Think Your Firm Is Secure? The Top Cybersecurity Threats Every Asset Manager Must Confront Now

Website security is an urgent priority for asset managers. Cyberattacks on personal financial data cost managers more than $10 trillion this year, with no end in sight. This article provides practical steps to protect your firm and clients from emerging security threats.

Why Website Security is Essential

Clients want to know that their personal financial data is safe and that you take it seriously. They will not think kindly of you if you subject them to potential identity theft or asset loss.

Types of cyberattacks

Cybercriminals use several tactics to target and steal from financial services websites.

Phishing. Prime among them are phishing attacks, often powered by AI, which aim to trick employees and clients into sharing sensitive information.

Brute force attacks. In a brute force attack, cybercriminals try to break into websites and systems by systematically guessing usernames, passwords, and other credentials until one works.

Credential stuffing. Another hacker tactic is credential stuffing, where the bad guys use stolen usernames and passwords from previous security breaches. Credential stuffing is often considered a subset of brute force attacks. Despite a success rate of historically less than one percent for cybercriminals, financial services firms lost approximately $3.4 billion to credential stuffing in 2020 alone.

Ransomware. Ransomware, malware that locks you and your clients out of your website and data, has become common in the U.S. financial services sector. In 2024, 65 percent of financial services firms reported ransomware attacks. Only 46 percent of firms successfully stopped the cybercriminals from breaching their systems.

The median ransom demand has historically been nearly $2 million per attack. Many attackers also threaten to leak personal client information or disrupt operations to pressure firms into a quick payout.

Preserve your reputation

A security breach can run roughshod over your brand’s reputation. Potentially damaging consequences include:

  • Loss of client confidence. Impacted customers may never work with you again.
  • Lack of engagement from prospective clients.
  • Share price declines for public companies.
  • Substantial fines and legal action from regulators.
  • Negative news and opinions from the press and influencers.

Meet required privacy policy regulations

By law, financial services firms must inform clients what data they collect, how they use it, and how they keep it safe. You’ll need to ensure that visitors can easily find this information. Failing to articulate data-handling practices can lead to regulatory penalties.

Regulatory fines for cybersecurity attacks among advisors and asset managers have been substantial. For example, Morgan Stanley was fined $15 million by the SEC in 2024 for failing to protect client accounts. Smaller firms and individuals have paid between $10,000 and $1.75 million for cyber assaults.

Control Who Can Access Your Website

Not everyone in your company needs access to every part of your website. Best practices for limiting access include the following.

Require strong passwords

Why not insist on passwords that are hard to guess? Set rules for password length and complexity to reduce the risk of cybercriminals guessing or stealing your clients’ credentials. Consider requiring regular password changes as well.

Use Two-Factor Authentication (2FA)

Two-factor authentication (2FA) requires users to provide two different types of identification to access an account or service. The two factors typically include a password and a verification code.

Some people complain about the hassle of having to enter a code sent to their phone or use a special token or app.

However, two layers of security make it much harder for hackers to gain access. For example, using two-factor authentication currently blocks nearly 100 percent of automated bot hacks.

Set up Role-Based Access Controls (RBAC)

RBAC might sound like a mouthful, but the idea is to give employees access only to what they need for their job. Restricting access prevents unauthorized users from viewing or changing personal information.

Automatically change site access

You’ll want to automatically update who gets to see what on your website when an employee is hired, promoted, or leaves. Consider identity management solutions from Ping Identity, StrongDM, and many others.
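Role-based access and the hire/promote/leave updates described in the two sections above are easier to see in code. The Python below is an added example, not code from the original article and not the API of Ping Identity, StrongDM, or any other product; the roles, permissions, and employee names are constructed for this illustration. The important behaviours are that a role change replaces the old roles rather than adding to them, and that offboarding removes everything at once.

```python
# Roles and permissions for a hypothetical small firm's website (constructed for this example).
ROLE_PERMISSIONS = {
    "content_editor": {"pages:read", "pages:edit"},
    "client_service": {"pages:read", "clients:read"},
    "compliance": {"pages:read", "clients:read", "audit:read"},
    "site_admin": {"pages:read", "pages:edit", "pages:publish", "users:manage", "audit:read"},
}


class AccessDirectory:
    """Maps each employee to a set of roles; nobody has access unless a role grants it."""

    def __init__(self):
        self._roles: dict[str, set[str]] = {}
        self.log: list[str] = []  # audit trail of every access change

    @staticmethod
    def _check_roles(roles):
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown role(s): {sorted(unknown)}")

    def hire(self, user, role):
        """Joiner: starts with exactly one role, chosen for the job."""
        self._check_roles([role])
        self._roles[user] = {role}
        self.log.append(f"hire {user} -> {role}")

    def change_role(self, user, new_roles):
        """Mover (promotion or transfer): the new role set REPLACES the old one,
        so rights from a previous job do not quietly accumulate."""
        self._check_roles(new_roles)
        self._roles[user] = set(new_roles)
        self.log.append(f"change {user} -> {sorted(new_roles)}")

    def offboard(self, user):
        """Leaver: every role is removed at once; the account keeps no residual access."""
        self._roles.pop(user, None)
        self.log.append(f"offboard {user}")

    def permissions(self, user):
        """Union of the permissions of the user's roles; unknown users get nothing."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self._roles.get(user, set())))

    def can(self, user, permission):
        """The single check every protected page or action should call."""
        return permission in self.permissions(user)


if __name__ == "__main__":
    d = AccessDirectory()
    d.hire("dana", "content_editor")
    print("dana can edit pages:", d.can("dana", "pages:edit"))
    d.change_role("dana", {"client_service"})
    print("dana can still edit pages:", d.can("dana", "pages:edit"))
    d.offboard("dana")
    print("dana can read pages:", d.can("dana", "pages:read"))
    print(d.log)
```

Feeding the HR system's joiner/mover/leaver events into `hire`, `change_role`, and `offboard` is what turns this into the “automatic” update the section describes; the audit log is what you show a regulator afterwards.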

Find Potential Threats Early

Hackers will try to hide their tracks, but a breach usually leaves signs. Watch for repeated failed login attempts from locations you don’t recognize, spikes in the amount of data sent from your network, new user accounts you didn’t create, and website pages that suddenly change appearance or display content you did not approve.
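Three of those signs (repeated failed logins, one source trying many usernames, and accounts created by someone who should not be creating them) can be picked out of an authentication log automatically. The Python below is an added example, not from the original article or from any monitoring product; it uses a constructed key=value log format and constructed sample lines, and the thresholds and the approved-creator list are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value auth-log format (not any real product's format).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ip=203.0.113.5 user=alice event=login_failed
2024-05-01T09:00:02Z ip=203.0.113.5 user=alice event=login_failed
2024-05-01T09:00:04Z ip=203.0.113.5 user=alice event=login_failed
2024-05-01T09:00:05Z ip=203.0.113.5 user=alice event=login_failed
2024-05-01T09:00:07Z ip=203.0.113.5 user=alice event=login_failed
2024-05-01T09:00:09Z ip=203.0.113.5 user=alice event=login_failed
2024-05-01T09:01:00Z ip=198.51.100.7 user=bob event=login_failed
2024-05-01T09:01:01Z ip=198.51.100.7 user=carol event=login_failed
2024-05-01T09:01:02Z ip=198.51.100.7 user=dave event=login_failed
2024-05-01T09:01:03Z ip=198.51.100.7 user=erin event=login_failed
2024-05-01T09:05:00Z ip=192.0.2.10 user=alice event=login_ok
2024-05-01T09:06:00Z ip=192.0.2.10 user=alice event=login_failed
2024-05-01T09:10:00Z ip=192.0.2.10 user=svc-backup2 event=account_created by=alice
2024-05-01T09:11:00Z ip=192.0.2.11 user=jsmith event=account_created by=it-admin
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<rest>.*)$")


def parse_log(text):
    """Turn each well-formed line into a dict; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect(events, window_s=60, fail_threshold=5, user_threshold=4, approved_creators=("it-admin",)):
    """Return alerts for three of the breach signs listed above.

    - brute_force: at least fail_threshold failed logins from one IP within window_s seconds
    - credential_stuffing: one IP failing against at least user_threshold distinct usernames in that window
    - unexpected_account: an account created by someone not on the approved-creator list
    """
    alerts = []
    window = timedelta(seconds=window_s)
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "login_failed":
            failures[e["ip"]].append(e)

    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        seen = set()  # raise each alert kind once per IP, not once per line
        for end in range(len(fails)):
            # slide the window start forward until it fits inside window_s
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            if "brute_force" not in seen and len(chunk) >= fail_threshold:
                seen.add("brute_force")
                alerts.append({"kind": "brute_force", "ip": ip, "count": len(chunk)})
            if "credential_stuffing" not in seen and len(users) >= user_threshold:
                seen.add("credential_stuffing")
                alerts.append({"kind": "credential_stuffing", "ip": ip, "users": sorted(users)})

    for e in events:
        if e.get("event") == "account_created" and e.get("by") not in approved_creators:
            alerts.append({"kind": "unexpected_account", "ip": e["ip"],
                           "user": e["user"], "by": e.get("by")})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The two login rules are intentionally different: many failures against one account points at password guessing, while a handful of failures spread over many accounts from one address is the credential-stuffing pattern described earlier, which a per-account lockout rule alone would miss.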

Monitor for vulnerabilities

Firms must constantly check for website vulnerabilities to protect against potential cyber threats. The process is known as threat intelligence.

Monitoring tools such as Nagios, Site24x7, and Sucuri check around the clock for unusual activity by watching website traffic, server logs, and authentication patterns. They also spot weaknesses in your site’s code, plugins, or security settings, and alert you when they detect suspicious activity.

Create an incident response plan

Know what you’ll do if a security problem occurs. The basics include communicating with clients and regulators, recovering lost data, and documenting what happened and when. Practice your plan with your team to ensure everyone knows how to respond if an attack occurs.

Protect Against Attacks

Bad actors will attempt to access your website wherever they identify weakness. Asset managers must employ multiple defenses so that one breach will not lead to a significant setback in reputation and assets.

Web Application Firewalls (WAFs)

WAFs are your website’s security guards: they stop harmful traffic before it reaches your website. Web Application Firewalls defend against threats like SQL injection, in which hackers slip malicious commands into the queries your site sends to its database, and cross-site scripting, where the bad guys look to run harmful scripts on your site in your visitors’ browsers. Most firms install WAFs through cloud services like Amazon’s AWS, Microsoft’s Azure, and others.
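A WAF filters traffic in front of the site, but the durable fix for both of the attack classes it guards against lives in the application code, and a WAF should be treated as a second layer over that. The Python below is an added example, not code from the original article or from any WAF vendor: against a constructed in-memory SQLite table it shows a lookup that pastes user input into the SQL text (the injectable pattern) beside a parameterized one, and an HTML renderer that escapes stored text so a client name containing markup is displayed rather than executed. The table, data, and review input are all constructed for this illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory client table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, account_no TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO clients (account_no, owner) VALUES (?, ?)",
        [
            ("ACC-1001", "Alice Example"),
            ("ACC-1002", "Bob Example"),
            ("ACC-1003", "Carol <script>alert(1)</script>"),  # hostile text stored in a name field
        ],
    )
    return conn


def lookup_vulnerable(conn, account_no):
    """Builds the SQL by pasting the input into the command text, so input can change the query."""
    query = f"SELECT account_no, owner FROM clients WHERE account_no = '{account_no}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, account_no):
    """Parameterized query: the value travels separately from the command and is only ever data."""
    return conn.execute(
        "SELECT account_no, owner FROM clients WHERE account_no = ?", (account_no,)
    ).fetchall()


def render_owner_unsafe(owner):
    """Puts database text straight into HTML, so stored markup would run in the visitor's browser."""
    return f"<td>{owner}</td>"


def render_owner_safe(owner):
    """Escapes < > & ' and " so the browser shows the text instead of interpreting it."""
    return f"<td>{html.escape(owner)}</td>"


# Input an application security review would feed to the lookup: a quote that closes the
# literal, followed by a clause that is always true.
REVIEW_INPUT = "ACC-1001' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, REVIEW_INPUT))   # returns every client row
    print("safe:      ", lookup_safe(conn, REVIEW_INPUT))         # no account has that exact number
    print(render_owner_safe(lookup_safe(conn, "ACC-1003")[0][1]))
```

The review input is the kind of test case a security review includes in the site's own test suite: if `lookup_vulnerable` ever returns more than one row for it, the build should fail. The same idea applies to the renderer, which is why `render_owner_unsafe` is kept here only as the “before” picture.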

DDoS mitigation

A DDoS (Distributed Denial of Service) is an attack that floods a website with traffic so that it crashes. The bad actors aim to disrupt client logins, transactions, and service availability.

The financial services sector is a prime target for DDoS attacks, with a reported 23 percent increase between 2023 and 2024. Consider services such as Akamai Kona Site Defender or Cloudflare to enhance your protection.

Stave off the bots

Bots are computer programs that visit your website in the background. Some bad actors design bots to break into websites, steal data, or disrupt services.

Anti-bot software helps stop the bad bots by detecting and blocking them before they cause problems. Examples include DataDome and Radware Bot Management.

Segment your network

Industry regulations require network segmentation to protect critical information and reduce risk. Segmenting your network involves dividing it into smaller, secure sections, so sensitive information is stored in distinct and protected zones. If one section is attacked, the others stay safe. For example, you’ll want to keep customer data on one server and website files on another, each with unique security controls.

Keep Software Updated

Hackers often target outdated and unsupported software because it’s easier to break into. That’s why it’s essential always to run the newest versions.

Update your software

Tools like Microsoft Update, Apple App Store, or plugin stores on your website platform help you quickly install security patches and upgrades. Regularly update your content management system, plugins, logins, and security certificates. Outdated software is a risk.

Remove unused software

Most firm websites have programs and plugins that they rarely, if ever, use or know about. Uninstalling unneeded, outdated, or potentially vulnerable software will reduce security risks.

Review vendors

When selecting software providers, choose those with a proven reputation for security, regular and automatic updates, and excellent customer support. Make sure they clearly explain how they protect your data and meet industry regulations.

Train Your Employees

Creating a strong culture of security awareness, supported by leadership, is vital for boutique firms where every employee carries weight.

Cybersecurity training

Managers should require security training for all executives and support teams alike. Everyone should learn about identity verification, password management, mobile device security, suspicious transfer requests, and incident reporting procedures.

Publish security rules

Your IT department or a dedicated security team should publish security rules. In some firms, this responsibility is assigned to a senior manager or a trusted outside technology advisor. These individuals or teams work to ensure policies are clear, up-to-date, and effectively communicated to all employees.

Phishing simulations

Phishing simulations are practice exercises that imitate cybercriminal tactics. You may, for example, send your team fake emails that request sensitive information or have suspicious links. The goal is to test whether your people can identify and respond to potential phishing attempts.

Prepare for the Future

Use modern technology to protect your business and client data and stay ahead of new threats.

AI Security tools

AI security tools are intelligent programs that use artificial intelligence to constantly protect your systems. They immediately notice unusual behavior, such as fake videos and malware, and alert you before harm is done.

Zero Trust Networking

Think of Zero Trust as never trusting anyone or anything automatically, even if it sounds and looks like your grandmother. Instead, whenever someone, real or artificial, tries to access your systems, they must prove who they are to be allowed in.

Quantum-Ready Security

Quantum computing is a new technology that someday will likely be able to break today’s digital locks faster than regular computers. Quantum-Ready Security means using new, stronger codes that cannot easily be broken, even by these powerful machines. It’s like upgrading from a basic door lock to a super-secure, future-proof vault.

Website Security Definitions

Understand these website security basics:

Authentication. Verifying user identity before giving access, like verifying an ID.

CAPTCHA. A test to distinguish human users from bots.

DDoS Attack. An overload of traffic that crashes your website.

Encryption. A data scrambler that keeps your data secret from outsiders.

Firewall. A barrier that blocks unwanted or suspicious internet traffic.

Patch. A software update that fixes problems and improves security.

Phishing. Fake messages designed to steal information.

Plugin/third-party dependency. Extra software added to your website.

Quantum-Readiness. How to prepare against future security challenges from powerful computers.

SSL/TLS. A tool that encrypts information sent to and from your website.

SQL Injection. A hacker trick of sending fake database commands to steal information.

Two-Factor Authentication (2FA). A login process using multiple identity proofs.

Web Application Firewall (WAF). A system that blocks bad traffic from reaching your website.

XSS (cross-site scripting). A way of injecting harmful code into your website.

Zero Trust Networking. The practice of verifying all requests for access to your site.

Website Security Measures That You Need Now

Cybercriminals target financial services websites for the same reason Willie Sutton, an infamous American bank robber from the 1920s to the 1950s, said he robbed banks: “Because that’s where the money is.”

Asset management websites are now where much of the money is. Financial service websites are prime targets for attackers looking for a big score.

So let’s return to our original question, “Is your firm and website secure from cyberattacks?” If your answer is anything short of an unequivocal “yes,” use this checklist to protect your assets, clients, and reputation:

  • Control who can access your website
  • Find potential attacks early
  • Protect against attacks
  • Keep software updated
  • Train your employees
  • Prepare for the future

Can’t do it all yourself? Look for a proven, experienced specialist who can help you protect your firm and clients from cyberattacks.

Schedule a complimentary strategy session with Dan Sondhelm, CEO of Sondhelm Partners, to learn more about how to build and protect your website and more from cybercriminals.

Frank Serebrin is the Content Marketing Director for Sondhelm Partners. He leads strategic and creative content and marketing services for our asset and wealth management clients.