Advisors: What's your data breach response plan?
WASHINGTON -- With the tally of high-profile data breaches seemingly growing by the day, some RIA compliance experts suggest that advisors should think in terms of how they will respond not if their practice gets hacked, but when.
Cyber attacks and data breaches come in many forms, ranging from sophisticated attacks perpetrated by highly skilled hackers to lost laptops that contain sensitive company information.
Small firms may not be as alluring a target as, say, J.P. Morgan or Fidelity, but experts warn that hackers might go after RIAs in search of a backdoor into the larger financial houses that serve as custodians, if not for the client information that advisors hold in their own systems. And the consequences of a breach can be dire.
"I think the lower you get in firm size, the challenge is the greater the impact is going to be on your firm's reputation, and the lower the resources are to deal with it," says Duane Thompson, senior policy analyst at fi360, a fiduciary training company.
Officials at the SEC have been warning that RIAs, even small shops, won't get a pass on cybersecurity.
"Just because you're small doesn't mean that you can just ignore this," says Michael Weissmann, a partner at the law firm Bingham McCutchen.
MAKE A PLAN
When considering how to respond to a cyber attack, firms should start by taking the advice they routinely provide their clients: make a plan.
"The SEC wants to know that the RIA firm's continuity plan not only addresses natural disasters and other common business disruptions, but also cybersecurity threats," the compliance consulting firm RIA in a Box says.
That plan needs to include concrete steps that a firm will take in the event of an attack, including an assessment of the extent of the breach, as well as procedures for notifying the appropriate law-enforcement authorities, third parties and clients.
"The first thing I would do if I find out I've been hacked is I would immediately alert all my clients and point out the problem and then I would hire an IT person, if you don't have someone on staff, to try to get down to the bottom of it," Thompson says, though he cautions that advisors should consider crafting their notification policy in consultation with an attorney.
"They need to be up to speed on what's going on, and I think this is an area where advisors are going to have to get some outside help," he says.
Additionally, he notes that practices should be measured in their communications with clients, taking care to ensure that they are setting reasonable expectations for how they will respond to a cyber intrusion.
"You need to have an intent of following up on what you promise," Thompson says. "You don't want to certainly over-promise or over-extend what you say you're going to do."
Many experts also believe that cyber insurance is an integral part of the response to a data breach, though they caution that advisors must read the fine print to understand the limitations of their coverage.
"It is important for investment advisors to understand how their firm is protected from an insurance standpoint should an unfortunate cybersecurity event occur," RIA in a Box says. "Unfortunately, a number of insurance policies may have insufficient liability limits and too many carve-outs that do not provide sufficient investment advisor information security liability protection."
Kenneth Corbin is a Financial Planning contributing writer in Washington.