How to keep client data safe from hackers
Clients’ financial information is a valuable commodity that is vulnerable to cyber thieves, and the sheer number of threats makes it possible that an advisory firm could come under attack.
After all, one company alone — Yahoo — discovered late last year that more than 1 billion user accounts were compromised in 2013. The U.S. Census Bureau currently puts the nation’s population at about 325 million.
“Advisers possess a repository of client names, account numbers and other data that make them high-value targets for hackers,” says Sanjiv Bawa, founder and CEO of Chi Networks, a Chicago-based IT company. “In many cases, financial advisers have documents stored on their computers that have this information.”
Eric Kies, the chief compliance officer at The Planning Center, in Moline, Illinois, says he has been surprised to learn “how sophisticated and/or persistent the cyber criminals can be, and how sophisticated the cybercrime black market has become.”
Rich Feight, CFP, founder of IAM Financial in Grand Rapids, Michigan, echoes this alarm. “I can tell from our firm’s website, my blog and my email, that there has been a huge increase in brute force attacks,” he says. “Reports from our website provider indicate 30 or 40 a month, often of foreign origin,” from cyber thieves seeking clients’ personal information.
As an example, Bawa recalls a news account of a hacker who broke into a client’s computer and obtained all the data needed to impersonate the client. “In a deceptive email,” Bawa says, “the hacker tricked the client’s financial adviser into wiring $58,000 to the hacker.”
Such incidents can damage an advisory firm’s reputation, as well as its relationships with clients, and possibly lead to expensive litigation. Moreover, the financial damage may be considerable. “The authoritative IBM/Ponemon study found that the financial sector ranks third in the per capita data breach cost,” says Bawa, behind health care and education.
Cybersecurity risks are increased by the peril of running afoul of federal and state regulators. Bawa points to remarks made in 2016 by then-SEC chairwoman Mary Jo White, who told Reuters that cybersecurity is “the biggest risk facing the financial system.”
White revealed that SEC examiners were doing sweeps of broker-dealers and investment advisers to assess their defenses against a cyberattack, a practice her successor could continue. Thus, planners can expect regulatory visits to eyeball their cybersecurity policies and procedures.
Indeed, the SEC website prominently puts its spotlight on cybersecurity. Among the listed regulations is Regulation S-P, which requires registered broker-dealers, investment companies and investment advisers to “adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.”
Failures to safeguard client data can be costly. “In one case,” says Bawa, “an investment advisory firm agreed to settle charges by the SEC that it failed to establish required cybersecurity policies in advance of a security breach that compromised customer data.”
The firm was fined $75,000 by the SEC, which said the firm violated the “safeguards rule” by failing to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information of about 100,000 individuals, including thousands of clients.
Among other rules and regulations to protect client information, Bawa points to the principles and effective practices mentioned in FINRA’s 2015 Report on Cybersecurity Practices. For example, the report states that “a sound governance framework with strong leadership is essential. Numerous firms made the point that board- and senior-level engagement on cybersecurity issues is critical to the success of firms’ cybersecurity programs.”
According to Bawa, the principles in this FINRA report are not legally binding but are intended to create a “culture of compliance” grounded in “explicit and implicit norms, practices and expected behaviors that influence how firm executives, supervisors and employees make and implement decisions in the course of conducting a firm’s business.”
Advisers may have the capability of handling cybersecurity in-house, or they may need to go outside for the necessary expertise.
“At its founding,” says Kies, “our firm hired an IT consulting firm to help manage our technology and servers. That firm, along with news in industry publications, helps us stay up to date with our technology, business continuity and cybersecurity plans.”
Other advisers report recent efforts to bolster their barriers. “After evaluating several options that other advisers have found successful, we have chosen a cybersecurity solution that meets several of our needs,” says Melissa Sotudeh, a wealth adviser and chief compliance officer at Halpern Financial in Rockville, Maryland. “Those needs include security, compliance recording and ease of use for our team. Most financial advisers face similar cybersecurity challenges, so asking others in our network was a good starting point. From there, our due diligence process helped us to select a vendor.”
For any outside vendor, Halpern Financial requires documentation of the security processes, including testing and certification or attestation. “We also have a checklist to ensure that any vendor we use has physical and cybersecurity protections up to our standards,” she says, “which include a formal risk-assessment program, third-party audits, documented information security procedures, encrypted file transmission and storage. We even ensure that the organization does background checks on its employees.”
Sotudeh’s firm ended up with a vendor she describes as “an all-in-one cloud workspace providing compliance-required document storage capability as well as cybersecurity protections and IT support.”
Elyse Foster, founding principal of Harbor Financial Group in Boulder, Colorado, reports that her firm did not hire a specific cybersecurity expert after a previous consultant retired. “However,” she adds, “when hiring our current IT consultant, experience and awareness of cybersecurity was one of the main focuses when making our decision. It was imperative to hire a consultant who has experience in the financial industry and who is aware of the growing issues facing our business.”
The new consultant, who heads an independent IT company, is on a retainer for server maintenance, according to Foster. “He watches the system for intruder alerts, possible breaches and system success at blocking the malware or other threats,” she says. “In addition, he provides other assistance, such as the installation of our new malware software, on an as-needed basis.”
Besides hiring this IT consultant, Foster’s firm has assigned a team member to be its internal expert on cybersecurity. “She is tuned into various news feeds and regular updates on this subject,” Foster says. “Then, as everyone on our staff sees articles or additional information that we think might be pertinent, we channel it through her. This team member, in turn, has professional contacts to run the information by and verify that we are covered, or help her look for other updates to keep our client and company information secure.”
With or without a designated in-house cybersecurity specialist, an outside professional can help with continuous precaution. The engagement with Halpern Financial’s consultant, for example, includes a program of educating employees about data security, with updates about new threats. “We have ongoing cybersecurity training throughout the year,” says Sotudeh. “When the workspace was implemented, all of our employees were trained to use it securely. Procedures were established to ensure the most secure usage.”
Kies says his firm has an extensive array of new procedures implemented to boost cybersecurity. On the list are better firewalls; more-advanced anti-virus, anti-malware, anti-spam email filtering and archiving; a more sophisticated backup system for its servers; better password management features and password vault implementation. “Our IT firm also provides end-user training on common mistakes,” he says.
At Harbor Financial, the result of hiring an outside expert has been a two-step process to strengthen cybersecurity. First, the firm created a list of procedures that were already in place. “They included having strong firewall protection, robust anti-viral software and spam filters,” says Foster. “We use encryption software when emailing sensitive client information, and use tokens when logging onto Schwab.”
The second step, new safeguards, includes more-extensive wire procedures and ongoing education for employees, who are reminded about taking care when opening files in suspicious emails. “In addition,” says Foster, “we have protocols for any work done remotely, we continue to move to more cloud-based software and we maintain cybersecurity insurance coverage.” As yet another precaution, Harbor Financial has separated its phone and Internet services.
“We have learned that the threats to our company are very real and need to be covered by insurance,” says Foster. “However, we were surprised that these items are not covered in a standard business policy. When we took out a cyber policy in 2015, we discovered that some policies don’t cover ransomware [malicious software that blocks access to a computer system until the victim pays]. In the event of a breach, some policies might not cover our business loss of cash, for example, even though they might cover losses in client accounts. It is hard to keep up with the risk coverage when the risk itself is rapidly changing.”
Unfortunately, those changes don’t seem to be slowing, so advisers may find themselves needing astute advice themselves in order to avoid cyber catastrophe.