How Can a Small Advisory Practice Economically Be as Cyber-Secure as Possible?

Cybersecurity is a risk that applies to firms both large and small without discrimination. Even very small advisory firms, which I’ll define as having one to five staff for purposes of this discussion, have a wealth of information worth safeguarding.

Cybercrime is often a crime of opportunity. Hackers are metaphorically going door to door (computer to computer) jiggling doorknobs to see which company is unlocked and a ripe target. At CSS, we are frequently asked by small practices about what steps they can take to improve their cybersecurity. My advice is to focus on the quick wins and the most cost-effective solutions. The goal isn’t to build Fort Knox, but to be a little more secure than the next company to take the target off your back. And it’s important to keep in mind that small firms are in fact a target. Many small firms believe they are not on a hacker’s radar, but hackers know that small firms are more likely to have weaker defenses.

Cost-effective solutions include:

  • Keeping your software and operating system patched, so that known vulnerabilities can’t be exploited
  • Being aware of social engineering and phishing risks, and refreshing your ability to detect them through regular training, so that you think twice before clicking a link or opening an attachment you weren’t expecting, and so that you call a client to verbally verify the wire instructions they emailed you before wiring money out
  • Using encryption whenever feasible to send and store data. BitLocker encryption at rest comes by default now on Windows 10 machines, for example, so if you have it and it’s enabled, your laptop is encrypted. Using a secure file-sharing portal is generally safer than sending clients confidential files via unencrypted email, because if an email account is compromised, the data isn’t just sitting there in the mailbox.
  • Finally, enabling two-factor or multi-factor authentication wherever possible
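As an added illustration (this is not code from the CSS post), the following read-only PowerShell check verifies two of the bullets above on a single Windows 10 machine: whether each fixed drive is actually encrypted with BitLocker protection switched on, and how long it has been since the last update was installed. It assumes an elevated PowerShell session and the BitLocker module, which ships with Windows 10 Pro, Enterprise and Education; on Windows 10 Home, look under Settings > Update & Security > Device encryption instead. The 45-day threshold is an assumption chosen for illustration, not a regulatory figure.

```powershell
# Added example, not from the original post. Read-only audit of encryption at
# rest and patch recency on one Windows 10 machine. Run as Administrator.

# 1. Encryption at rest. A volume only counts as protected when it is
#    FullyEncrypted AND ProtectionStatus is On. "FullyEncrypted" with protection
#    Off means BitLocker is suspended and the key is stored in the clear on disk.
$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    $protected = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
    $state = if ($protected) { 'OK' } else { 'ACTION NEEDED' }
    "{0,-6} {1,-20} Protection={2,-4} {3}" -f $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, $state
}

# Back up the recovery key somewhere other than the laptop itself (for example a
# printout in a safe or your identity provider's escrow). Without it, a firmware
# or TPM change can lock you out of your own data. To list the key protectors:
# Get-BitLockerVolume -MountPoint 'C:' | Select-Object -ExpandProperty KeyProtector

# 2. Patching. Which build is this, and when was the last update installed?
$os = Get-CimInstance Win32_OperatingSystem
"Windows build {0}, last boot {1}" -f $os.BuildNumber, $os.LastBootUpTime

$latest = Get-HotFix |
    Where-Object InstalledOn |               # some entries have no install date
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    "Most recent update {0} installed {1:d} ({2} days ago)" -f $latest.HotFixID, $latest.InstalledOn, [int]$age.TotalDays
    # Assumed threshold: 45 days covers one missed monthly Patch Tuesday.
    if ($age.TotalDays -gt 45) { "ACTION NEEDED: no updates installed in over 45 days. Check Windows Update." }
} else {
    "No update history returned by Get-HotFix. Check Windows Update manually."
}
```

Run it on each laptop in the practice and keep the output; it is a cheap way to prove to yourself (and later to an examiner) that the "encrypted and patched" bullets are true rather than assumed. Multi-factor authentication cannot be verified from the machine itself, so check that one in the admin console of each email and portal provider.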

If you can tackle the above four bullets, you can greatly reduce your cyber risk without spending a lot. Once you have those items in place, it’s reasonable to consider next steps. The SEC and state regulators do expect even small firms to have cybersecurity policies and procedures, so that’s an area in which many firms turn to us for assistance when they’re ready.

I think the important thing to keep in mind is that some of the cyber best practices above can be implemented for little or no cost. The practical approach is to get those cost-effective solutions in place first, and then, as budget allows, tackle some of the other aspects. Hackers won’t take it easy on you just because you have a smaller firm. But for a large percentage of cyberattacks (other than highly sophisticated nation-state attacks, which even large firms have trouble defending against) you don’t need to be faster than the bear, just faster than the other guy running from the bear.

