Wealthtender is a trusted, independent financial directory and educational resource governed by our strict Editorial Policy, Integrity Standards, and Terms of Use. While we receive compensation from featured professionals (a natural conflict of interest), we always operate with integrity and transparency to earn your trust. Wealthtender is not a client of these providers.
Financial services firms have become increasingly attractive targets for cybercriminals with data breaches, ransomware, and other cyber-enabled fraud costing the industry billions of dollars. Protecting your firm and client data is not just an IT problem but also a business continuity, regulatory, and reputational risk. A full awareness of the nature and extent of cybersecurity threats and the need to execute a proactive, firm-wide strategy is essential in defending against the ever-evolving cyber threat landscape.
To support their asset management clients, Ultimus Fund Solutions hosted a webinar series that tackled the latest cybersecurity challenges confronting the financial sector – “The New Cyber Threats Targeting Financial Firms” and “Cyber Hygiene: Daily Habits that Prevent Breaches”, which I helped facilitate.
Through these webinars, Ultimus brought together a panel of cybersecurity experts: Shawn Waldman, CEO of Secure Cyber; Ron Sharon, Chief Information Security Officer, PTMA Financial Solutions; and Melvin Van Cleave, SVP of Technology at Ultimus Fund Solutions. The sessions were packed with practical advice for investment professionals and back-office staff that requires simple, repeatable practices in everyday routines and the concept of “cyber hygiene”. This article will recap the essential insights and actionable steps you can take to strengthen your cybersecurity defenses.
The Business Case for Strong Cyber Hygiene
The numbers speak for themselves as to why developing a firm-wide cyber defense strategy and practicing cyber hygiene should be given the highest strategic importance for every firm. Facts referenced from Verizon Data Breach Investigations Report (Verizon 2025 DBIR) and the FBI’s Internet Crime Complaint Center (IC3) :
- Cybercrime costs exceeded $16 billion globally in 2024. (IC3)
- $13.7 billion in losses were reported from cyber-enabled fraud in 2024. (IC3)
- Third-party breaches have doubled between 2024 and 2025. (IC3)
- Ransomware involved in 44% of data breaches. (Verizon 2025 DBIR)
- Average breach cost in the US: $10.2 million. (IBM CDBR 2025)
As panelists pointed out, the current average breach cost in the US is $10.2 million. This figure does not even account for the damage to a firm’s reputation, continuity, or the regulatory headaches that follow. This all makes proactive investment in cyber controls far less expensive than remediation.
Sean Waldman, CEO of Secure Cyber, put it plainly: the biggest business case for strong cyber hygiene is “to stay off the radar and avoid looking bad to clients. In an industry built on trust, a security incident can be an existential threat.”
How Cyber Threats Are Evolving
Attackers have evolved to use advanced methods such as SIM swapping to bypass multi-factor authentication (MFA) delivered via SMS. Authenticator apps are recommended over SMS for MFA. The rise of AI-driven threats (e.g., deepfakes, voice mimicking) also complicates detection and increases the need for user training.
Breaches increasingly occur through compromised third-party vendors. Attackers may manipulate invoices or communications to redirect payments or gain access to sensitive data. These supply chain and third-party risks have been rising to the point that regulatory bodies, like the SEC, are increasingly focusing on third-party risk management.
An important point made was that cyber attackers target organizations of all sizes, including firms with as few as two employees. Smaller firms are often more vulnerable due to limited resources and less robust defenses. Smaller financial firms assume a false confidence that they are too small for any attacker to care about them, assuming cyber criminals are only targeting larger, high-revenue firms.
Human Error: Strengthening the Weakest Link
According to the Verizon 2025 Data Breach Investigations Report, a staggering 68% of breaches involve a human element. This means that a simple mistake, like clicking a bad link, can have devastating consequences. Social engineering remains the most prevalent threat, including phishing emails and fraudulent requests that trick employees into transferring funds or revealing sensitive information. This makes security a firm-wide shared responsibility.
Recommendations Offered:
Layered Security Approach – Move beyond basic firewalls; implement multi-layered defenses including endpoint detection and response (EDR), email filtering, and continuous monitoring. Regularly update and patch all systems, including firewalls, servers, and IoT devices.
User Training and Awareness – Invest in ongoing user training to recognize phishing, social engineering, and emerging threats like deepfakes. Promote a culture of zero trust: always verify, never assume, especially for unsolicited communications.
Multi-Factor Authentication (MFA) – Use authenticator apps rather than SMS for MFA to mitigate SIM swapping risks. Enforce MFA across all accounts, both business and personal. This creates a critical layer of security by requiring a second verification step for all internet accounts.
Password Management – Adopt password managers instead of browser-based ones to create and store strong, unique passwords and prevent reuse and weak passwords. Recommended solutions include Keeper, 1Password, and Roboform.
Third-Party and Vendor Due Diligence – Conduct thorough vetting and ongoing monitoring of third-party vendors. Use tools like Security Scorecard to assess external-facing assets.
Incident Reporting and Compliance – Stay informed about regulatory requirements (e.g., SEC, CISA laws) and ensure mandatory incident reporting where applicable.
Secure Communication and Data Sharing – Use encrypted email gateways and secure portals (e.g., Sharefile) for transmitting sensitive information.
Personal Cyber Hygiene – Encourage employees to apply cyber hygiene practices at home, as remote work blurs the line between personal and business risk.
Master Your Inbox with the “Hover Test” – Before clicking links, hover over them to check the destination URL. If suspicious, do not click.
Endpoint Protection for Remote Work – Implement Endpoint Detection and Response (EDR) solutions and encrypt devices, especially for remote employees.
Stay Ahead with Threat Intelligence – Utilize free resources like the Known Exploited Vulnerability (KEV) Catalog (maintained by the federal government for tracking critical vulnerabilities), Security Scorecard, and reputable news sources (KrebsOnSecurity.com, or BleepingComputer.com) to stay informed about evolving threats.
Bottomline Cybersecurity Priorities
Both webinars emphasized that cybersecurity is not just a technical issue, but a business necessity. The most effective defense strategy combines technology, training, and vigilance across both organizational and personal domains. The cyber threat landscape is evolving rapidly, and organizations must adapt by fostering a culture of security, exercising daily cyber hygiene, investing in layered defenses, and staying informed about the latest risks and solutions. Building a secure digital environment is an ongoing journey.
This article was originally published here and is republished on Wealthtender with permission.
About the Author
Bill Hortz
Founder Institute for Innovation Development
Wealthtender is a trusted, independent financial directory and educational resource governed by our strict Editorial Policy, Integrity Standards, and Terms of Use. While we receive compensation from featured professionals (a natural conflict of interest), we always operate with integrity and transparency to earn your trust. Wealthtender is not a client of these providers.