What RIAs should learn from BlackRock's data leak

Wealth management companies are collecting more data about clients than ever before, intending to transform how advisors serve clients.

But in the wake of BlackRock’s massive data leak, questions arise about how well financial services firms are securing sensitive data. With the responsibility for securing client data resting on RIAs, navigating an increasingly complicated web of partnerships between firms can be tricky for advisors, and breaches come with crippling consequences.

In BlackRock’s leak, though, advisors found themselves exposed. The fund giant inadvertently released information on thousands of financial advisors, including the names and email addresses of advisors who buy its ETFs on behalf of customers. LPL Financial was hit the hardest by the leak, with 12,000 of its advisors affected. Envestnet — which inked a partnership deal with BlackRock in November — did not release how many of its 90,000-plus advisors were affected.

Data breaches hit a record 1,579 incidents in the U.S. alone in 2017, and financial services firms accounted for 8.5% of all attacks, including banks, credit unions, credit card companies, mortgage and loan brokers and investment firms. The SEC recently released a risk alert, notifying advisors to pay closer attention to handling sensitive information regarding clients. The regulator’s Office of Compliance recommended installing mandatory cybersecurity patches to protect company devices from hacking and wiping all devices locally if they’re lost or stolen.

SEC Chairman Jay Clayton committed to increasing advisor reviews to respond to media and Congressional criticism that the agency needs to enhance industry supervision, adding cybersecurity will remain a top concern.

“Cybersecurity protection is critical to the operation of the financial markets,” the agency wrote in its 2019 examination priorities. “The impact of a successful cyber-attack may have consequences that extend beyond the firm compromised to other market participants and retail investors, who may not be well informed of these risks and consequences.” Examinations will review proper configuration of network storage devices, information security governance and retail trading information.

[Photo: Pedestrians walk with umbrellas in front of BlackRock Inc. offices in New York, April 12, 2013. Photographer: Scott Eells/Bloomberg]

The SEC’s Office of Compliance Inspections and Examinations completed 3,150 examinations in 2018, the most recent data available, a 10% increase over the prior year period. The office is expected to increase the number of firms it will examine in 2019. Compliance expert Todd Cipperman projects at least 20% of advisors will be examined this year, up from 15% in 2018.

Regulators are also handing out penalties for cyber oversight missteps. The SEC fined Voya $1 million for failing to protect customer records and to address weaknesses in its cybersecurity policy after intruders accessed the personal information of several thousand customers in September. It was the first ever action under the Identity Theft Red Flags Rule — eight years after it took effect.

RIAs need to start with the data, says Heidi Shey, principal analyst with Forrester.

“Understanding the value of data to the business and how sensitive data needs to be handled can go a long way towards building a stronger culture of data security across the company,” she says.

Elevating data awareness among the workforce can help people make better decisions about data use and handling, Shey adds. “Ask who needs access to this data and why. Limit access to those who need it to do their job, and determine the appropriate handling and protection for this data to fulfill those needs and other necessary requirements.”

For BlackRock, the problem began when an employee tried to post sales-related information to an internal CRM-related system, according to the firm, but posted it on iShares.com instead.

The spreadsheets also showed the amount of assets each advisor managed in iShares ETFs. For example, one spreadsheet categorized advisors as “dabblers” or “power users,” apparently in reference to how much of the firm’s ETFs the advisors use on behalf of retail clients. One column noted their “Club Level,” including the “Patriots Club” or “Directors Club,” according to Bloomberg, which reviewed the spreadsheets.

“Advisors are going to want to know how BlackRock is fixing this and what might still be potentially out there and at risk,” says Wes Stillman, CEO of the cloud-based cybersecurity firm RightSize Solutions.

“The inadvertent postings occurred due to human error,” a BlackRock spokeswoman says. “There was no security breach and no compromise of BlackRock systems.

“The information was industry-standard, CRM in nature, and was used by our sales teams in service of those advisors,” says the BlackRock spokeswoman. “No information about financial advisors’ end clients was included. And no sensitive personal or financial information about advisors or anyone else was included.”

The world’s largest asset manager says it determined the issue is limited in scope, after performing multiple systematic reviews of the hundreds of thousands of web pages and reports on its website, according to the spokeswoman.

“This breach is relatively minor in scale compared to some of those that have hit headlines,” says Julie Conroy, research director at Aite Group. “But certainly no less damaging to BlackRock’s relationship with its advisors.”

Although the data is mostly publicly available on FINRA BrokerCheck records, the leak may still be potentially harmful. The advisors impacted will be at heightened risk of spear phishing attacks, since their names, email addresses and employers are now likely for sale on the dark web, Conroy says.

To its credit, BlackRock has taken all the right steps to remedy the situation, says Conroy. Too often firms prolong their time in the headlines by eking out information, or poorly handling remediation to affected parties, which only prolongs the time they are in the negative spotlight, she says.

“An important thing to do post-breach is to make sure to acknowledge the full scope of the breach, apologize, and deploy controls to ensure it doesn’t happen again,” Conroy says.

Third-party vendors are also a worry for RIAs that use outsourced products, says Stillman. “The data is not in a server in a closet somewhere like it used to be,” Stillman says.

Even if they don’t understand the technology entirely, RIAs still need to trust their gut, Stillman advises. “Advisors have to depend on a third-party vendor, meaning due diligence becomes absolutely critical. If the risk level is too high, advisors have to walk away.”
