Cyber risk is no longer an IT issue to be delegated and forgotten by advice firms. It is a governance and leadership challenge that directly affects client trust, business resilience and regulatory accountability — and advisers who assume “it won’t happen to us” are taking the biggest risk of all.
In this final article in his series on operational resilience for IFA Magazine, Patrick Murphy CFP™, Chartered Financial Planner, FPFS, Chartered FCSI, not only highlights a genuine problem advisers face but also a solution: a cyber clinic which IFA Magazine readers can access with no charge and no obligation.
In February 2023, one of the UK’s largest financial planning businesses, Succession Wealth, disclosed that it had suffered a cyber attack.
The firm responded quickly. Investigations were launched, specialist advisers were engaged, the authorities were informed, and clients were reassured that they would be protected from any financial losses arising from the incident. At the time, Succession Wealth was responsible for advising around 20,000 clients and overseeing approximately £10 billion of assets under advice.
The story made headlines across the profession. For a few days, advisers talked about little else. Then, as often happens, attention moved on.
But perhaps we focused on the wrong question. The question is not whether Succession Wealth was attacked. The question is why so many advisers assumed it could never happen to them.
Over the last fifty years, I have watched our profession adapt to enormous change. We have navigated polarisation, pensions simplification, RDR, pension freedoms, Consumer Duty and the rapid rise of technology. Each time, the firms that prospered were not necessarily the largest or best funded. They were the firms that recognised a change in the environment and adapted before everybody else.
Cyber risk is one of those changes. The reason this subject matters to me is not because I work with cyber specialists today. It is because, during my career, I have seen first-hand how devastating the consequences can be when things go wrong.
Many years ago, one of my clients became the victim of a sophisticated fraud. Like many victims, they never believed it could happen to them. They were intelligent, experienced and financially successful. Yet a carefully planned attack exploited trust, created urgency and ultimately resulted in significant financial loss.
What struck me most was not the financial impact. It was the emotional impact — the sense of violation, the loss of confidence, and the lingering question of how something so unexpected could have happened.
That experience taught me an important lesson: cyber attacks are rarely technology problems. They are people problems. They exploit behaviour, trust and human psychology — the same factors financial planners deal with every day.
Yet many advice firms still view cyber security through an outdated lens. It is seen as a technical problem, an IT issue, something delegated to an outsourced provider, a necessary expense rather than a strategic risk.
The difficulty with that mindset is that cyber criminals do not see the world in the same way. They do not target servers. They target businesses. They target people. They target trust.
And trust is the single most valuable asset any advice firm possesses. As financial planners, we spend our entire careers helping clients prepare for events that may never happen. In other words, we are professional risk managers.
Yet when it comes to cyber risk, many firms still rely on hope. But hope is not a strategy.
One of the most common responses I hear from advisers is: “Our IT company deals with that.” Perhaps they do. Perhaps they do it exceptionally well. But outsourcing a function does not outsource accountability.
Many years ago, former US Secretary of Defense Donald Rumsfeld famously observed: “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”
While the quote was made in a very different context, I think that it captures perfectly the challenge many advice firms face today.
Most advice firms understand the ‘known knowns’. Many also recognise the ‘known unknowns’. The greatest danger, however, lies within the ‘unknown unknowns’.
A colleague of mine ran a small employee benefits business. One day, criminals gained access to his systems. They deployed ransomware and effectively locked him out of his own business. The message was brutally simple: pay the ransom or lose access to your data.
What followed was weeks of disruption, uncertainty and expense. Systems had to be investigated and restored. Clients had to be reassured. Normal business activity slowed while management focused on recovery. The eventual cost was substantial and entirely unbudgeted.
Like many firms, he assumed criminals would be more interested in larger organisations. The attackers, however, saw something different. They saw a business that relied on information, trust and operational continuity. In other words, they saw value.
When Succession Wealth suffered a cyber incident, it was not simply a technology event. It became a governance event, a leadership event, and a business resilience event.
That is why I believe cyber security is now less of an IT issue and more of a governance issue for advice firms.
Why we built it
After more than 50 years of personal experience working in financial services, and as a Financial Planner myself, I understand how adviser firms operate.
I understand Consumer Duty. I understand governance. I understand operational resilience. I understand what keeps principals, directors and compliance officers awake at night.
At the same time, through my work with GOIA Technologies, the picture we are seeing across the sector concerns me. Many firms have vulnerabilities they simply do not know exist. Many assume their outsourced IT provider is managing everything. Many have never had an independent review of their cyber risk exposure.
That is not a criticism. Cyber security has become highly technical, fast-moving and difficult for busy advice firms to keep up with.
The problem is that cyber criminals only need to be right once. Advice firms need to be right every day.
A different approach
The Cyber Clinic is deliberately simple. There is no obligation. There is no hard sell. There is no technical jargon.
If you have a cyber security concern, a governance question, or simply want a second opinion, you can ask.
Whether the question relates to cyber insurance, outsourced IT providers, board responsibilities, operational resilience, phishing attacks, incident response or FCA expectations, the objective is simple: to help advice firms become safer, stronger and more resilient.
If I do not know the answer myself, I can draw upon the expertise of our cyber specialists at GOIA Technologies.
A simple self-assessment
Before reading any further, I’d suggest that you ask yourself the following five questions:
Does your board regularly discuss cyber risk?
Have your cyber controls been independently assessed within the last 12 months?
Do you know exactly what your IT provider is responsible for and what remains your responsibility?
Have you tested your incident response process?
Could your business continue operating if a major cyber incident occurred tomorrow?
If you cannot confidently answer yes to all five, there may be areas worth reviewing.
A free resource for IFA Magazine readers
To support readers of IFA Magazine, we have created a dedicated Cyber Clinic.
You can submit questions, request guidance or simply ask for an independent view. There is no charge and no obligation.
Sometimes a simple conversation can identify risks that might otherwise go unnoticed.
Ask Patrick – Cyber Clinic for IFAs: https://goiatechnologies.com/ask-patrick.html
Helping adviser firms understand cyber risk before cyber risk becomes a problem.
“Patrick Murphy CFP is co-founder of GOIA Technologies, which provides independent cyber governance advisory to FCA-regulated advice firms. GOIA Technologies is not FCA-authorised and its services do not constitute regulated financial advice.”
Final thoughts
Throughout this series, we have explored how cyber risk is becoming a governance issue for adviser firms.
The key message is straightforward: cyber security is not about technology. It is about protecting your clients, your reputation, your business and your future.
As advisers, we spend our careers helping clients prepare for risks that may never happen. Cyber security deserves exactly the same mindset.
If you have a question, ask it. If you have a concern, raise it. If you would simply like an independent view, the Cyber Clinic is here to help.
Because when it comes to cyber risk, the most expensive question is often the one that never gets asked.