Analysis | Patrick Murphy explains how and why cyber risk is becoming an important governance issue for IFAs

In this highly thought-provoking article, Patrick Murphy argues that cyber attacks are no longer simply an IT problem for advice firms but a core governance risk that firms’ leaders must actively oversee. Drawing on more than five decades in financial services, he explains why cyber resilience is rapidly becoming a regulatory, operational and consumer duty issue for IFAs, and what firms should be asking themselves now.

Picture this. It’s 8:00am on a Friday morning. You arrive at the office. Most of your team are working from home today. That has become the norm since Covid, but as the principal of the firm you still like to come in.

You switch on your laptop. Something is wrong.

  • Your client database won’t open.
  • The back-office system refuses to load.
  • Emails have stopped working.

Then the message appears. Your systems have been locked. Payment is required to restore access.

It’s now 8:30am. You try to contact your IT provider, but their help desk does not open until 9:00am. When you eventually reach them, they explain they are investigating but cannot yet tell you when systems will be restored.

Meanwhile, the day begins to unravel.

Advisers cannot access client records.
Staff cannot process transactions.
The phones start ringing.

Then the inevitable call arrives — the difficult client. The one where something always seems to go wrong. He wants an urgent withdrawal from his pension. Unfortunately, you cannot access the system to process it. He is not impressed. And just like that, your firm has effectively stopped operating.

For many financial advice firms, a situation like this would bring the business to a halt. Cyber attacks are no longer rare events affecting only global corporations. Increasingly, they represent one of the most serious operational risks facing professional firms.

Yet many advisers still see cyber security as an IT issue. In reality, it has become something far more important. It is now a leadership and governance responsibility.

Advice firms hold vast quantities of highly sensitive client information: identity data, pension records, investment portfolios, bank details, and often copies of passports or driving licences. From a cyber criminal’s perspective, that information is extremely valuable.

Which is precisely why financial advice firms have become increasingly attractive targets.

Why I Became Interested in Cyber Risk

After more than five decades working in financial services, I have witnessed how profoundly the industry has changed.

Regulation has expanded.
Client expectations have increased.
Technology has become central to almost every part of the advice process.

At the same time, the systems supporting advice firms have become increasingly complex and interconnected.

Over the years I have seen the consequences of phishing attacks, compromised systems and operational disruption. I have also seen how regulatory responsibility continues to expand for advice firms.

That growing gap between technology risk and leadership oversight was one of the reasons Gerard Ouattara, an experienced cyber security specialist, and I decided to establish GOIA Technologies.

Our aim was simple. To create the first cyber security advisory firm focused exclusively on the needs of UK financial advisers.

A Wake-Up Call for the Profession

The advice sector has already experienced how serious cyber incidents can be.

In February 2023, Succession Wealth confirmed it had suffered a cyber attack and launched an investigation, notifying the relevant authorities. Citywire later reported that the incident resulted in £792,000 in cyber-related costs, including investigation, recovery and related expenses.

Large firms may be able to absorb shocks of that scale. For smaller advice businesses, however, the financial and operational consequences of a major cyber incident could be far more damaging. The key lesson is straightforward. Cyber attacks are no longer theoretical risks. They are already happening within our profession.

Why This Is Now a Governance Issue

Another major shift is the regulator’s increasing focus on operational resilience.

The Financial Conduct Authority expects firms to understand the risks that could disrupt their most important business services and to demonstrate how they would respond.

Cyber incidents are now widely recognised as one of the most significant threats to operational resilience.

Under the FCA framework, firms are expected to:

  • identify their important business services
  • understand technology dependencies
  • assess potential disruption scenarios
  • demonstrate the ability to recover from incidents

For many IFAs this creates a practical challenge. Most firms quite sensibly outsource their IT infrastructure to specialist providers. But outsourcing technology does not outsource responsibility.

Ultimately, accountability remains with the firm’s leadership.

Consumer Duty Raises the Stakes

Cyber resilience also intersects directly with the FCA’s Consumer Duty.

If a cyber incident leads to client data breaches, service disruption or financial harm, firms may be expected to demonstrate that they took reasonable steps to prevent those outcomes. Viewed through that lens, cyber resilience is not simply about protecting systems. It is about protecting client outcomes.

The Visibility Gap

When speaking with advisers across the UK, I frequently hear reassuring statements such as:

“We have an IT provider who looks after that.”

“We use Microsoft cloud systems.”

“We have antivirus installed.”

These are all sensible safeguards.

But they do not necessarily answer the key governance question:

Does the board truly understand the firm’s cyber risk exposure?

In many cases, the honest answer to this is no. Many firms have never had an independent view of:

  • their cyber vulnerabilities
  • their operational dependencies
  • their resilience in the event of a serious attack

Cyber Risk Self-Check for IFAs

There are five simple questions every advice firm should be able to answer:

☐ Has your board or senior management formally reviewed cyber risk within the past 12 months?
☐ Do you know what would happen if your back-office system became unavailable tomorrow?
☐ Could your firm continue operating if systems were locked by ransomware?
☐ Do staff receive regular training on phishing and cyber threats?
☐ Has your firm ever had an independent cyber risk assessment rather than relying solely on its IT provider?

If the answer to any of these questions is “No” or “Not sure”, it may indicate that cyber risk has not yet received the governance attention it requires.

From IT Support to Governance Oversight

Managed IT providers play a vital role in maintaining the systems advice firms depend upon.

However, their focus is typically operational — maintaining infrastructure, updating software and resolving technical issues. They are not responsible for giving firm leaders an independent view of cyber exposure or regulatory resilience. That governance gap is where independent oversight becomes important.

GOIA Technologies works with regulated firms to help leadership teams gain a clear understanding of their cyber risk exposure and operational resilience.

One of the first steps many firms take is an Executive Cyber Risk & Resilience Review, which provides senior management with an independent assessment of:

  • the firm’s cyber risk exposure
  • operational resilience vulnerabilities
  • governance oversight gaps
  • practical steps to strengthen resilience

The goal is simple: to give firm leaders clarity about their cyber position and the actions needed to strengthen it.

The Direction of Travel

The direction of travel is clear. Cyber risk is becoming an integral part of governance, risk management and regulatory oversight across financial services.

For advice firms, addressing this proactively is not simply about protecting systems. It is about protecting clients, safeguarding reputations and ensuring the long-term resilience of the business.

Ask Patrick – Cyber Clinic for IFAs

Many advisers recognise the issue but are unsure where to begin.

To help address this, GOIA is developing the “Ask Patrick” Cyber Clinic, an AI-supported knowledge resource designed to help advisers understand cyber risk, FCA expectations and operational resilience issues affecting advice firms.

Firms seeking a clearer understanding of their own exposure can also request an Executive Cyber Risk & Resilience Review, which provides senior management with an independent assessment of their cyber resilience and governance readiness.

Board-ready outputs include:

  • Independent cyber risk assessment
  • Executive briefing session
  • Prioritised risk register
  • Written board-level summary
  • Structured 90-day stabilisation roadmap

The focus is on delivering insight for decision-makers, not technical reports for IT specialists.

Cyber security is no longer simply an IT issue for financial advice firms. It has become a leadership responsibility.

Patrick Murphy is the Co-founder of GOIA Technologies. GOIA provides cyber risk clarity for UK Financial Advice firms and their boards.
