Keeping Clients Secure: Cyber Awareness for Advisors
Advisors are trusted with highly sensitive personal data. Learn more about the measures necessary to keep this data safe.
August 04, 2025
Clients trust advisors with critical private information. As advisors, it’s crucial to earn this trust by taking all the necessary steps to keep this information secure.

In a recent conversation, Ken Smith, Offensive Security Certified Professional (OSCP) and Offensive Security Wireless Professional (OSWP), spoke on the importance of cybersecurity in the financial services industry and offered practical insights that financial professionals can use to make sure they are taking all the necessary steps to safeguard their clients’ sensitive data.
Throughout his career, Smith has worked at the intersection of cybersecurity and financial services, notably serving as vice president on the red team at Bank of America. In that role, Smith played the part of a malicious threat actor, working to defeat the organization’s security controls and gain access to sensitive data. He has held similar roles throughout his career, frequently on behalf of clients in the financial sector.
Security Insights for Advisors
When discussing the threats that face advisors and their practices, Smith said, “My biggest concern is assuming you’re not a target…the truth is those types of businesses (RIA firms) are handling the same type of information as all these big businesses are, but they’re working with fewer people in security, a smaller knowledge base, and usually significantly less budget. And so if anything, they’re bigger targets.”
Small firms and big firms alike handle personally identifiable information (PII). This is exactly the type of data attackers go after when trying to compromise an organization: anything that can be used to steal someone’s identity is valuable to a threat actor.
PII is not the only target, though. Customer data, acquisition data, and compliance data are all attractive to attackers as well, and a compromise of any of them can lead to stolen data, fines, and further harm.
Smith emphasized that the best step financial professionals can take when they are responsible for their firm’s cybersecurity is to promote awareness and keep the firm from becoming a target of opportunity. He believes this starts with education, stating, “In terms of general education, community groups and user groups are really good. Groups like InfraGard can help you get tapped into groups like the FBI, and there’s a lot of knowledge sharing that goes around.”
Smith also suggested that advisory firms that rely on third-party service providers or network service providers meet with those third parties regularly to discuss the risks the firm faces and take part in developing the necessary security controls: “You want to have skin in the game to have ownership over those security outcomes.”
Understanding Social Engineering
On the less technical side of cybersecurity, financial professionals will also have to learn how to deal with social engineering. One of the most common forms of social engineering is “phishing,” a technique likely known by most. However, social engineering can refer to a variety of methods used by a threat actor to trick their way into obtaining sensitive information.
Smith began this part of the conversation by distinguishing between a phishing email and a spam email. According to Smith, much of the education on social engineering teaches that inconsistencies or obvious mistakes, such as a suspicious domain name, are the signs of a phishing email. In his view, those messages really belong in the category of spam. Phishing emails have grown in sophistication and tend to look genuine. They are also highly prevalent, because the tools for producing a phishing email require little effort and little to no cost.
Because of this, Smith highlighted the importance of having a well-established and rehearsed policy for handling a compromise: “It’s not just the technology, it’s not just educating people. You have to have a process in place to respond when something goes wrong.”
Security for Independents
When working at a smaller firm, an advisor’s security considerations are often different from those of an individual at a large corporate firm. With employees often performing multiple roles and handling a wider range of responsibilities, managing risk can be a challenge.
In this situation, Smith encourages advisors to engage third parties for a managed detection and response solution, and he stressed the importance of cyber insurance: “You can’t do that after the fact. Once you get breached, you’re not saying, ‘Oh by the way, I need insurance.’”
To avoid compromises, Smith promotes diligence. Attackers are often interested only in the path of least resistance. If a threat actor manages to obtain a set of user credentials, a control as simple as multifactor authentication can be enough to keep that initial breach from turning into a large-scale compromise of sensitive data.
Smith also issues a warning to firms that serve high net-worth clients, noting that such a firm can play the same role as a compromised vendor in a supply chain attack. “You are a means to an end if you work with high net-worth clients. There are scenarios in which you can be the best means of compromising your clients and you need to be diligent against that.”
However, there are also some benefits to working at a smaller firm. The biggest security weakness of any organization is its personnel. As such, firms with a smaller, well-educated staff can turn their size to their advantage. Smith shared, “With phone phishing, you can call and they all know each other in the office. So being at a small business can absolutely reduce the attack surface. That does mean though that your existing attack surface has to be that much more secure.”
Security When Leveraging Artificial Intelligence
Smith also discussed the prevalence of AI in the modern business world and said that it is another element advisors need to consider when securing their environment. “The business benefit of using these tools outweighs the risk, but it is another piece of the attack surface that is new and needs to be locked down.”
Smith emphasized that no identifiable information should be shared with AI tools, as generative AI uses the information it is given when training its future responses.
He also reiterated the need for a governance structure that sets the organization’s guidelines on the use of AI. “It’s that combination of people, processes, and technology to make sure you’re secure.”
Conclusion
Ultimately, responsibility for cybersecurity falls on every individual within an organization, and it is important that everyone does their part to keep client data secure and out of the hands of malicious threat actors.