
Cybersecurity for IFAs: Small Firm Challenges, FCA PROD Rules, and Pension Transfer Fraud

Independent financial advisers occupy a difficult position in the cybersecurity landscape: they are subject to the same FCA regulatory obligations as larger wealth managers and banks — SYSC 13, PS21/3 operational resilience, SMCR accountability — but typically have no dedicated IT resource, no security team, and a fraction of the budget available to larger regulated firms. Meanwhile, they hold client data that includes pension values, investment portfolios, and financial circumstances; they conduct pension transfer business that is a prime target for fraud; and they maintain relationships with clients who represent premium social engineering targets. FCA thematic reviews of the advice sector have consistently found widespread cybersecurity gaps.

FCA thematic reviews have found that the majority of small IFA firms lack documented cybersecurity policies, tested incident response plans, and adequate MFA — despite SMCR holding principals personally accountable.

What FCA Rules Apply to IFAs — Regardless of Firm Size

IFAs are FCA-regulated firms subject to the full scope of FCA systems and controls requirements:

  • SYSC 13.7: Firms must take reasonable care to establish and maintain effective systems and controls for countering financial crime, which the FCA interprets to include cyber-enabled fraud such as email account compromise and payment diversion
  • SYSC 6.1.1: Systems and controls must be appropriate to the nature, scale, and complexity of the business. For an IFA that means controls proportionate to the data held and the services provided; small scale justifies simpler controls, not the absence of controls
  • PS21/3 Operational Resilience: The formal requirements apply to enhanced-scope SMCR firms and the other categories named in the policy statement, so most small IFAs sit outside its direct scope. The discipline it describes, identifying the business services clients depend on (typically advice delivery and client communication) and deciding how long an outage of each could be tolerated, is still the proportionate way to meet SYSC's business continuity requirements
  • SMCR: The firm's principal or the Senior Manager designated for the function is personally accountable for the adequacy of cybersecurity controls, and can face enforcement action in their own name in addition to any fine on the firm
  • UK GDPR: Client data such as financial circumstances, family details, and health information relevant to protection advice (special category data under Article 9) requires appropriate technical and organisational security measures (Article 32), and a breach must be reported to the ICO within 72 hours of the firm becoming aware of it unless it is unlikely to result in a risk to individuals (Article 33)

FCA PROD Rules and Client Data Protection

The FCA's Product Intervention and Product Governance sourcebook (PROD) requires IFAs, as distributors, to maintain records of their target market assessments and distribution arrangements. From a cybersecurity perspective, these are additional regulated records whose confidentiality, integrity, and availability the firm must protect:

  • Target market records: PROD requires documented target market criteria; together with the suitability assessments required under COBS 9, these records contain sensitive financial and personal information that must be protected against unauthorised access
  • Suitability reports: Suitability reports are legally significant documents, and their integrity and availability must be maintained. Ransomware that encrypts them, or an intruder who alters them, creates both regulatory and legal exposure, so they need a backup copy that the same attacker cannot also encrypt or delete
  • Product governance oversight: IFAs must keep records demonstrating how they meet their product governance obligations; these must be protected against unauthorised access and preserved against loss
  • Retention requirements: FCA retention requirements for advice records, typically 5 years, and indefinitely for pension transfers and opt-outs, mean secure long-term storage with access controls that still work after staff leave and systems are replaced

Pension Transfer Fraud: The Highest-Stakes Attack Vector

Defined benefit pension transfer business carries the highest individual transaction values in the advice sector — and is consequently a prime target for fraud:

  • Pension liberation fraud: Scammers target clients who have recently received pension transfer advice, impersonating the adviser to instruct fund movements or to steer the transferred funds into fraudulent schemes
  • Email compromise enabling pension fraud: A compromised adviser mailbox lets attackers read the pension transfer thread, impersonate the adviser to the client, or impersonate the client to the pension provider. Attackers commonly add mailbox rules that forward or hide the relevant messages, so checking for unexpected rules and forwarding addresses is part of any compromise response
  • Social engineering targeting retirees: IFA clients undertaking pension transfers are often approaching retirement, a demographic that social engineers disproportionately target
  • Financial promotion rules: The FCA's financial promotion rules for high-risk investments directly implicate cybersecurity, because fraudulent use of an adviser's name, FCA reference number, or email domain to promote a scheme creates regulatory and reputational exposure for the firm
  • Verification procedures: Pension providers increasingly require out-of-band verification of transfer instructions. IFAs must have their own verification procedure that works even if the firm's email is compromised: confirm any instruction to move funds or change bank details by calling the client on a number already held on file, never on one supplied in the email that carries the instruction

The Practical Security Programme for a Small IFA

The realistic security programme for an IFA of 1–10 people, in implementation order:

  • Week 1: Enable MFA on all accounts: Microsoft 365/Google Workspace, back-office system, client portal. Credential theft against email is the most common entry point for the fraud described above. Prefer an authenticator app or security key over SMS codes, and disable legacy authentication protocols (IMAP, POP, and SMTP basic authentication) that bypass MFA entirely
  • Month 1: Deploy Coro — email security, endpoint protection, and MFA management from one platform designed for small teams without IT support
  • Month 1: Achieve Cyber Essentials certification — demonstrates baseline compliance to FCA, insurers, and institutional clients. Kyanite Blue manages the certification process
  • Month 2: Document your information security policy — one to two pages approved by the principal; updated annually. This is the first document any FCA supervisor will request
  • Month 2: Write your incident response plan — who to call, what to do, who to notify. Kyanite Blue provides a template
  • Ongoing: Monthly Coro security reports reviewed and signed off by the SMCR-designated Senior Manager — documented evidence of oversight

Frequently Asked Questions

I am a sole-trader IFA — do I really need a formal cybersecurity programme?

Yes. The FCA's SMCR applies to sole-trader IFAs — you are both the firm and the Senior Manager personally accountable for cybersecurity controls. A sole-trader IFA holds client financial data, conducts business by email, and may handle pension transfers. You need: MFA on email, endpoint protection on your laptop, a basic written security policy, and a record of what you do when something goes wrong. This is achievable in a day, maintainable in an hour a month, and costs less than your professional indemnity insurance.

What is the minimum the FCA would expect from a 3-person IFA firm?

Based on FCA thematic review findings and SYSC expectations, the minimum for a 3-person IFA: a documented information security policy (reviewed annually); MFA on all email, back-office, and client portal accounts; annual staff training (documented); a written incident response plan; offsite backups of client records that an attacker holding the firm's credentials cannot delete, with a restore tested at least annually; and a designated Senior Manager with documented accountability for cybersecurity. Cyber Essentials certification is strongly recommended; it demonstrates the technical baseline (firewalls, secure configuration, user access control, malware protection, and security update management) to the FCA, insurers, and clients.

If a client falls victim to pension fraud after fraudsters impersonate our firm, are we liable?

Your liability depends on whether fraudsters were able to impersonate your firm because of inadequate controls: for example, your domain had no enforcing DMARC policy, so attackers could send mail appearing to come from it; or your mailbox was compromised because MFA was absent. If you had taken reasonable steps (SPF, DKIM, and DMARC with p=reject; MFA on every account; a documented out-of-band verification procedure) you are in a stronger position to demonstrate that you are a victim rather than a contributor. Note what DMARC does not do: it does not stop mail from a lookalike domain, and it does not stop mail sent from your own compromised account, which is why MFA and the verification procedure matter as much as the DNS records. The FCA expects you to have controls that make impersonation harder; if you do not, your regulatory exposure increases.
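The difference between a monitoring-only DMARC record and an enforcing one, and the SPF mistakes that undermine it, can be checked from the published DNS TXT records. The following is an added example written for this page; it is not code from the original page, from Kyanite Blue or from Coro. It evaluates the raw record strings so it runs offline (in practice you would paste in the output of `dig +short TXT _dmarc.<domain>` and `dig +short TXT <domain>`); the domain example-ifa.co.uk, the two record sets, and the function names are constructed for illustration.

```python
"""Evaluate published DMARC and SPF records for an adviser's sending domain.

Added example, not code from the original page, from Kyanite Blue or from Coro.
Records are passed in as strings; fetching them from DNS is left to the caller.
"""
from __future__ import annotations


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' style DMARC record into a lowercase-keyed dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str | None) -> list[str]:
    """Return findings; an empty list means direct spoofing of the domain is rejected."""
    if record is None:
        return ["no DMARC record published: receivers accept mail claiming to be from this domain"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["malformed record: first tag must be v=DMARC1, receivers ignore it"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered, DMARC only reports it")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk rather than being rejected")
    elif policy != "reject":
        findings.append(f"p={policy or '<missing>'}: invalid policy, record is treated as absent")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct is not a number: receivers fall back to 100, but fix the record")
    if pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: mail spoofing subdomains of the firm is not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts go nowhere")
    return findings


def evaluate_spf(record: str | None) -> list[str]:
    """Return findings; checks the 'all' qualifier and the RFC 7208 ten-lookup limit."""
    if record is None:
        return ["no SPF record: DMARC cannot pass on SPF alignment, DKIM must carry it alone"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["malformed record: must start with v=spf1"]
    findings: list[str] = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: unlisted senders are neutral, SPF adds nothing")
        elif qualifier == "~":
            findings.append("~all: softfail; rely on DMARC p=reject to actually reject, or use -all")
    # Mechanisms that cost a DNS lookup; more than ten makes receivers return permerror.
    lookups = 0
    for term in terms[1:]:
        bare = term.lstrip("+-~?").lower()
        if bare in ("a", "mx", "ptr") or bare.startswith(
            ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect=")
        ):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the limit of 10, receivers return permerror")
    return findings


# Constructed records for a hypothetical firm domain; not real DNS data.
WEAK = {
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-ifa.co.uk",
    "spf": "v=spf1 a mx include:spf.protection.outlook.com +all",
}
HARDENED = {
    "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-ifa.co.uk",
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
}


def check_domain(records: dict[str, str | None]) -> dict[str, list[str]]:
    """Evaluate both records; no findings means the domain name itself resists direct spoofing."""
    return {
        "dmarc": evaluate_dmarc(records.get("dmarc")),
        "spf": evaluate_spf(records.get("spf")),
    }


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_domain(recs))
```

The weak set is the common state of a small firm that set up DMARC once and never moved past monitoring: p=none reports spoofing but rejects nothing, and +all lets any host pass SPF. The hardened set is what the liability answer above calls reasonable steps for the domain itself; it says nothing about lookalike domains or a compromised mailbox, which only MFA and the out-of-band callback address.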

Build a proportionate cybersecurity programme for your IFA firm


Get in touch

