Key tips for RIA cybersecurity
Key Points
- The average firm spends $15,000 on cybersecurity each year, up from $12,000 the previous year, according to Schwab's 2024 RIA Benchmarking Study.1
- Having systems and policies in place can help protect firm data and client assets.
- The most robust cybersecurity programs bring together policies, systems, and people.
So far in 2024, we've seen more crypto scams, a cyberattack on Seattle-Tacoma International Airport, a massive AT&T data breach, and an attack on Ticketmaster.
Hackers continue to get more sophisticated and more effective. Unfortunately, financial advisory firms are a prime target because they hold exactly the sort of personal and financial information that cybercriminals want.
RIA firms continue to feel a sense of urgency as they build their defenses against cyberattacks. Schwab's 2024 Benchmarking Study found that the average registered investment advisor (RIA) firm with $250+ million in assets now spends $15,000 on cybersecurity, up from $12,000 the previous year.1
Staying ahead of threats means staying vigilant. Here are some essential tips for protecting your firm.
Secure data wherever it is and wherever it goes
Now that remote working is so common, it's especially important to keep tight control over sensitive data. In fact, 92% of firms use email encryption or a secure client portal to communicate with clients, according to the 2024 RIA Benchmarking Study.1 Using a virtual private network, or VPN, to pass information between home and office systems keeps that data encrypted while it crosses networks the firm doesn't control, such as a home internet connection or public Wi-Fi. Keep in mind that a VPN protects the tunnel, not the endpoints: a compromised laptop is still compromised on the other side of it. It's also important to keep data protected when it's at rest, not just in transit. A practical way to do that is to have employees use a dedicated, firm-managed device with full-disk encryption for all work-related activity, so that firm information stays isolated from personal devices and accounts and the firm can monitor data flow more effectively.
Home networks can also have security weaknesses. Make sure every device connected to a home network, including the router itself, is up to date with the latest security patches. Use Wi-Fi encryption (WPA3 where devices support it, otherwise WPA2 with a long, unique passphrase; the older WEP and original WPA protocols are broken and should not be used) and properly configured firewalls. Both are important elements of home network security.
Don't let convenience become a security risk
Securing your accounts with unique, strong passwords may require a bit more organization (a password manager does the remembering for you), but it means that one stolen or reused password can't unlock every system you use. Likewise, turning on multifactor authentication for all your logins provides a layer of protection that's well worth the added step. An authenticator app or a hardware security key is a stronger second factor than a code sent by text message, which can be intercepted through SIM-swap fraud. It's also helpful to turn on account alerts that warn you about unusual activity or attempts to log in to your systems.
Many firms now offer single sign-on (SSO) for employees. This approach centralizes authentication, so multifactor authentication and access revocation are enforced in one place, and it makes it easier for employees to log in because they only need to remember one strong password instead of dozens of weak, duplicative, or easily guessed passwords. Because that one identity now opens every connected application, protect it with multifactor authentication and treat the SSO provider itself as critical infrastructure.
Build and reinforce your human firewall
Making coworkers and clients aware of common cybercrime techniques could be the best preventive measure in your arsenal. The most effective—and dangerous—hacks often involve someone inside a firm unwittingly letting a criminal into the system to gather information. Generally, one realistic-looking email is all it takes. Fortunately, many firms understand the risks and are taking action. Schwab's 2024 RIA Benchmarking Study found that 97% of firms provide cybersecurity training to employees.1
Thwarting those attempts can be as simple as cultivating a culture of security among employees and clients. Emphasize the importance of verifying requests out of band, for instance by calling the client back at a phone number already on file rather than one supplied in the message, or by asking additional questions before going forward. You can also run periodic simulated phishing tests to keep employees on their toes. Most people think they can spot a phishing attempt a mile away but may be surprised to find out how easily they can be fooled. It's better to fool them in a test than to have them fall for real fraud.
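As an added example (not part of the original article), the checks below automate the "double-check the contact information" habit on an inbound message: a Reply-To that points somewhere other than the apparent sender, a display name that impersonates a different address, a sender domain that is a lookalike of a trusted one, links to domains outside an allowlist, and urgency language. The firm domain example-ria.com, the trusted-domain list, and both sample messages are constructed for illustration.

```python
"""Triage an inbound email for common phishing indicators.

Added example, not code from the original article. The firm domain, the
allowlist and the two sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-ria.com"                 # assumed firm domain
TRUSTED_DOMAINS = {FIRM_DOMAIN, "schwab.com"}   # assumed link/sender allowlist
URGENCY_WORDS = ("urgent", "immediately", "wire", "today", "confidential")

# Substitutions attackers use to build lookalike domains (rn for m, 0 for o...)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    if domain == trusted:
        return False
    return normalize_domain(domain) == normalize_domain(trusted) or edit_distance(domain, trusted) <= 1


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_flags(raw_message: str) -> list[str]:
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Reply-To routes answers somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"reply-to domain {domain_of(reply_addr)} differs from sender {from_domain}")

    # 2. Display name carries an address that is not the real sending address.
    if "@" in from_name and domain_of(from_name) != from_domain:
        flags.append("display name impersonates a different address")

    # 3. Sender domain is a lookalike of a domain the firm trusts.
    for trusted in TRUSTED_DOMAINS:
        if is_lookalike(from_domain, trusted):
            flags.append(f"sender domain {from_domain} looks like {trusted}")

    # 4. Links outside the allowlist, and pressure language in the body.
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else None
    body = (payload or b"").decode("utf-8", errors="replace")
    for url_domain in re.findall(r"https?://([\w.-]+)", body):
        if url_domain.lower() not in TRUSTED_DOMAINS:
            flags.append(f"link to untrusted domain {url_domain.lower()}")
    if any(word in body.lower() for word in URGENCY_WORDS):
        flags.append("urgency language in body")
    return flags


# Constructed sample: a wire-fraud lure from a lookalike domain.
SAMPLE_PHISH = """From: "ceo@example-ria.com" <ceo@exarnple-ria.com>
Reply-To: ceo.office@mail-relay.example.net
To: ops@example-ria.com
Subject: Urgent wire request
Content-Type: text/plain; charset=utf-8

Please process this wire immediately and confirm at
https://login.exarnple-ria.com/confirm before noon today.
"""

# Constructed sample: an ordinary internal message.
SAMPLE_LEGIT = """From: Jane Ops <jane@example-ria.com>
To: ops@example-ria.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_flags(sample))
```

These heuristics are a triage aid, not a verdict: a message with several flags should be confirmed by phone at a known number before any money moves, and a message with none can still be fraudulent.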
Don't assume third-party vendors are secure
When it comes to technology vendors, it's critical to verify before you trust. For any third-party software or services, make sure you understand the security controls they use to protect data on your systems, on their systems, and in transit between the two, and ask for independent audit reports or security attestations rather than relying on marketing claims. Your contracts should also spell out their obligations in the event of a cyberattack, including how quickly they must notify you of a breach, so that if one does occur, both parties understand their responsibilities and next steps.
Maintain a strong, safe backup system
In a worst-case scenario, having a second copy of your critical data can be a lifesaver. For example, if you become a victim of ransomware—when hackers block access to your data until you pay them—the ability to rebuild your systems from a secure backup can save a lot of time, inconvenience, and money.
The best backup systems take regular "snapshots" of your information and store them off site, with at least one copy kept offline or in immutable storage so that ransomware that reaches your network cannot encrypt or delete the backups as well. It's also critical to test your backup recovery regularly, restoring real files and timing how long it takes, so that you can feel confident it will work when you need it.
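An added example, not from the original article, of what "test your backup recovery" looks like in practice: snapshot a directory into an archive together with a SHA-256 manifest, restore it into scratch space, and confirm that every file comes back byte for byte. The sample files, the archive layout, and the manifest format are constructed for this example; the point it makes is that the manifest must be kept apart from the archive, because a verification that trusts the archive's own contents cannot tell you the archive has been replaced.

```python
"""Snapshot a directory with a hash manifest, then prove it restores cleanly.

Added example, not code from the original article. Sample data is created in
a temporary directory; the archive layout and manifest format are this
example's own conventions.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, archive: Path) -> dict:
    """Write a tar.gz of `source` plus a manifest of per-file SHA-256 hashes.
    The manifest is embedded in the archive and also returned so the caller can
    store it separately (off site) for independent verification later."""
    manifest = {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        manifest_bytes = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(manifest_bytes)
        tar.addfile(info, io.BytesIO(manifest_bytes))
    return manifest


def restore_test(archive: Path, expected_manifest: dict) -> list[str]:
    """Restore into a scratch directory and check it against a manifest kept
    outside the archive. Returns problems found (missing files, altered
    content, unexpected extras); an empty list means the backup is good."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal
            except TypeError:  # Python versions before the filter parameter
                tar.extractall(scratch)
        root = Path(scratch)
        restored = {
            p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME
        }
        for rel, digest in expected_manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in restored:
            if rel not in expected_manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build constructed sample data, snapshot it, verify a clean restore, then
    simulate data being rewritten and re-snapshotted and show the off-site
    manifest catches the difference."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "client-files"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("id,balance\n1,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = work / "snapshot.tar.gz"
        manifest = snapshot(src, archive)
        clean = restore_test(archive, manifest)

        # Ransomware rewrites a file and a backup job blindly re-snapshots it;
        # the manifest stored off site no longer matches the new archive.
        (src / "accounts" / "ledger.csv").write_text("ENCRYPTED\n")
        snapshot(src, archive)
        tampered = restore_test(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore problems:", clean)
    print("after tampering:", tampered)
```

Run this on a schedule against the real backup target, not just once: a restore that worked last year proves nothing about the archive written last night.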
Get insurance
You may not be able to prevent all attacks. That's why it's essential to have insurance coverage that protects your firm and your clients' assets from devastating losses.
RIA firms should consider three types of insurance:
- Errors and omissions (E&O): Insurance to cover honest mistakes such as typos that lead to an employee executing the wrong trade.
- Fidelity bonds: Insurance that covers firm assets and client property against malicious actors—either theft by employees or fraud by people outside your firm.
- Cyber insurance: Insurance to help you get your technology systems and data back up and running after an attack.
Promote constant vigilance
Elderly clients are often targets for thieves and need the most help navigating a complex digital world. Staying vigilant within your firm is essential, but there's also a lot you can do to help clients protect themselves.
Many firms send clients cybersecurity tips via email or hold cybersecurity workshops. These efforts not only help protect the assets you manage, they also help strengthen relationships with clients, because cybersecurity education and outreach show you're serious about protecting their well-being. Yet according to the 2024 RIA Benchmarking Study, only 57% of firms have implemented client education, the lowest adoption of the measures surveyed, compared with 97% for employee training and 91% for cyber insurance.1
What you can do next
- Explore our full suite of cybersecurity and fraud prevention resources, including some resources to share with your clients.
- Consider a custodian that is invested in your success. Contact us to learn more about the potential benefits of a custodial relationship with Schwab.
1. Results for all firms with $250 million or more in AUM from the 2024 RIA Benchmarking Study from Charles Schwab.
About the 2024 RIA Benchmarking Study
Schwab designed the RIA Benchmarking Study to capture insights in the RIA industry based on survey responses from individual firms. The 2024 study provides information on topics such as asset and revenue growth, sources of new clients, products and pricing, staffing, compensation, marketing, technology, and financial performance. Since the inception of the study in 2006, more than 4,800 firms have participated, with many repeat participants. Fielded from January to March 2024, the study contains self-reported data from 1,304 firms that custody their assets with Schwab and represents $2 trillion in assets under management, making this the leading study in the RIA industry. Schwab did not independently verify or validate the self-reported information. Participant firms represent various sizes and business models. They are categorized into peer groups by AUM size. The study is part of Schwab Business Consulting and Education, a practice management offering for RIAs. Grounded in the best practices of leading independent advisory firms, Business Consulting and Education provides insight, guidance, tools, and resources to help RIAs strategically manage and grow their firms.
Past performance is not an indicator of future results.
For general informational and educational purposes only.