In this, the fourth and final article in his operational resilience series for IFA Magazine, Patrick Murphy shares practical examples of incidents that could realistically affect an advice business as he explores the cyber risk scenarios that firms should be preparing for now.
From email compromise to platform outages and ransomware, the risks facing advisers are becoming increasingly operational and much more difficult to ignore.
For many advice firms, cyber risk still feels like something that happens elsewhere, more of an issue for large wealth managers with national operations, complex infrastructure and thousands of employees.
Throughout this series for IFA Magazine, Patrick has explored how operational resilience is becoming an increasing priority for advice businesses, from governance and supplier risk to the practical realities of disruption. Yet one area still often feels distant for many firms: cyber risk.
Unfortunately, the assumption that cyber incidents are someone else’s problem is becoming increasingly difficult to justify.
The reality is that many of the cyber and operational incidents now affecting financial services firms are not sophisticated attacks carried out by elite criminal organisations. In many cases, they stem from ordinary operational weaknesses: supplier dependency, human error and growing exposure to modern technology risks.
For advice firms, the consequences can be significant. A compromised email account can interrupt client communication and expose clients to fraud. A platform outage may leave advisers unable to access records or process transactions. A ransomware incident could halt business operations entirely for days.
The issue is no longer theoretical. It is operational.
This shift explains why cyber risk is increasingly being viewed through the wider lens of operational resilience across financial services.
The Financial Conduct Authority has placed growing emphasis on firms understanding the risks that could disrupt important business services and the potential client harm that may follow. Increasingly, regulators are less concerned with whether firms simply have security systems in place and more focused on whether leadership teams genuinely understand how their business would function during disruption, particularly in the context of Consumer Duty obligations.
The FCA’s operational resilience requirements, which came fully into force in March 2025, place responsibility for documenting and testing the impact of cyber disruption firmly with firm leadership, rather than solely the IT function.
That is where many firms remain exposed.
The quiet threat of email compromise
One of the most common cyber scenarios affecting advice firms today begins surprisingly quietly.
A member of staff clicks on a convincing phishing email. Login credentials are captured. An attacker gains access to the firm’s email environment. At first, nothing appears unusual.
Then the consequences begin to emerge.
Client conversations may be monitored, communications intercepted and fraudulent payment instructions inserted into otherwise legitimate email chains. Because these messages originate from trusted accounts, clients often have little reason to question them.
What initially appears to be a simple email issue can escalate quickly into something far more serious. Firms suddenly face questions around client harm, reputational damage, communication failures and potential regulatory reporting obligations.
The hidden risk of supplier dependency
Another growing vulnerability lies in firms’ increasing reliance on third-party technology providers.
Today, most advice businesses depend heavily on external systems to deliver their client proposition. Platforms, cloud-based CRMs, outsourced IT support, document management systems and communication providers all sit beneath the surface of day-to-day operations.
Under normal circumstances, these systems work seamlessly.
But resilience is not measured during normality. It is measured during disruption.
If a core platform experiences a major outage, could advisers still access client information? Could urgent withdrawals be processed? Would vulnerable clients still receive support? If the CRM system became unavailable for several days, how much of the business could continue operating realistically?
Many firms have never fully tested these scenarios because there is an assumption that resilience sits with the provider.
But operational dependency remains the responsibility of the regulated firm, regardless of where the infrastructure sits.
This remains one of the biggest misunderstandings within the advice sector. Outsourcing technology does not outsource accountability.
Why ransomware is no longer just a corporate problem
Ransomware attacks are no longer confined to major corporations. Smaller firms are increasingly viewed as attractive targets because they often operate with fewer internal controls, lighter governance structures and less formal oversight. A single infected attachment or compromised login can spread rapidly across systems, leaving firms locked out of records, communications and operational infrastructure.
At that point, what appears to be a technical problem quickly becomes a business continuity issue.
Advice firms rely heavily on trust, responsiveness and continuity. Even relatively short periods of operational disruption can lead to significant client servicing problems and lasting reputational damage.
The resilience challenge of hybrid working
There is also a wider challenge emerging around remote and hybrid working.
Flexible working has created substantial operational benefits for many firms, but it has also expanded the potential attack surface considerably. Home networks, personal devices, unsecured Wi-Fi connections and fragmented communication channels can all increase cyber exposure.
Many businesses adopted remote working rapidly during the pandemic. Far fewer revisited the resilience implications afterwards.
As a result, some firms may now be operating with significantly greater levels of operational vulnerability than leadership teams fully recognise.
Why cyber resilience is ultimately a governance issue
Perhaps the most important point is that many cyber incidents do not begin with technology at all.
They begin with ordinary human behaviour: a rushed decision, a convincing email, a fraudulent phone call. Each can be a missed warning sign.
This is why cyber resilience can no longer sit solely within the IT department. It is fundamentally a governance issue.
Leadership teams need visibility over where operational vulnerabilities exist, how dependent the business has become on third parties, and what would realistically happen if disruption occurred tomorrow morning.
Because that is the question many firms still struggle to answer. If core systems failed tomorrow, what would happen during the first four hours?
Who contacts clients? Who makes operational decisions? How would advisers continue servicing vulnerable clients? Which services continue — and which stop?
Many firms have never properly rehearsed these scenarios. And that is where the real operational risk often sits.
Operational resilience is no longer simply about preventing attacks. It is about ensuring the business can continue functioning when disruption inevitably occurs.
Because when systems fail, suppliers go offline or communications become compromised, it is not the external technology provider that ultimately answers to clients, regulators or insurers.
It is the firm. And ultimately, its directors.
If firms want to better understand their operational resilience exposure, the free “Ask Patrick – Cyber Clinic for IFAs” provides practical guidance on cyber governance, supplier dependency and operational resilience for FCA-regulated advice firms: https://goiatechnologies.com/cyber-clinic/
About Patrick Murphy
Patrick Murphy CFP is co-founder of GOIA Technologies, which provides independent cyber governance advisory services to FCA-regulated advice firms. GOIA Technologies is not FCA-authorised and its services do not constitute regulated financial advice.