Should You Split Your Retirement Accounts to Reduce Cyber Risk?
AI and cyber threats to brokerages are growing. Will keeping your retirement funds in two or more institutions lessen your risk of getting wiped out? We talked to financial experts to find out.
It’s one of the oldest investing principles, the “always look both ways before crossing the street” of finance advice. Diversify.
Most people think about two kinds of diversification: investment diversification (don’t put all your money in one stock or sector) and tax diversification (spreading your investments across accounts with different tax treatments). The goal is to reduce the risk of investment losses and unnecessary taxes.
But there’s a third kind of risk that’s increasingly on investors’ minds, and it has nothing to do with markets. Many have already experienced it firsthand.
From just $107.88 $24.99 for Kiplinger Personal Finance
Become a smarter, better informed investor. Subscribe from just $107.88 $24.99, plus get up to 4 Special Issues
Sign up for Kiplinger’s Free Newsletters
Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.
Profit and prosper with the best of expert advice - straight to your e-mail.
Fidelity, for example, suffered a cyberattack in 2024 that exposed sensitive data belonging to roughly 77,000 customers. Like a cyber buffet line, hackers potentially obtained account numbers, routing numbers, Social Security numbers and driver's license information.
That raises a fair question: Is it risky to keep all your savings at a single financial institution?
Recent reports suggest the cyber threat to financial firms is growing, which can make "institutional diversification" — holding accounts across multiple custodians — sound like a smart new layer of protection. We asked four financial experts about this strategy.
The rising cyber risk to financial institutions — and you
Hackers don’t just go after the vulnerable. They are more than willing to go after the big fish. In fact, cyberattacks on financial firms have more than doubled since the pandemic, according to a 2024 International Monetary Fund report, and extreme losses from those incidents have more than quadrupled since 2017, to $2.5 billion.
Financial institutions face increasing cyber attacks and losses
AI may make the threat even harder to contain. In April, Anthropic said Claude Mythos, its artificial intelligence model that can autonomously find and exploit complex software vulnerabilities, was so powerful that it was too dangerous to release widely at the time.
So what happens if the next target is where you keep your money?
Most people know FDIC insurance covers up to $250,000 per depositor, per bank, if a bank fails. But brokerage accounts have a different kind of protection. If you become a victim through your brokerage, you may not be entirely on your own.
“The SIPC covers up to $500,000 per account, and most custodians carry excess coverage well beyond that,” notes Jeffrey Judge, CFP® and managing partner of Chesapeake Financial Planners. SIPC covers up to $500,000 per account type (individual, joint or trust; each has its own $500k limit), and it ensures that securities are returned to the consumer and that they’re made whole.
The bigger question may not be whether you’ll lose your money. It may be whether you can access it when you need it and how messy the aftermath becomes.
"Custodian outages, platform migrations, firm acquisitions – these events can freeze account access for weeks," says Matt Chancey, CFP®. "If your entire liquidity pool sits at one institution, you have no fallback. For retirees drawing income monthly, that's not a theoretical problem."
"If a retiree spreads assets across several firms, they may never reach those lower-fee breakpoints, ... causing the overall fees paid to be higher." — W. Michael Lofley
Why spreading your retirement across multiple custodians may not be the answer
Given that cyber losses have increased and major institutions have already been breached, spreading assets across multiple custodians might sound like the obvious move. But most advisers say it usually isn’t necessary.
"I have never recommended a client use multiple custodians solely because of cyber risk," says Justin Rice, CFP® and financial advisor at Personal Wealth Strategies. "In fact, for most people, I generally recommend the opposite. Simplicity matters."
Rice notes that many households already have natural institutional diversification — a 401(k) at one provider, an IRA elsewhere, a bank account at a third place — and adding more on purpose usually doesn't pencil out. "For most retirees with net worths under approximately $10 million, one primary custodian is typically more than sufficient. The major custodians have extensive cybersecurity infrastructure, fraud monitoring, insurance protections and operational safeguards in place."
The complexity costs are real, too. W. Michael Lofley, CFP® and financial adviser at HBKS Wealth Advisors, points out a financial cost that rarely gets discussed: "If a retiree spreads assets across several firms, they may never reach those lower-fee breakpoints at any one institution, causing the overall fees paid to be higher."
Coordination is another quiet penalty, he adds. It’s hard to set the right portfolio risk without seeing what's being taken elsewhere, and the same problem hits estate planning and tax coordination.
Then there’s estate administration. "Beneficiary designations that haven’t been updated consistently across four or five institutions is how families lose seven figures after the second parent dies," Chancey warns. "The wrong person inherits the wrong account because nobody coordinated the paperwork."
Judge has seen it play out firsthand. "I had a client last year who wanted to do exactly that, and when we mapped out the beneficiary paperwork, the RMD tracking and the extra 1099s, she decided the complexity wasn’t worth it."
If you do split, here’s how to do it
For most retirees, two to three institutions might be the practical ceiling.
"Two to three is the Goldilocks number for most retirees," Chancey says. "Beyond that, the complexity costs start outweighing the resilience benefits fast." The split should be functional rather than arbitrary, he says.
That means brokerage and investment accounts at one or two custodians. Banking and cash management at another.
"Keep tax buckets coherent within institutions," he adds. "Don’t scatter Roth assets and traditional IRA assets across five places, or RMD tracking becomes a coordination problem that costs you money every year."
The cyber moves that actually matter
Experts often agree that the user is usually the weakest link, not the institution.
"The bigger risk is not usually at the custodian level. It is at the client level," Rice says. "I would rather see investors spend their energy strengthening their own cyber practices instead of opening multiple custodial relationships solely out of fear of cyberattacks."
One basic safeguard is turning on alerts. "Every major custodian allows text or email notifications for withdrawals above a threshold you set," Chancey says. "Most retirees have never turned them on. A wire transfer out of your account triggers an alert within minutes. That single practice catches the most common form of financial elder fraud before real damage is done."
For identity fraud, it’s worth considering a freeze on your credit at all three bureaus. "The freeze is reversible and stops most identity-based fraud before it starts," Judge says. "That’s where the real exposure is, not which custodian holds the assets."
You may also want to consider locking your Social Security number.
Sure, password advice can sound like a broken record that’s easy to tune out, but unique passwords still matter, along with multifactor authentication. After all, the most common password in the world is 123456, according to NordPass. A password manager can create and store different credentials for every account, so a breach at one site doesn’t unlock the rest.
And if, like so many of us, you’re suffering from password fatigue, it might be worth remembering another old principle: better safe than sorry.
Read More
- What Is FDIC Insurance? Plus Other Agencies That Protect Your Money
- Retirement in the Age of Cyber Scams: How to Protect Your Next Chapter
- My Beloved Husband Has Early-Stage Dementia. He Is 'Doing Well,' but How Do I Protect Our $1.6 Million Savings Right Now?
- Your Online Security: 10 Things You Should Know
