at best.
Everything — including your business — that is connected to the internet is eventually going to be breached. The only question is this: How much lasting damage will it create?
MARK P. HURLEY is the CEO of Digital Privacy & Protection. BRIAN HAMBURGER is the President & CEO of MarketCounsel Consulting and Chief Counsel of the Hamburger Law Firm.
28 | FINANCIAL ADVISOR MAGAZINE | MARCH 2025 WWW.FA-MAG.COM