Your Custodian May Fire You if You Lack a Cybersecurity Risk Protection Strategy!

2023-04-April-B

By Michael Brice, Founder and President, BW Cyber

I read this article on Financial Advisor magazine recently about the potential for Custodians to fire their RIA clients, and it really struck a chord – it’s almost as if I could have written the article myself. If you’ve kept up with my recent blogs, you’ll most certainly be aware that the SEC has been very busy creating a set of sweeping new cybersecurity rules that will directly impact RIAs. You’ll also be aware that I am highly focused on the continued epidemic associated with wire fraud in the asset management industry. So, for those of you on a time crunch, the bottom line is the nexus between these two themes: there have been a few instances of custodians actually firing their regulated asset management clients because the managers suffered a loss due to wire fraud and didn’t have a cybersecurity program in place. As a result, the custodian didn’t want to be exposed to the potential legal risk around theft of the end client’s money.

As I’ve said many times, the risk-reward scenario for criminals targeting the asset management industry is heavily skewed in favor of the criminals. Add to this formula the game-changing effect of ChatGPT and other AI tools that criminals can use to better target asset managers and their investors, and you have a perfect storm for liability (both legal and regulatory).

I, of course, continue to be fascinated with the SEC’s approach (accompanied by some missteps) to cybersecurity regulation, as well as with how registrants will respond to the new rules once the SEC begins enforcement. The SEC, no doubt, will move forward with sweeping changes in the near future, as I alluded to recently. Ultimately, from my perspective, cybersecurity hygiene and regulatory compliance traditionally tend to be addressed by registrants in one of the following three camps:

  • Registrants that do nothing, usually predicated on a “let’s wait and see what others do before we do anything” stance,
  • Registrants that seek administrative compliance by performing as little as necessary to comply, and
  • Registrants that understand cybersecurity risk and seek to mitigate that risk with real-world programmatic protections.

Ultimately, how strictly the SEC enforces these new rules and how quickly registrants might respond to them is anybody’s guess. However, if custodians’ response of firing their clients is indicative of things to come, registrants might want to pay special attention to these new rules. Like I said, I’m fascinated. Stand by for more on this subject next month…