
Rob DeDominicis: After M&S – lessons in cybersecurity

Blog, GBST insights 15/06/2025

The recent cyberattack on Marks & Spencer has highlighted just how quickly a digital breach can spiral into a full-blown business crisis. Operations have been disrupted, customer data compromised, and consumer confidence severely impacted. The firm’s market cap fell by more than £1bn in the first weeks of the crisis, while some estimates suggest the total cost of the attack could reach £200m.

Around the same time, two other large UK retailers – Co-op and Harrods – also hit the headlines as a result of cyberattacks affecting their operations. These are not isolated incidents: according to the government’s Cyber Security Breaches Survey 2024, more than a fifth (22%) of UK businesses experienced cybercrime in the previous 12 months. This spate of high-profile attacks has sent a wake-up call far beyond retail.

Data security is central to earning and maintaining customer trust as the world becomes more digital. In the past, a data breach might have caused short-term reputational damage; in today’s highly connected landscape the consequences reach much further. For wealth management firms, such incidents underline how quickly a cybersecurity breach can erode trust, hit valuations and trigger significant regulatory scrutiny.

Creating a culture of security

Strong security starts with solid foundations, which means limiting unnecessary exposure to client data to reduce the risk of leaks or theft. Sensitive data – particularly financial data – should be kept in a small number of well-defined locations with strictly controlled access and clear rules on how long it is retained; data you no longer hold cannot be stolen. Minimising copies and access paths shrinks the attack surface available to an intruder while supporting regulatory compliance.

It is also important to recognise that technology alone is not enough – your people and processes determine resilience too. Establishing a genuine culture of cybersecurity requires clear actions, such as conducting routine phishing simulations, performing regular vulnerability audits, engaging in detailed scenario-planning exercises, and implementing strict governance of third-party vendors. How you handle a breach counts. Delaying action could widen or prolong disruption and increase recovery costs.

The role of third-party vendors cannot be overlooked. The growing importance of external suppliers to financial services firms is increasingly reflected in legislation. The Operational Resilience Regulations require firms to map their dependencies, including outsourced services. At the same time, a new framework for ‘critical third parties’ will oversee providers, such as technology suppliers, that deliver vital services to financial firms.

Similarly, the Digital Operational Resilience Act (DORA) in Europe and Prudential Standard CPS 230 Operational Risk Management in Australia make clear that firms are accountable for their own security and the resilience of their supply chains.

This means demanding high standards from technology partners, including transparent controls, clear accountability and evidence of compliance. International security standards such as ISO 27001 and SOC 2 provide useful benchmarks for evaluating a service provider, but they are not the same thing: ISO 27001 certification covers the provider’s information security management system, whereas a SOC 2 report is an auditor’s attestation that specified controls were suitably designed (Type I) or operated effectively over a period (Type II). Ask for the certificate’s scope and the full SOC 2 report rather than the badge alone, so you can confirm that the service you actually consume is covered.

Adapting to new threats

The rise of remote working has introduced new risks, increasing the chance of unauthorised access and data theft from devices and connections outside the firm’s direct control. At the same time, cyberattacks are becoming more sophisticated, using careful targeting, AI and multi-stage strategies that combine various tactics to infiltrate systems. These attacks are harder to detect and stop, which amplifies the threat and increases the likelihood of damage.

Yet defences are evolving too. Cloud and ‘software as a service’ infrastructures let people access systems from anywhere, boosting flexibility but dissolving the network perimeter that traditional security relied on. Two trends reshaping data security in wealth management in this regard are ‘zero trust’ principles and AI-powered security tools.

‘Zero trust’ means granting no implicit trust on the basis of network location: every request is authenticated, checked against the health of the device it comes from and authorised against a least-privilege policy, whether it originates in the office or over a home broadband connection. This limits what an insider or a compromised account can reach. Some worry that this may affect the user experience, especially for vulnerable or less tech-savvy users; however, strong security builds client confidence and allows internal teams to focus on adding value rather than damage control.
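The difference between perimeter trust and zero trust is easiest to see as two access-decision functions run over the same requests. The following is an added example written for this article, not code from GBST or from any product; the request fields, the device-posture checks, the role table and the one-hour session limit are all assumptions chosen to illustrate the principle.

```python
"""Per-request access decisions: network-perimeter trust versus zero trust.

Added illustration, not code from the original article or from GBST. The
request fields, the device-posture checks, the role table and the one-hour
session limit are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str            # "read" or "write"
    source_ip: str
    mfa_verified: bool     # identity proven with a second factor this session
    device_managed: bool   # device enrolled in the firm's endpoint management
    device_patched: bool   # OS and security agent at the required level
    session_age_min: int   # minutes since the user last authenticated


# Assumed role assignments and per-resource permissions (least privilege).
ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"adviser"}),
    "bob": frozenset({"operations"}),
}
PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "client-portfolio": {
        "adviser": frozenset({"read", "write"}),
        "operations": frozenset({"read"}),
    },
    "payroll": {"operations": frozenset({"read", "write"})},
}
MAX_SESSION_AGE_MIN = 60  # assumed: force re-authentication after an hour


def perimeter_decision(req: Request) -> bool:
    """Legacy model: a request is trusted because it arrives from the office LAN."""
    return req.source_ip.startswith("10.")


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate identity, session freshness, device posture and least privilege
    on every request. Network location is deliberately never consulted."""
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    if req.session_age_min > MAX_SESSION_AGE_MIN:
        return False, "session too old, re-authenticate"
    if not (req.device_managed and req.device_patched):
        return False, "device does not meet posture policy"
    allowed = set()
    for role in ROLES.get(req.user, frozenset()):
        allowed |= PERMISSIONS.get(req.resource, {}).get(role, frozenset())
    if req.action not in allowed:
        return False, f"{req.user} may not {req.action} {req.resource}"
    return True, "allowed"


def compare(req: Request) -> Tuple[bool, bool, str]:
    """Return (perimeter verdict, zero-trust verdict, zero-trust reason)."""
    zt_ok, reason = zero_trust_decision(req)
    return perimeter_decision(req), zt_ok, reason


# Constructed requests: a no-MFA unmanaged host on the office LAN, a remote
# adviser on a healthy managed device, an operations user overreaching, and an
# adviser whose session has gone stale.
SAMPLE_REQUESTS: List[Request] = [
    Request("bob", "client-portfolio", "read", "10.1.4.20", False, False, False, 5),
    Request("alice", "client-portfolio", "write", "203.0.113.7", True, True, True, 12),
    Request("bob", "client-portfolio", "write", "203.0.113.9", True, True, True, 3),
    Request("alice", "client-portfolio", "read", "10.1.4.21", True, True, True, 90),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.user, r.resource, r.action, compare(r))
```

The first sample request is the one that matters: the perimeter model waves it through because it comes from an internal address, which is exactly how a compromised office machine or a walked-in laptop gains access, while the zero-trust check refuses it for lack of verified identity. The remote adviser, by contrast, is refused by the perimeter model and accepted by zero trust once identity, device and entitlement all check out.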

For their part, AI-driven tools help firms spot threats faster by building a baseline of normal activity and flagging deviations from it, such as unusual behaviour by a user or data appearing where it should not be. They offer an early warning of potential threats and, combined with a strong security culture, can significantly reduce the risk of a breach.
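The detection logic behind such tools is, at its core, a baseline and a deviation test. The following added example (not code from the article, from GBST or from any vendor’s product, and deliberately statistical rather than a trained model) runs that logic over constructed data-export logs: it learns each user’s typical export size and destinations from history, then flags a recent export that is far larger than usual, one that goes somewhere the user has never sent data before, and one from a user with no history at all. The log format, sample lines and thresholds are all assumptions.

```python
"""Behavioural anomaly detection over constructed data-export logs.

Added illustration, not code from the original article or from GBST, and not a
model of any particular AI tool: it shows the baseline-and-deviation logic such
tools build on. The log format, sample lines and thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=export "
    r"records=(?P<records>\d+) dest=(?P<dest>\S+)$"
)


def parse(lines: List[str]) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["records"] = int(d["records"])
            events.append(d)
    return events


def mad(values: List[int]) -> float:
    """Median absolute deviation: a spread measure one huge spike cannot skew."""
    med = statistics.median(values)
    return statistics.median([abs(v - med) for v in values])


def build_baseline(history: List[dict]) -> Tuple[Dict[str, Tuple[float, float]], Dict[str, Set[str]]]:
    """Per-user (median, MAD) of export size, and the set of destinations seen."""
    sizes: Dict[str, List[int]] = defaultdict(list)
    dests: Dict[str, Set[str]] = defaultdict(set)
    for e in history:
        sizes[e["user"]].append(e["records"])
        dests[e["user"]].add(e["dest"])
    return {u: (statistics.median(v), mad(v)) for u, v in sizes.items()}, dict(dests)


def detect(history: List[dict], recent: List[dict],
           k: float = 5.0, min_scale: float = 10.0) -> List[Tuple[str, str, List[str]]]:
    """Flag recent events whose volume is far above the user's baseline, that go
    to a destination the user has never used, or that come from a user with no
    history. min_scale stops a near-zero MAD from making the test hair-trigger.
    Returns (timestamp, user, reasons) for each flagged event."""
    size_base, dest_base = build_baseline(history)
    findings = []
    for e in recent:
        reasons = []
        if e["user"] not in size_base:
            reasons.append("no baseline for this user")
        else:
            med, scale = size_base[e["user"]]
            threshold = med + k * max(scale, min_scale)
            if e["records"] > threshold:
                reasons.append(f"volume {e['records']} exceeds threshold {threshold:.0f} (median {med:.0f})")
            if e["dest"] not in dest_base[e["user"]]:
                reasons.append(f"never-before-seen destination {e['dest']}")
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings


# Constructed history: ten routine exports by alice to the CRM, five by bob to
# the reporting system. Constructed recent activity: one normal alice export,
# one 4,500-record export at 02:41, bob sending data to an external host, and
# an unknown user. The last line is deliberately malformed.
ALICE_SIZES = [100, 110, 120, 130, 140, 105, 115, 125, 135, 120]
BOB_SIZES = [20, 30, 40, 25, 35]
HISTORY_LINES = (
    [f"2025-06-{d:02d}T09:00:00 user=alice action=export records={n} dest=crm.internal"
     for d, n in enumerate(ALICE_SIZES, start=1)]
    + [f"2025-06-{d:02d}T14:00:00 user=bob action=export records={n} dest=reporting.internal"
       for d, n in enumerate(BOB_SIZES, start=1)]
)
RECENT_LINES = [
    "2025-06-12T09:05:00 user=alice action=export records=130 dest=crm.internal",
    "2025-06-12T02:41:00 user=alice action=export records=4500 dest=crm.internal",
    "2025-06-12T10:12:00 user=bob action=export records=25 dest=share.example.net",
    "2025-06-12T10:30:00 user=carol action=export records=10 dest=crm.internal",
    "this line is not a valid log record",
]


def run_example() -> List[Tuple[str, str, List[str]]]:
    return detect(parse(HISTORY_LINES), parse(RECENT_LINES))


if __name__ == "__main__":
    for ts, user, reasons in run_example():
        print(ts, user, "; ".join(reasons))
```

The median and MAD are used instead of mean and standard deviation so that the anomalous export itself does not inflate the baseline it is being compared against; the “never-before-seen destination” test is the simplest form of the “data appearing where it should not be” signal mentioned above. A real tool adds time-of-day, peer-group and sequence features on top of this, but the alert it raises rests on the same idea.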

Today, cybersecurity goes beyond firewalls and password policies. Clients expect their wealth manager to protect sensitive information as securely as their money. This means learning from the retail sector’s recent challenges, choosing resilient partners and fostering a culture of proactive security. By taking these steps, you can better defend your firm against threats while building trust and differentiation in an increasingly digital world.

This article originally appeared in Wealthwise on 11 June 2025.



© GBST 2025. All rights reserved.