Cybersecurity for IFAs and Wealth Managers: A Practical Guide for Small Teams

What the FCA Expects from an IFA or Small Wealth Manager

The FCA applies a proportionality standard but does not exempt small firms. The baseline that any FCA supervisor expects to see at an IFA or small wealth manager:

• A written information security policy — a simple document, approved by the principal, reviewed annually
• MFA on all email accounts, client portals, and any cloud applications — this is non-negotiable and FCA supervisors will check
• Staff training — documented, dated, at induction and annually. Does not need to be expensive; needs to be done and evidenced
• A basic incident response plan — what to do, who to call, who to notify if there is a cyber incident
• Backups — tested, offsite, not stored only on the device that might be encrypted by ransomware
• Third-party due diligence — a record of the security assessment conducted when selecting your portfolio management platform, financial planning tool, and CRM
• A designated Senior Manager with documented accountability for cybersecurity — under SMCR, this responsibility must be explicitly allocated

The Three Threats Most Likely to Hit Your Firm

For an IFA or wealth manager, the realistic threat landscape is narrower than for a large bank — but the consequences of an incident are proportionally larger relative to firm size:

• Phishing and business email compromise: The most common attack. An adviser's email account is compromised; client payment instructions are intercepted and redirected. One incident can cost a client their life savings and cost the firm its regulatory authorisation
• Ransomware via phishing or unpatched software: Systems encrypted, client records inaccessible. For a small firm without robust backups, recovery is measured in weeks and costs in tens of thousands
• Data theft by departing staff: Client lists, financial plans, and contact data downloaded before leaving. In a small firm where one adviser holds all client relationships, this is an existential threat

The Practical Stack for an IFA or Wealth Manager

The right technology stack for a firm of 1–20 people, prioritised by regulatory and risk impact:

• Coro: Email security, endpoint protection, MFA management, and user behaviour monitoring — all from one platform. Specifically designed for small teams without in-house IT. Deploys in hours; managed centrally
• Cyber Essentials Plus: Certification that satisfies insurer requirements and demonstrates FCA baseline compliance. Target this in Month 1 alongside Coro deployment
• Hadrian (optional for smaller firms): Attack surface discovery — particularly valuable if the firm has a client portal or any externally accessible web application
• Collective IP: Managed security monitoring for firms that need expert oversight without an in-house team. Particularly valuable at firms where the principal cannot be expected to monitor security alerts personally

SMCR Accountability: What the Principal Must Document

Under SMCR, the firm's principal (or designated Senior Manager for cybersecurity) must be able to demonstrate they took reasonable steps to manage cyber risk. Reasonable steps at IFA scale means: evidence you reviewed security reports (even if from Coro's monthly summary); evidence you allocated responsibility and it was acted on; evidence you approved the firm's security policy; and evidence you were informed about any security incidents and authorised the response. None of this requires a CISO. It requires documentation of decisions that responsible leaders should be making anyway.

Frequently Asked Questions