How Independent RIA And Broker-Dealer Firms Should Rethink Cybersecurity


By Steve Youhn, ProEquities

I recently attended an industry event where I had a chance to catch up with an old friend who runs his own independent advisory business. He told me about a phishing attack against one of his staff.
The threat was caught in the nick of time, and purely by good luck. My advisor friend said the bigger problem was that, while his team had already gone through cybersecurity training offered by his broker-dealer / corporate RIA, the training program had little relation to the devices, practices and policies that the phishing attack nearly exploited.
This exemplifies an overarching cybersecurity issue for the independent financial advice industry: it is a fast-evolving field in which too many firms rely on patchwork "solutions" that stitch together in-house tools and multiple third-party service providers, each working in its own silo. More often than not, these components of a firm's security stack do not share data with one another, if they communicate at all.
And while technology and service providers are highly fluid, the industry should expect two constant factors to keep defining the future of cybersecurity for independent firms and their affiliated financial advisors. First, cyber criminals will continue to intensify their efforts to attack BDs and independent advisors in order to reach sensitive client data and, worse yet, client investment funds. Second, regulators will continue to put pressure on firms and advisors to do more to protect clients from cybercrime.
It’s past time for the independent financial advice industry to significantly rethink how to structure cybersecurity technology solutions, with these four key building blocks of cybersecurity best practices in mind:
  1. Maintain up-to-date systems and software safeguards. RIAs and BDs should require all personnel to run current, company-approved anti-virus and anti-malware software and firewalls, and to apply security patches to operating systems and applications promptly, since an unpatched known vulnerability is one of the easiest ways in.
  2. Protect physical devices from intrusion. Desktops, laptops, tablets and smartphones should not be accessible to unauthorized users, even when left unattended or lost. Full-disk encryption, strong passcodes and automatic screen locks make it much harder for someone who finds or steals a device to read the client data stored on it.
  3. Tailor and customize advisor training. Cybersecurity tutorials and guides are only worthwhile if they apply to the people using them. Preventative education must match the daily experience of advisors. For example, offerings should simulate phishing attacks that typically confront financial professionals, like fraudulent emails requesting client data or account changes.
  4. Monitor security gaps from the home office. Instead of simply hoping that teams in the field follow the necessary procedures, headquarters should monitor advisor and home-office systems centrally, detect gaps as they appear (an unpatched machine, a device without a screen lock, a missed training module, as described in the points above) and send correction notices promptly, always keeping workflow disruption to a minimum.
While many firms have accomplished aspects of the above, the next evolutionary step is to combine these features into one integrated solution that shares data across components and, in doing so, simplifies troubleshooting.
Achieving a fully integrated cybersecurity platform is less burdensome than it might first appear, provided that independent broker-dealers resist the tendency to build proprietary solutions rather than work with dedicated third-party providers.
By carefully selecting the right third-party provider, independent broker-dealers can stick to their core competency of wealth management while doing what it takes to protect advisors and their clients from cyber criminals.
Of course, not all partners are capable of serving the unique needs of each firm and its advisors. Just as the financial advice industry is comprised of many different types of firms that vary greatly by size, service model and client base, the right tech partner must offer solutions that fit accordingly. And whichever provider is chosen, the firm remains responsible for its clients' data, so due diligence on the vendor and ongoing oversight of its controls are part of the job, not something the contract makes go away.
But going the other route of developing a comprehensive proprietary cybersecurity platform in-house simply isn't a wise alternative in today's landscape. This approach requires a large, cutting-edge IT department of experts and equipment that would be difficult to manage and expensive to maintain.
Moreover, firms that take a "build it ourselves" mindset must also guard against mission creep that gradually moves the firm away from its core competencies and drags it into the business of technology creation for its own sake.
However much of a nuisance regulators, firms and advisors feel cybercrime has become for the industry, the common-sense assumption is that attacks will only continue to intensify as criminals gain more effective tools for breaking into the disparate systems that staff, vendors and clients use every day.
That means it’s very much incumbent on firms to reimagine how they have traditionally viewed cybersecurity, even if that calls for starting over from the top down so all the relevant pieces in a system talk to each other seamlessly. Anything less would be a disservice to the millions of retail investors who rely on all of us to steward their wealth.

Steve Youhn is the Chief Compliance Officer of ProEquities, an independent RIA and broker-dealer headquartered in Birmingham, Alabama.