Cybersecurity breaches: When doing nothing won't cut it
If Equifax, the National Security Agency and the Securities and Exchange Commission are all within cyberhackers' crosshairs, it is safe to assume that advisors are fair game for a potential breach, too.
Even firms that think that they are too small to matter should think again. If a cyberattack happens at the firm’s outsourced customer relationship management system partner, portfolio management vendor or custodian, and clients’ personal information is compromised, where will those clients turn first to demand an explanation?
Advisors need to act swiftly when there is a cybersecurity breach. Doing nothing is simply not an option.
Advisors can use recent headlines to reiterate their own cybersecurity policies and procedures. If news on cyberattacks prompts the firm to make internal operational or information technology adjustments, explain this to clients.
For example, advisors can remind clients what to expect in firm emails. This could mean reviewing the type of information that is and isn’t shared via email.
Just as advisors might be targets of a breach, they might also be impersonated for a phishing attack on their clients. Advisors should spell out the steps that clients should take if they receive a suspicious email or phone call from the firm.
Additionally, RIAs may decide to ask for extra identification to validate requests for transactions via telephone. They may also begin flagging large withdrawals and following up to confirm transactions are legitimate.
These changes should be communicated to clients along with a brief explanation.
Clients expect registered investment advisors to use tech partners that will facilitate the wealth management process and safeguard their personal information for the duration of the relationship. In turn, advisors should demonstrate that they have taken care in choosing vendors that place a premium on cybersecurity.
Although RIA custodians do a significant amount risk assessment of their tech providers, advisors should not lean solely on custodians as a safeguard. This is particularly true of vendors that fall outside a custodian’s tech offering and as a result, may not be vetted to the same rigorous standards.
Conducting continuing due diligence on third parties is critical.
Advisors should periodically ask their vendors the following questions: Is my data stored in the United States? How are you encrypting data in motion, at rest and in use? What information do you pass along, and is it on a need-to-know basis?
Additionally, RIAs should demand daily communication from their vendors on cybersecurity enforcement. Although it may require additional work on the vendor's part, asking to see certain reports isn’t an uncommon request.
For example, advisors should review access logs, back-up reports, change logs and system and organization control reports, as well as the results of vulnerability testing and assessments.
Although clients don’t need to be updated on every cybersecurity milestone or upgrade, advisors should know how their hired vendors are staying on top of these issues in the event of a breach or crisis.
Wealth management is as much about information protection as it is about asset management and financial planning. RIAs are entrusted to manage hard-earned assets to achieve financial goals and to protect against downside risk, and that includes managing the risk of cybertheft of fraud.
This dialogue can be part of the progression of the client-advisor relationship and can be a differentiator for the firm. While communicating with clients about the firm’s cybersecurity protocols, RIAs can also educate clients about how to behave online to keep their information safe.
Throughout these discussions, advisors can convey confidence and make suggestions without getting overly technical or becoming clients’ IT help desks.
This might mean talking about firm cybersecurity efforts and then transitioning into, “Here’s some things you may want to consider … ” or “How do you store and keep track of passwords? Here's what we do here … ” or “No one at our firm can access your account unless they are using a firm-authorized device that is heavily protected. How do you access your account with us?”
Because hacks come without warning and can go unreported by vendors for some time, it is in RIAs’ best interest to be in regular communication with clients about their cybersecurity policies and protocols.
Don’t wait until a breach to communicate with clients. By then, the message may be too little, too late.
Instead, offer cybersecurity updates as a part of the normal workflow of doing business.
A word of caution: Take care not to over-communicate on cybersecurity, either. Proactive client updates should happen throughout the year but no more than quarterly.
Given the recent headlines, RIAs should examine their cybersecurity policies and procedures to safeguard against security breaches.
Most people understand that cybersecurity management is hard. What they don’t accept is complacency, especially from the firm or individual they have entrusted to manage their investments and family wealth.
This story is part of a 30-30 series on how technology is changing your practice. It was originally published on Nov. 10.