The odds of a person eventually suffering a cyberattack are "pretty much 100% at this point," according to Bill Slattery, a former FBI special agent in the cyber division who now investigates cybercrime for Facebook.
Slattery spoke on an information security panel at the eMoney Advisor Summit Sept. 22, along with Michael Rappe of TD Ameritrade's Fraud Group and Bill French from the Fidelity Customer Protection and Financial Intelligence Group.
Among the biggest cyber risks financial firms face are email communications with clients that aren't actually from clients, Rappe said.
Recommended For You
"The days of [making] financial transfers out of client accounts by email just need to end," he said.
Fraudulent requests used to be easy to spot, but hackers have learned how to do "like title" requests, or ask for ACH transfers instead of wires, Rappe warned.
Attackers are going after email for good reason, French said: Those accounts have "a tremendous amount of information" regarding finances, as well as personal information like electronic documents and communications with friends and family that allow hackers to create social engineering hacks.
Even a birthday greeting can be useful to a hacker, Slattery added, because that information is frequently used to verify accounts.
"People often don't realize there are lots and lots of little pieces of information about each and every one of us out there on the internet that can be put together like a puzzle that can be used to exploit you," he said. "Simple things that look harmless by themselves, when put together en masse can be very harmful."
An attractive enough target – like a HNW client – will keep hackers' attention until they get what they want, Slattery said.
Rappe recommended using very granular access controls to give employees access to only the information they need to do their jobs.
He urged firms to develop an incident response plan and to test it at least annually, but ideally semi-annually. It should include guidance on individuals' roles and responsibilities, a log book of actions taken, a step-by-step action guide based on what kind of attack it is, and a communication plan to implement with clients.
Slattery added that firms should identify outside providers who need to be contacted in the event of an attack and the role they'll play. Law enforcement, for example, might investigate and arrest a hacker, but they won't be involved in the firm's response.
Rappe stressed employee education needs to be consistent and regular.
Third- and even fourth-party vendor management is important because, as Rappe said, the result of a hack is the same regardless of where it happens: Loss of reputation and financial risk.
Originally published in ThinkAdvisor. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
