Advisor Group’s Clayton Chandler: Post-M&A Cybersecurity Best Practices

Continued Rise in Independent FA Deals Elevates Importance of Post-Transaction Cybersecurity

James Miller, Contributing Editor, Wealth Solutions Report

What do natural gas pipelines, meat processors and the independent wealth management space have in common?

This isn’t the opening to a bad joke.  Rather, it’s a recognition of how certain events over the past six months have escalated awareness among independent wealth management firms and the financial advisor businesses they serve on the crucial importance of cybersecurity.

With significant disruptions earlier this year to both our domestic energy supply – courtesy of a massive ransomware attack against Colonial Pipelines, the natural gas company – as well as  meat supplies – thanks to a crippling cyber-attack against global meat processing firm JBS – companies across industry sectors have been accelerating their investments in cybersecurity defenses.

“Time to get ‘moo’-ving on cybersecurity defenses!”

This certainly applies to independent broker-dealers and RIAs, given the highly confidential client data that firms and advisors routinely have in their digital files.

Increasing Investment in Resources and Expertise

Advisor Group, which has made cybersecurity readiness a major part of the firm’s value proposition since the company’s launch of its CyberGuard Program for financial advisors in 2019, is once again putting its money where its mouth is when it comes to investing in cybersecurity resources.

The latest move in this arena from Advisor Group – with over 10,000 financial advisors across the country – comes in the form of its appointment of Clayton Chandler as its new Chief Information Security Officer (CISO), announced earlier this week. 

Chandler, a veteran cybersecurity leader from Credit Suisse who also has past work experience with the National Security Agency, has very clear views about the future of cybersecurity in the wealth management space.

WSR recently connected with Chandler to dive deep with him on cybersecurity best practices – And what independent FA businesses going through a merger or acquisition must do to ensure they are digitally protecting themselves and their clients.

WSR:  Congrats on your new role!  Tell us about your last job as CISO and Global Head of Cybersecurity and Americas Head of Technology Security at Credit Suisse, and the key learnings you hope to adapt from that experience for Advisor Group.

At Credit Suisse, I was accountable for securing the information and operations of the company’s investment banking, risk and compliance functions globally, as well as all business functions within the Americas. Prior to that, I was accountable for cyber threat defense globally for the CS enterprise.

New cyber threats require updated security protocols.

My experience in running a security and privacy operation within a multinational, significantly regulated financial services firm will benefit Advisor Group as the organization continues its rapid growth. 

That growth in scale will bring about new types of cyber threats and regulatory requirements, including unique challenges in ensuring that Advisor Group’s technological infrastructure and delivery processes are secured against cyber threats from the outset. 

My prior experience with large-scale financial services technology puts me in a great position to help support Advisor Group as it continues to grow in the years ahead.

WSR:  M&A between independent financial advisor businesses is expected by most industry experts to continue to rise.  What are the most important first steps from a cybersecurity perspective that an advisor who has acquired a practice should take?

While cybersecurity is often thought of as a technology function, I believe that it is first and foremost a cultural practice rooted in a set of practical, foundational principles. 

The first step an acquirer of another practice should take in understanding the cybersecurity posture of their newly expanded organization is evaluate the culture – is cybersecurity training required for employees? Are cultural drivers such as employee reporting of potential phishing emails positively reinforced, rewarded and celebrated? Are there policies, standards and processes in place for consciously understanding and managing information security risk?

Beyond this, it’s also important to ensure that the entire known asset environment of the acquired organization is thoroughly understood, in order to reduce any potential blind spots. Do you have a complete list of hardware and software assets, users, accounts, and third-party vendors? What processes are in place to ensure that these lists are continuously kept complete and accurate? 

The biggest cyber risks manifest into incidents when these unknown assets go unnoticed and unchecked.

As Advisor Group continues to establish itself as a leader in advisor M&A through offerings like its Continuity Coverage & Acquisitions Platform – which offers funding and a wide array of other value-added resources to help advisors grow through acquisitions – cybersecurity awareness throughout the M&A process will only grow in importance.

WSR:  When two different independent financial advisor businesses merge, how quickly should the merged firm move towards a shared cybersecurity training program, and what should be the cybersecurity training program’s key elements?

It is absolutely important that employees understand the policies that govern information security and privacy and what expectations the organization has of employees in meeting those policies’ requirements. 

“See something? Say something!”

However, this messaging lands best when it’s delivered as part of a corporate culture that has security embedded in its DNA and positively supports notions like “if you see something, say something”. I’m a big believer in positive reinforcement, and I think it’s one of the most important elements of cybersecurity.

I recommend messaging that sounds less like hardline compliance obligations, and more like a duty and mission of the organization that every employee has equity in executing. Make sure that employees have a means of reporting strange or abnormal experiences, support it and reward it! 

I would recommend that newly-merged independent FA businesses move toward such a culture as soon as possible. 

WSR:  What are your top strategic goals that you want to achieve as the new CISO of Advisor Group over the next 12 months?

My biggest goals are twofold. First, ensuring that Advisor Group has consistent, scalable policies and procedures for information security, privacy and data protection that best protect the firm from threats while allowing the organization the agility to continue to scale and grow.

Clayton Chandler, CISO, Advisor Group

The second is continuing Advisor Group’s evolution from reactive cybersecurity controls to proactive, threat-informed cyber defense. 

We will lay a foundation for not just detecting security vulnerabilities or cyber threats based on known signatures, but also putting the processes and technology in place to proactively seek them out and eradicate them before they impact the organization. 

That’s a cultural evolution as much as it is a technological one!
James Miller, Contributing Editor & Research Analyst, can be reached at

Related Posts

Sign Up for Our Newsletters

Sign Up for Our Newsletters