How Can a Small Advisory Practice Economically Be as Cyber-Secure as Possible?

Cyber risk applies to firms large and small alike. Even very small advisory firms, which I’ll define as having one to five staff for purposes of this discussion, hold a wealth of information worth safeguarding: client identities, account numbers, tax documents and wire instructions.

Cybercrime is often a crime of opportunity. Hackers are metaphorically going door to door (computer to computer) jiggling doorknobs to see which company is unlocked and a ripe target. At CSS, we are frequently asked by small practices about what steps they can take to improve their cybersecurity. My advice is to focus on the quick wins and the most cost-effective solutions. The goal isn’t to build Fort Knox, but to be a little more secure than the next company to take the target off your back. And it’s important to keep in mind that small firms are in fact a target. Many small firms believe they are not on a hacker’s radar, but hackers know that small firms are more likely to have weaker defenses.

Cost-effective solutions include:

  • Keeping your operating system and software (including browsers and the applications you use every day) patched, ideally with automatic updates turned on, so that known vulnerabilities can’t be exploited against you
  • Being aware of social engineering and phishing risks, and refreshing your ability to detect them through regular training, so that you think twice before clicking a link or opening an attachment you weren’t expecting, and so that you call a client, on a phone number you already have on file rather than one supplied in the email, to verbally verify wire instructions before sending money out
  • Using encryption whenever feasible to send and store data. BitLocker full-disk encryption is built into Windows 10 Pro and Enterprise, for example, and many newer consumer devices ship with device encryption turned on, but it only protects you if it is actually enabled, so check the status rather than assuming it. Using a secure file-sharing portal is generally safer than sending clients confidential files via unencrypted email, because if an email account is later compromised, the attacker doesn’t also inherit years of client files sitting in the mailbox.
  • Finally, enabling two-factor or multi-factor authentication wherever possible, starting with email and any remote-access or cloud accounts, since a compromised mailbox is where most wire-fraud and account-takeover incidents begin
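The first and third bullets are easy to assume and easy to get wrong in practice: a laptop can show BitLocker as "encrypted" while protection is suspended, and updates can be configured yet quietly failing. The PowerShell self-check below is an added example, not part of the original post or of any CSS tooling. It assumes a Windows 10 or 11 machine running a Pro or Enterprise edition (where the BitLocker and TrustedPlatformModule cmdlets exist; on Home editions the device-encryption status must be read from Settings instead), and that it is run from an elevated prompt. It reports the encryption state of the system drive, whether a TPM is present to hold the key, and how long ago the last update actually installed.

```powershell
# Added example: self-check for two of the "cost-effective" controls above
# (disk encryption at rest, patching). Not from the original post.
# Assumes Windows 10/11 Pro or Enterprise and an elevated PowerShell prompt.

$results = [ordered]@{}

# 1. Encryption at rest: is the OS volume actually protected, and by what?
#    Get-BitLockerVolume lives in the BitLocker module (absent on Home editions),
#    so probe for the cmdlet instead of letting the script fail.
$osVolume = $null
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
}
if ($null -eq $osVolume) {
    $results['BitLocker'] = 'cmdlet unavailable; check Settings > Update & Security > Device encryption'
} else {
    $protectors = ($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    $results['BitLocker'] = '{0} protection={1} encrypted={2}% protectors=[{3}]' -f `
        $osVolume.MountPoint, $osVolume.ProtectionStatus, $osVolume.EncryptionPercentage, $protectors
    # ProtectionStatus 'Off' with 100% encrypted means protection is suspended:
    # the key is stored in the clear and the disk is readable by anyone who takes it.
    if ($osVolume.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection is not On for $($osVolume.MountPoint)."
    }
}

# 2. Is there a ready TPM to seal the key to this machine?
$tpm = $null
if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
    $tpm = Get-Tpm
}
$results['TPM'] = if ($tpm) { 'present={0} ready={1}' -f $tpm.TpmPresent, $tpm.TpmReady } else { 'unknown' }

# 3. Patching: when did the most recent update install?
#    Get-HotFix only lists quality updates (not feature updates or Defender
#    signatures), so treat this as a rough staleness indicator, not an audit.
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$ageDays = $null
if ($lastFix) {
    $ageDays = (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    $results['LastUpdate'] = '{0} installed {1:yyyy-MM-dd} ({2} days ago)' -f `
        $lastFix.HotFixID, $lastFix.InstalledOn, $ageDays
    # Microsoft ships cumulative updates monthly; 45 days is an assumed threshold
    # that tolerates one missed cycle before flagging the machine.
    if ($ageDays -gt 45) {
        Write-Warning "Last update installed $ageDays days ago; check Windows Update."
    }
} else {
    $results['LastUpdate'] = 'no install date recorded'
}

# Print the summary.
$results.GetEnumerator() | ForEach-Object { '{0,-11} {1}' -f $_.Key, $_.Value }
```

Two readings matter more than the rest: a system drive showing protection "Off" (even at 100% encrypted) is not protecting anything, and a TPM that is present but not ready usually means the key is being held by a recovery password alone. Neither the script nor anything else on the laptop can tell you whether MFA is turned on for your email and portal accounts; that has to be checked in each provider's security settings.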

If you can tackle the above four bullets, you can greatly reduce your cyber risk without spending a lot. Once you have those items in place, it’s reasonable to consider next steps. The SEC and state regulators do expect even small firms to have cybersecurity policies and procedures, so that’s an area in which many firms turn to us for assistance when they’re ready.

The important thing to keep in mind is that the cyber best practices above can be implemented for free or at very little cost. The practical approach is to get those cost-effective controls in place first, and then, as budget allows, tackle the other aspects. Hackers won’t take it easy on you just because you have a smaller firm. But for a large percentage of cyberattacks (other than highly sophisticated nation-state attacks, which even large firms have trouble defending against), you don’t need to be faster than the bear, just faster than the other guy running from the bear.


For more cybersecurity resources:

Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.
