Cybersecurity: What Advisors Need to Know


J.P. Morgan. Sony. Morgan Stanley -- these are just some of the more recent high-profile victims of data breaches, which have advisors re-examining their own precautions.

Experts, however, caution that no system is impregnable.

"A couple of years ago there was this idea that if I build a big enough wall, then I can keep people out. I think you should assume that your firm could be compromised and you should understand what that means," says Karl Schimmeck, managing director of financial services operations at SIFMA.

Here are some tips and reminders about what advisors and their firms can do to better protect themselves and their clients.


Industry insiders and experts say a good starting point to strengthen security measures is to understand your firm's existing policies and what protections are already in place. Next, review fundamental security precautions.

"Don't get up and walk away from your computer when there is sensitive data there. Don't share usernames and passwords. These things should be obvious, but they should be emphasized and reemphasized as well," says Greg Vigrass, CEO and President of Foliofn Institutional, which provides advisors with client management, custodial and reporting services.

Changing passwords and usernames on a regular basis is also recommended. If you receive an email with a suspicious link or attachment, then don't click on it. Finally, if you see something questionable, then say something to others in your firm and your clients if appropriate.

"If you don't do anything about it, then you're kind of contributing to the problem," says David Lyon, advisor and CEO of Main Street Financial, a Chicago-based RIA.


Experts say that it is imperative to stay up-to-date with regard to evolving and ubiquitous threats of cybercrime.

"Years ago, you used to get spam email scams. Today [the threats] are getting more sophisticated. When in doubt, verify. Get the person on the phone if you have to," says Schimmeck.

It's also important to consult with in-house as well as third-party experts, says Schimmeck. For example, SIFMA offers a guide for best practices against insider threats. SIFMA and FINRA are also jointly hosting a conference on cybersecurity on Feb. 4 in New York.

Schimmeck says: "At the advisor level, they can also ask questions of the IT department to make sure they understand what the threats are. Are they using all the resources available?"

And just as advisors need to be mindful of security and the precautions, so do clients. Make sure they are conscientious of the same fundamental protections outlined above.

"It really becomes a multi-party responsibility. Everyone, including the client, has a responsibility in protecting that data," says Vigrass.

Schimmeck agrees, adding: "This is ultimately a team sport. The more we share with each other, the more we mitigate the threat."


A data breach can at a minimum create major headaches, and in worst-case scenarios, be devastating for firms, advisors and clients. But proper planning for such an event can mitigate many headaches.

If you or your firm has not been the victim of cybercrime, you can still learn from other examples, Schimmeck suggests.

"You don't have to think long and hard to find a couple of scenarios that you think your firm should plan for," he says.

It's equally imperative to understand both your firm's policies and the law in whichever state you or your firm may operate in, says Schimmeck. And you or your firm should know the relevant contacts at various levels of law enforcement as well as those at third-party business partners.

"If you've outsourced IT, then be prepared for how to engage with them. Talk with them ahead of time. Pre-negotiate on how you would engage on these things so that if something does happen, you understand who does what," he says.

Vigrass agrees and emphasizes the need to engage business partners as quickly as possible following a data breach.

"I think it's best to act quickly to ensure that a bad situation doesn't get worse by lack of action or hesitation," he says. "As a custodian, if we are aware that account information has been compromised, we can restrict the account and prevent things from occurring in an account. Again, it requires that you know that."

For his part, Lyon urges advisors to be forthcoming with solutions and information to clients in the event of a data breach.

"A cybersecurity breach is going to be a massive inconvenience for people. There are going to be protocols that they will need to do, like closing a bank account and opening a new one. You can provide them with a list of things that they should or can be doing in the event of a breach," he says.

Lastly, Lyon says it's best to be transparent with clients about what happened.

"The more transparent you are, the more you'll be able to operate during a crisis situation. If you are not open and honest with people, then they will ultimately find out and it's better that they find out from you than from the newspaper."
