Cybersecurity: The New Arms Race of Wealth Management

Your registered investment advisory firm was hacked last night, and now you’re sitting in an all-hands-on-deck meeting. The CEO is calm. Your crackerjack IT team identified the breach immediately, and technicians are working with custodians to limit the damage and understand exactly what happened.

The good news: No money is missing from client accounts. The bad news: Clients’ names, Social Security numbers, birthdays, and addresses were all taken, as were other details yet to be determined. Your CEO, a true fiduciary, insists your firm has an obligation to notify clients about the hack.

The real question is what to tell them. The statutory requirements are confusing. The impact of the breach may take months to understand as techies try to identify how the hackers breached your perimeter and exactly what they took.

And in the immediate aftermath of an attack, only one thing is clear: If you tell clients “We’ll pay for credit monitoring for 12 months,” then you don’t understand the problem.