Cybercrime has already impacted millions on a personal and professional level. If you haven’t been hit yet, it may only be a matter of time.
But data security is not most advisory firms’ forte. With the spread of complex software, multiterminal networks, servers, firewalls and, of course, the cloud, it has become increasingly difficult for someone not trained in systems architecture and programming to make sense of what is needed.
At my firm, Savant Capital Management, we’ve pursued data security in a number of ways over the years. In the 1980s and 1990s, locked file cabinets and passwords on our local machines were deemed sufficient.
In 2001, we went paperless and realized we needed help, so we hired a local IT firm to work with us. It was a great partner for years, introducing us to firewalls and sophisticated virus detection and protection.
Now, advisors who do not operate in the cloud may still find a IT professional to provide cybersecurity. Just looking at your IT configuration, however, is not sufficient to address all possible threats.
IT'S DIFFERENT NOW
Over time, the landscape of potential threats evolves. Advances in technology, and changes in how firms and customers make use of it, create new vulnerabilities.
The implications of a security breach are very serious. A FINRA paper released earlier this year, “Report on Cybersecurity Practices,” identified the top three threats facing brokerage firms: hackers penetrating systems; insiders compromising firm or client data; and operational risks.
Most firms believe that the most likely threat will come from the outside. I saw this firsthand when Bank of America notified me of a security issue with my credit card because of an attack on a national merchant, and when the IRS notified one of our clients that a tax return was being rejected because someone else had already filed a fraudulent return in the client’s name.
The next-biggest perceived threat is the result of disgruntled employees like Eric Snowden making sensitive data public. Firms also fear unwitting activity by an employee might allow a malicious virus to invade their system.
What should advisors be doing to protect themselves against these inevitable challenges? If you’re not sure where to start, try the National Cybersecurity Alliance, which focuses on nontechnical education and awareness for an overview and summary of the most on important considerations.
For in-depth information, refer to the National Institute of Standards and Technology report “Framework for Improving Critical Infrastructure Cybersecurity Version 1.0.” It provides a thorough overview and detailed technical reference for every aspect of a comprehensive cybersecurity program.
You might be wondering: Can’t I just use some all-inclusive checklist to see if our systems are OK? The short answer is no.
A high-end study group, the Zero Alpha Group, comprising nine large advisories including Savant, recently reviewed proposals from a number of cybersecurity firms. It found that analyses of individual advisories are necessary, because their system architecture and level of sophistication varies significantly. The NIST report supports the idea that evaluations should be tailored to your firm.
As cybercrime became a stark reality, Savant’s senior management realized the core of our business — managing information and data — was being threatened in ways we couldn’t understand or defend against, given our limited technical expertise.
That led us to hire a chief information officer with expertise in this area. His background includes extensive experience in IT strategy, system implementation, project management and business leadership, and part of his initial work has been to review our entire technology infrastructure and data management practices.
Here’s what we’re pursuing in the way of best practices:
- Our board and senior management have been engaged and support our cybersecurity programs. These include a comprehensive set of policies, procedures and processes to manage and monitor our regulatory, legal, technical and operational requirements with regard to cybersecurity risk. Every report I’ve reviewed states that strong governance and support by senior management are necessary for a cybersecurity program to succeed.
- We develop and implement internal change controls. Here are some you might consider: limiting access privileges; complex password controls with required change intervals; upgrades to anti-malware and anti-virus software; email, spam and Web browsing content filters; intrusion detection monitoring and response software; internal training and awareness; enhanced encryption methods; software patches and upgrades; and limiting vendor access.
- We are using a number of outside firms with demonstrated expertise in several areas, including operational review and compliance, data security, and threat detection and response. The SEC and FINRA now conduct audits that consider data security. In the event of a breach, firms without appropriate policies and procedures in place may risk regulatory fines, lawsuits and could potentially forfeit their entire business. You might have E&O insurance, but have you discussed cybercrime insurance with your agent?
- We review current best cybersecurity practices published by organizations focused on this area. For example, some of the most common and significant cybersecurity threats are summarized in the SANS Institute report: “Critical Security Controls for Effective Cyber Defense.” The report discusses the “why” and “how” of implementation, and states: “The controls … prioritize and focus on a smaller number of actionable controls with high payoff, aiming for a ‘must do first’ philosophy. Since the controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action.”
- We review and update policies, procedures and responsibilities for responding to the cybersecurity incidents that we are most likely to encounter. Generally, firms may see a loss of data, corruption of data, denial of service attacks, network intrusions and malware infections. Responses include isolation, eradication and recovery plans, as well as obligatory regulatory reporting to clients and regulators. For a current take on where the regulators stand, see a recent IMCA newsletter on the cybersecurity bills pending in Congress.
It appears that upcoming laws and regulations will soon mandate much of what we’re discussing here, and you want to be on the front end of cybersecurity preparedness.
Glenn G. Kautt, CFP, EA, AIFA, is a Financial Planning columnist and vice chairman of Savant Capital Management, based in Rockford, Ill.