Scottrade's data breach underscores the importance for wealth managers to make sure that they are strengthening their cyber defenses, experts say, particularly as it has become a key area of focus for regulators.
"Anyone within SEC purview is under increasing pressure to up their game when it comes to cyber awareness and protection, including wealth managers, whether online or offline," said Craig A. Newman, chairman of the privacy and data security practice at New York law firm Patterson Belknap Webb & Tyler.
Suggestions that this incident could hurt the appeal of digital advice platforms are misinformed, says Joel Bruckenstein, a Financial Planning columnist and co-creator of the Technology Tools for Today conference series and technology guides for advisors.
"Where's your money? Schwab? Fidelity? All have online access. What I've been telling advisors is your stuff is in the cloud already, get over it. Vanguard is a digital provider, Fidelity is a digital provider, Citibank is a digital provider -- tell me who's not a digital provider?"
Scottrade spokeswoman Whitney Ellis said federal authorities informed the online brokerage that hackers accessed its network sometime between late 2013 and early 2014, and targeted client names and street addresses from a database of 4.6 million clients.
"Although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, it appears that contact information was the focus of the incident," Ellis said.
"We have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident."
Newman says that how Scottrade handles the incident now will determine the extent of the reputational damage to its brand and customer retention.
"When people invest their capital, they're looking for trustworthy stalwarts of their capital, and cyber security protection is one of the things that should be on that checklist," he says. "There are plenty of examples where hackers have gotten into different asset managers, and within minutes drained tens of millions before they were detected. I would not want to be one of those asset managers."
Newman says it would be "naïve" to assume Scottrade or any digital investment platform was more vulnerable to cyber-attacks because they exist online. "Traditional wealth advisors have been hacked, it's just that many are just not under regulatory or legal obligation to make public disclosure."
Newman noted that just two weeks ago, the SEC put brokers and advisors on notice that cybersecurity remains a top priority, and the subject of an ongoing series of targeted exams.
The commission is planning to launch a second wave of exams looking at how firms are protecting their IT systems and safeguarding clients' sensitive information, the SEC's Office of Compliance Inspections and Examinations (OCIE) said in a recent risk alert.
Through the next phase of exams, the SEC intends to evaluate how firms are handling issues such as governance and risk assessment, access privileges and data protection, as well as how they are training their employees and what plans they have in place to respond in the event that they are the target of a hack. Among other areas of concern, OCIE indicates that examiners will look to see whether firms are periodically reassessing their security policies, whether company leaders or directors are involved in cybersecurity, and how firms are monitoring the flow of information beyond the firewall. These exams will build on the insights gleaned from the initial review, through which examiners visited more than 100 advisor and broker-dealer practices.
"The office is conducting a second round of cybersecurity examinations to make sure firms are properly implementing the formalized procedures and controls they should already have in place," says Justin Kapahi, technical director of the financial services practice at External IT, a cloud computing service provider.
In its risk alert, OCIE notes that some firms continue to struggle with "weaknesses in basic controls," and offers in its appendix a series of specific factors that examiners are likely to look at when they conduct a cybersecurity review, including policies on customer information and patch management, access controls, and the role of chief information security officer or an equivalent position.
The risk alert signals the continuing review of a longstanding area of concern, but the level of specificity that the SEC is applying to the issue can be read as its strongest statement yet that security is a major priority, and that no firm is small enough to get a pass.
"Cybersecurity has been a highly visible issue across the country for several years and has been a priority for the SEC for quite a long time -- this release is significant because it increases the heat," says Andrew Wels, chief compliance officer at MarketCounsel, an advisor consultancy.
"The alert takes what had been a high level regulatory concern -- the purview of the White House and big corporations -- and makes it a broader issue to any regulated entity by telling them they should be already protecting their data from cybersecurity breaches and this is now on the OCIE checklist," Wels says. "The things they are asking for in the alert are doable -- they are not asking for metaphysical safeguards to keep hackers out, but reasonable measures need to be taken. All regulated entities now need to do an assessment and make sure there are safeguards for data systems."