Are you confident that clients’ data are walled off behind sufficient cyber protections?
If most advisors answered honestly, they would say no, says Brian Edelman, founder of cybersecurity consulting firm Financial Computer Services in Bloomfield, New Jersey.
“What we’ve noticed is, nobody does this,” he says, based on his encounters with firms that have been operating without adequate cyber defenses for years.
Advisors have become accustomed to outsourcing general technology support and compliance functions.
But firms rarely elevate cybersecurity to the same level of importance, in terms of both budgeting and strategic planning, Edelman says.
His clients, which range from single-advisor registered investment advisors to custodians and broker-dealers, retain Financial Computer Services to keep an array of cyber protections functioning and up-to-date.
If the fear of hackers themselves isn’t enough to persuade advisors to shore up their cyber moats, they should realize that they can be held liable if they aren’t in compliance with their own state’s so-called safeguards provisions, Edelman says.
He offers the following list of six basic protections that most advisors need in place to comply with each state’s rules:
1. Whole-disc encryption. If advisors lose a laptop or desktop computer through accident or theft, this feature lets them remotely lock hard discs on those machines to render the data on them irretrievable. Although it is a feature of many computer systems, Edelman encourages getting professional help. “Not that you can’t do it yourself, but it’s just not as easy as pushing a button,” he says. Information technology security companies, such as Sophos and Symantec, sell disc encryption products. Edelman’s firm uses one by Sophos called SafeGuard. But it also manages the operation of whatever product an advisor’s broker-dealer or parent company uses.
2. Secure messaging. Email encryption protects privacy both while a message is in transit and after it has been received. “Most of the time, we find that the BD or the financial institution who the BD is related to is offering it, but the advisor isn’t using it,” Edelman says. “The key is not to replace anything that’s there, but to have a full toolset.” Secure messaging is a candidate for the single most important cyber protection, in Edelman’s view.
3. Cyber monitor. This software tool watches over a computer or network and notifies users if there has been a breach. “There are a lot of commercial products that vendors might use,” Edelman says. However, “when you get to this level of cybersecurity, the names are not as familiar,” he says. “These are typically things not purchased by a consumer. They are usually purchased through a vendor.”
4. Managed antivirus program. Computer viruses often go unnoticed. This software defends against them. Companies can take on viruses not just through email but by misspelling a domain name and landing at the wrong website, Edelman says.
5. Corporate firewall. Many firms are only using standard firewalls that are provided by their cable providers, Edelman says. “That’s not going to cut it,” he says, when it comes to staying in compliance with regulatory safeguard provisions.
6. Multi-factor authentication. By now, most people are familiar with this security tool: When you log into your email or other password-protected account, you also have to enter a code retrieved from your mobile phone to complete the process. “This is the new player in this place [though] it’s been around for a while,” Edelman says. New York State’s influential regulator, the Department of Financial Services, cites the high importance of this safeguard, he says.
These tools, which are evolving as rapidly as hackers’ strategies, are meant to operate together, Edelman says.
“With the absence of any of them, you are putting data at risk,” he says.
On March 1, the state of New York upgraded its own security rules. As a result, Edelman expects other states to follow suit and tighten their own, upping the ante over this issue for advisors.
Advisors tend to be most keenly aware of the value of strong cyber protections when they face a real security threat.
For example, if you lose a laptop and can prove to regulators that it was covered by whole-disc encryption, “there’s no breach event,” or loss of control over client data for any period of time, Edelman says.
If an advisor can’t prove that the data was protected, he or she must report the breach event to regulators and potentially suffer damaging consequences, he says.
“It’s just that black and white,” Edelman says.
This story is part of a 30-30 series on how technology is changing your practice. It was originally published on Sept. 28.