Financial Advisers Acknowledge Cybersecurity Threats, but Many Lack Understanding to Neutralize Threats Facing the Industry

New Research from the Financial Planning Association, TD Ameritrade Institutional Highlights Need for Cybersecurity Education and Action Among Adviser Community


BALTIMORE, MD (September 16, 2016)— An overwhelming majority of financial advisers (81 percent) identify cybersecurity as a high priority, and yet many lack a clear understanding of the risks or a path forward to neutralize this critical issue, according to new data from the Financial Planning Association's FPA Research and Practice Institute™, sponsored by TD Ameritrade Institutional.


Despite the fact that seven in 10 advisers say their clients are at least somewhat aware of the risks associated with data security, the Is Your Data Safe? The 2016 Financial Adviser Cybersecurity Assessment reveals that less than half (44 percent) of advisers completely agree that they fully understand the issues and risks associated with cybersecurity. Furthermore, only 29 percent of advisers completely agree with the statement that they are "fully prepared to manage and mitigate the risks associated with cybersecurity."


"Cybersecurity is an issue that advisory firms are grappling with regardless of their size, and advisers have no margin for error when it comes to properly protecting their clients' personal information," said Dan Skiles, president of Shareholders Service Group and a member of the Financial Planning Association Board of Directors. "It's clear from the research that advisers are aware of the risk associated with cybersecurity threats, but they're not fully confident in their ability to handle the challenges presented or even on how their firms should navigate a path forward."


The research shows that advisers are also less confident in their overall teams' readiness to handle the cybersecurity issues facing the industry. Only 36 percent completely agree with the statement that their teams "fully understand the issues and risks," while 26 percent completely agree their teams feel confident in the ability to manage and mitigate cybersecurity risks.


"The reality is cyber fraud is pervasive and advisers cannot eliminate the threat, but they can reduce their risk. The more that advisers make themselves familiar with safeguarding systems, adopt best practices and create a detailed security plan, the more they can protect their firms and clients," said Bryan Baas, TD Ameritrade Institutional's director of risk oversight and control.

The Financial Planning Association® (FPA®), with the support of TD Ameritrade Institutional, will provide advisers with much-needed, actionable ideas they can implement to address cybersecurity threats through a series of whitepapers that will look at how advisers communicate with clients regarding cybersecurity, how they train their teams on issues related to cybersecurity, and what tools and technology advisers use to protect their businesses.


The research explores how advisers and their firms are viewing the cybersecurity threat to the industry and how advisers are developing and implementing policies and procedures to guard against cybersecurity incidents. Additional key findings from the survey are below.


Policies and Procedures Currently in Place


The research found firms are more likely to have documented policies and procedures in place around governance and risk assessment (57 percent of those surveyed), access rights and controls (59 percent) and data loss prevention (58 percent) than policies and procedures governing training (51 percent), vendor management, and incident response (43 percent for each).


Additionally, of those advisers who have already implemented policies and procedures to prevent cybersecurity attacks, access rights and controls (9 percent of respondents) and incident response (11 percent) were the two areas that were seen as the least challenging elements of creating and implementing a cybersecurity plan.


Only one-quarter (26 percent) of advisers completely agree they're aware of all requirements from the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) guidelines. Furthermore, just 17 percent of respondents completely agree their teams are aware of all requirements, and just 18 percent are very confident they would pass an OCIE cybersecurity examination if one were administered today.


Half (49 percent) of advisers say they spent less than $10,000 over the past 12 months on external assistance to define and implement policies and procedures, and another 23 percent spent nothing on external assistance over the past year. Furthermore, two-thirds of advisers (65 percent) spent less than $5,000 in the past year or spent nothing at all on internal resources to define and implement cybersecurity policies and procedures.


"While advisers and their firms rightly see cybersecurity as a major threat to the industry, the response efforts are equivalent to a sprinter who just popped out of the blocks—they know what the end-goal is and where they're going, but they're just getting started and may encounter a number of hurdles along the way," said FPA's Skiles.


Filling the Gaps on Cybersecurity in the Future


The research showed that certain areas of focus appear to be more pressing among those advisers whose firms do not currently have policies and procedures in place. Developing and implementing policies and procedures around data loss prevention was clearly an area of importance for advisers, as 82 percent say this is something they're actively working on or plan to address. Governance and risk assessment, and incident response were also areas of importance for advisers, with 76 percent and 75 percent, respectively, of advisers saying they're actively working on or plan to address gaps in policies and procedures related to these areas.


Conversely, policies and procedures focused on vendor management appear to fall much further down the list of priorities for advisers. Forty percent say there are no plans to design policies and procedures around vendor management, while nearly as many advisers (39 percent) don't plan to address gaps in access rights and controls. Policies and procedures around employee training fell nearly in the middle, with 30 percent of advisers not planning to address gaps while another 20 percent are actively developing the lacking policies and procedures.


"We can't stress enough that safeguarding your firm's cybersecurity could be the most important business decision you make," said TD Ameritrade's Baas. "Advisers should approach cybersecurity the same way they approach their client investment portfolios: you take time to understand client needs, you develop and implement a plan, and then you continually monitor, review and modify that plan based on changing priorities, environmental factors and preferences."


Survey Methodology


1,015 financial adviser respondents from across the country, including FPA members and non-members as well as TD Ameritrade Institutional client advisers, responded to an online survey conducted in June – July 2016 by Julie Littlechild of with the majority of respondents identifying themselves as RIAs. The study's overall margin of error is +/- 3.07 percent. Respondents included those who had overall responsibility for policies and procedures, those who had executional responsibility, and those who had both. In-depth questions relating to the specifics of what is being done were asked of the 55 percent of advisers who had a role in execution.


# # #


About the Financial Planning Association

The Financial Planning Association® (FPA®) is the principal professional organization for CERTIFIED FINANCIAL PLANNER™ (CFP®) professionals, educators, financial services professionals and students who seek advancement in a growing, dynamic profession. Through a collaborative effort to provide more than 24,000 members with One Connection™ to tools and resources for professional education, business success, advocacy and community, FPA is the indispensable force in the advancement of today's CFP® professional. Learn more about FPA at and follow on Twitter at


About TD Ameritrade Institutional

TD Ameritrade Institutional is a leading provider of comprehensive brokerage and custody services to more than 5,000 fee-based, independent registered investment advisors and their clients. Our advanced technology platform, coupled with personal support from our dedicated service teams, allows investment advisors to run their practices more efficiently and effectively while optimizing time with clients. TD Ameritrade Institutional is a division of TD Ameritrade, Inc., a brokerage subsidiary of TD Ameritrade Holding Corporation. (NASDAQ: AMTD) Brokerage services provided by TD Ameritrade, Inc., member FINRA / SIPC