Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
I have spent the better part of my career watching how organizations manage access to sensitive data — who has it, who should have it, and how long it takes anyone to notice when those two things stop matching. In financial services, that gap tends to be measured in months.
Picture this: A client calls, upset, asking about a transaction they did not make. The advisor pulls up the account and flags the unauthorized activity, yet they have no immediate explanation for how it happened. The breach came through a third-party platform the advisor accesses daily but has no control over. By the time the call comes in, the unauthorized access has been active long enough that determining its scope will require outside help.
That’s a fairly typical telling of how independent advisors discover a credential compromise. It comes from outside, after the fact, and the firm is usually the last to know.
When Access Outlasts Employment
It is worth being precise about the diagnosis here. It matters for the remedy.
A typical small RIA runs on a custodian portal, a CRM, a portfolio management tool, a document management system, and a client-facing portal. Each system will have its own credentials, with some tied to individual users and some shared across the team.
That becomes an issue when someone leaves and there is no process for revoking access across every platform, no record of which shared credentials they held, and no prompt to rotate the passwords they walked out the door with.
FinWise Bank learned this the hard way. A former employee accessed roughly 689,000 customer records — names, dates of birth, Social Security numbers, account numbers — on May 31, 2024. Yet the bank did not discover the breach until June 18, 2025, more than thirteen months later. In that entire span, no system flagged that a person who no longer worked there had logged in.
Thirteen months is an outlier, but not by much. According to IBM's report, Cost of a data breach 2024: Financial industry, credential-based attacks — the most common initial access vector in financial services — carry an average detection-to-containment lifecycle of 292 days. That’s nearly ten months. For a practice without a dedicated security function, there is no mechanism to beat that average.
When the Breach Isn't in Your Systems
The LPL Financial incident from late 2025 is instructive for a different reason. LPL detected the breach within ten days. The attack had entered through individual advisor devices via phishing-delivered malware, before moving into LPL's web-based advisor portal, where unauthorized parties executed transactions and financial transfers across 1,581 client accounts.
LPL caught it quickly because the company has a security operations function. That detection layer existed at the firm level, even though the entry point was at the individual advisor level.
Many independent advisors do not have that backstop. When an advisor device is compromised the same way, there is no equivalent monitoring for anomalous portal activity. The breach advances until a client notices something wrong, or a third-party vendor sends a notification letter that arrives days or weeks after their own investigation was already underway.
Gaining Visibility Into Your Credentials
Having a security operations center or not, all RIAs need a single place where every credential that touches client data is logged, owned, and visible.
That means a centralized credential management system that tracks who has access to what across every platform the practice uses. It means an audit trail. If a client calls about an unauthorized transaction six months from now, you need to be able to show exactly who had access to which systems and when.
It also means breach monitoring that covers the full credential footprint, including every third-party platform that holds or can access client data. A monitoring layer that watches for unusual login patterns, off-hours access, or credentials appearing in known breach databases gives you a vital detection capability.
Start with a full-access audit. Go platform by platform and document every active login and whether you would know within 24 hours if someone accessed it without authorization. In most practices I have seen, this surfaces at least one active credential belonging to someone who left months ago.
The cleanest fix is individual logins per platform, which removes attribution ambiguity entirely. Where that creates too much internal friction, the minimum is a documented record of every shared credential and an ironclad rule that any password a departing employee touched gets rotated on their last day.
Credential hygiene does not come with a guarantee. But it will leave you in a better position to detect unusual access earlier, contain it, and give a coherent account of what happened when the questions start arriving.
The Fiduciary Case for Access Management
The fiduciary standard governing advisory practice covers investment recommendations, fee transparency, and conflict disclosure. The systems holding client financial data fall under the same duty of care.
The advisors whose devices LPL identified in the November 2025 breach were not careless professionals. They were operating without the monitoring infrastructure a large firm provides, which left their clients exposed in ways that were, to a real degree, preventable.
Before the next client call you cannot explain, answer one question: Who has active credentials to your client-facing systems right now? If the answer requires checking with someone else or pulling up a spreadsheet that has not been touched in a year, that is where the work starts.
Chris Skipworth is CEO of Passpack, a credential management platform serving small and midsized businesses across professional services, including financial advisory firms. He has spent his career working with organizations on access management and the security gaps that emerge when credential oversight is informal or absent.
A message from Advisor Perspectives and VettaFi: Discover something new! Click here to register for our upcoming webcasts.
More ETF Topics >