Smaller financial firms like private equity shops, hedge funds and M&A boutiques may be able to avoid a cybersecurity headache plaguing their larger counterparts in the financial services sector.

A new data security study discovered that websites run by some of the largest US banks scored poorest in an undercover analysis of IT security across sectors. Of particular note: 65 percent of banks are extremely vulnerable to a cyberattack, while one in four have already suffered at least one data loss incident or breach since 2016.

Banks still feel uneasy about regularly moving large sums of cash over a network of remote servers, preferring instead to maintain on-site systems under their direct control. Yet for all their time and investment, banks’ legacy systems have become fragmented and creaking with age. Experts are calling the situation an IT disaster waiting to happen.

If big banks with rich balance sheets can’t get IT right, that should concern smaller financial institutions like private equity firms, hedge funds and M&A boutiques. Many of these professionals hail from large investment banks and so tend to adopt the IT practices familiar from their old employers. What they’ll discover is that maintaining an on-site IT system is fraught with risks for a few key reasons.

Chief amongst them is the data security hole revealed by the study. JP Morgan and Citi may be experts at wealth management and corporate finance, but they’ll never match the data security prowess of Microsoft or Salesforce, companies whose reputations are built on safeguarding client data.

Second is the need to keep systems current. Banks have been reluctant to update their dusty legacy systems because of the costs and business disruption involved. But kicking the can down the road is only compounding the problem as they keep applying more layers of software and applications on the same creaking infrastructure.

A third risk missed by banks relates to the operational and human element of IT maintenance. Bankers have little time or desire for overseeing bulging IT departments. This widens the gap between what bankers need and what IT professionals deliver, to the point that, often, there is complete mistrust between IT and the business. Using an outside specialist would mean the managing partner makes one phone call to see that a problem is resolved.

The good news is that an increasing percentage of investment firms and boutique banks are waking up to the benefits of the cloud, as Navatar’s growing customer base would attest. As the new study shows, the trend means avoiding an IT problem that their institutional grandparents are currently struggling to find a solution for.