The battle against cyber threats is ongoing and ever-evolving. And while there is no "one-size-fits-all" answer to block every type of attack, being prepared can help firms mitigate the damage should they ever become the target of an attack. This session will look at the cybersecurity trends of 2023 and how wealth managers can protect themselves.
Transcript :
Justin Mack (00:07):
All right, everyone. Thank you so much for joining us for this Track three Session Cybersecurity Trends and Tripwires. My name is Justin Mack, WealthTech, Reporter for financial planning and host of the Financial Planning podcast, and is my honor to introduce today's panelists who are joining me for this discussion. I'm joined today by Vikram Chugh, Chief Operating Officer, Principal for Robertson Stevens, and John Cataldo, President Advisory Services and Chief Legal Officer for Integrated Wealth Concepts. Quick round of applause and appreciation for our panelists for joining us on a Tuesday. And we know that a cybersecurity, an important and complex topic and not always one, like a lot of other compliance topics that's the most comfortable to talk about because we know that if you get something wrong, there could be a lot of trouble for yourself, your firm, and most importantly the folks you want to serve. But with all this wonderful new technology that we've been talking about at Invest and everywhere else, there are more opportunities for potential attacks, potential slipups, things that maybe we should keep our eyes on, that we might lose track of as we try to rush to innovate. So with this, we know there's no one size fits all answer or approach to cybersecurity. It is very complex, it's very nuanced, and thankfully I have John and Vikram to kind of break down this topic for us today. So first things off, I just want to see where we are, the kind of the state of cybersecurity, which I always hate the state of questions because kind of big overarching. But as far as today, anything trends, new things that are kind of have your attention right now, and I have your focus as far as the work you're doing for yourself and your team. And Vikram, I'll start with you, which trends or focus areas have your attention right now on this topic?
Vikram Chugh (01:43):
So Justin, thank first and foremost, thank you for having me on this panel. Good afternoon, everyone. Today, as an industry, we produce vast amount of data. We store vast amount of data and we process this data. And as we are interacting with this data, we use vendors across the organization. We use not only our own servers, but third party vendors. We have employees at the organization that's interacting with this data. So it's critical to have policies in place that safeguard this data. And what makes this more unique to our industry is the fact that we work with clients financial sensitive financial information, as well as we have access to all kinds of PII. So with all that said, it is critical to have a good policy in place. And the few areas that we as a firm are focused on is to make sure that we have good policies and procedures in place around cloud storage, as well as making sure there are good data policies in place across the organization. Secondly, we are very focused on endpoint security. In today's hybrid environment, people are accessing this data across firm devices, across their personal devices. They're accessing it not only on the firm network, but also on their personal networks. So you need to make sure there is endpoint security in place across these devices. And last but not the least, cybersecurity starts with employees. So we are spending a lot of time training our employees across cybersecurity best practices.
Justin Mack (03:28):
Awesome, And John, same question to you. Where're your focus right now on the focus and topic of cybersecurity.
John Cataldo (03:34):
So I think that's, thank you very much, and I agree with you. I think that that's the right place to start is when you're talking about training, you're talking about endpoint security, keeping the doors locked, and I always approach cybersecurity simply as security. It doesn't matter if it's this piece of paper that's in front of me or if it's a piece of data that I can't see or touch. We have clients' data, like you said, it doesn't matter if it's on a piece of paper or electronic. We have an obligation to secure that 30, 40 years ago that security was locked doors, security cameras, the same logic is in place. All of that was implemented because they were best practices to prevent infiltrators from accessing your data. Just because it was predominantly on paper doesn't mean you had any less of an obligation. So I always try to help our internal folks understand it from the perspective of you have to lock down and protect the data that you have. It just so happens now that the balances have shifted and the vast majority of our data is electronic. And because of the internet, because of ways in that endpoint protection, people can infiltrate it from outside. Whereas if you had data on microfilm or you had data on backup tapes, they had to actually get into your building to get that. Those days are gone. So we start from that perspective. Then we always look at it as an evolving process. The criminals are running, they are running into your firewalls and they're going to try to break through them. So you have to constantly be aware of and improving your cybersecurity protection, whether it's through the endpoint, whether it is through firewalls, it's a constant race. So it's almost like continuing education. It's an ever evolving process.
Justin Mack (05:19):
Absolutely. And those are the very human aspects of how to create a strong, strong cybersecurity program and that education, that understanding that it has to be a collective effort. And I think at invests, we talk a lot about how the technology can be used to be more human, to make sure we're putting the human advice first. And it's an interesting kind of dynamic when you think about the cybersecurity or as you said, just the security question because I think about the very human reality of how we do this work. Remote work is here to stay, even as we work, go back to offices, it's not so much just work from home, it's work from anywhere. And that ability, that flexibility is really great. But I imagine it can also open the door to John, as you said, back in the day, people had to get into your building to get that stuff from you. Now, because we can work from anywhere, the ability is extended to criminals and folks who might want to target us. So how does remote work, our amazing ability to work from anywhere in the world, maybe open some cracks in the army that we would've created for our firm, otherwise?
John Cataldo (06:17):
Excellent question. So obviously it starts with the fact that you have more points of access, more points of use is going to result in more points of entry. So you need to have strong policies in place that ensure that those points of entry have data encryption that you don't res. You're not storing data locally. I actually had one person tell me about how somebody had moved to Mexico, didn't know that the advisor moved to Mexico and he had a local server in Mexico that he was storing his data on. It's like, no, no, no, no, no. Everything has to be stored off externally at our office in the United States and you could access it. He said, well, but that's slow. Sorry. That's the way it is. So it does start, like you said, with having strong policies in place and training people, helping people understand that because this is not going to be their natural forte. It's something that is very daunting when you talk about cybersecurity and all the different programs and systems and verbs and nouns that we use in that arena, that can be very confusing to people. So helping train about the importance of what it is, why it's important, and how they can protect themselves. And then the cross-checking, making sure that they have those protections in place.
Justin Mack (07:24):
Absolutely. Vikram, same question to you. Our ability to connect and really get things done from no matter where we are, that complicate things. And how are you responding to that?
Vikram Chugh (07:33):
This working from home hybrid environment has brought in a unique set of challenges for IT departments across the industry. First and foremost, people can work from anywhere. Mexico people are using their home networks to access this data. People are using public wifi, which is less secure than your work network environment. People are using personal devices to access this data. And as an organization, IT departments should incorporate all of these into their policies and make sure employees are trained on how to best use some of these policies. And it's easy to say yes, it's harder to say no. There are times when working remotely is more challenging, you know, want to download that data on your personal device. But as a good IT department, as a fiduciary to our client data, there are times when you have to say to say no. Just some of the other challenges that it brings. It's difficult. Again, there's a need for more collaboration when people are working remotely, whether you use Microsoft Teams, you use Slack. So the IT department needs to make sure that the firm's information security policies are implemented correctly across all these systems. And additionally, you want to manage and monitor that all your data is being stored in the most appropriate manner.
John Cataldo (09:09):
You touched on something that I think is really interesting and you touched on human nature. It's only human nature to want to download something or this is taking a long time, I can just download it, I can use it, I can upload it back up, or it's never going to happen to me. It's not going to be a problem. It's breaking down that human nature, that natural tendency to say it's not going to be a problem for somebody who's uneducated about this or unappreciative of the concerns that it raises. And that's part of that education training piece, but it's really that diligence of making sure that they understand why, not just not the what, but the why.
Justin Mack (09:46):
And you know what, let's stick on human nature a little bit, not just understanding why, but then getting folks in a very real way to care when at times maybe they think they shouldn't. I think about the work from home or working remotely or anything. For my home office, I work from home, it's great, but people's personal devices are still their personal devices. Say they use them for work from nine to five. At 5'O 5, they're off the clock and maybe they might get a little lax, maybe they might not do the things that they do during nine to five when they're just using their devices. And people don't think about the duality of everything. Everything that we use is cloud-based or Google shop. So if I'm using my Google account at work, great. If someone maybe slips up a little bit and gets a little lazy after work, that could create a problem. So how do we just get people to, like you said, not that understanding part, but to really take it seriously. If this is a device that you're going to use to interface with your customers and work with our organization, you've got to be vigilant 24 7 because, that's just the way it is. How do you drive that home and make people understand that on a way that's actually going to stick.
John Cataldo (10:50):
Help them appreciate the risk to them. And the risk comes in a lot of different forms for financial advisors. The risk is you're going to have a tough conversation with your client if their data is breached. You're going to have a really tough conversation with the Securities exchange Commission if their data is breached. And it's true, right? Advisors don't necessarily appreciate that. Risk employees the same thing. Understanding you have a job, you have a role, and we're asking you to do this. This is part of your job and this is what you're going to be measured on. So some degree of that as well. And then buy in from management. Management has to profess this daily in the way they act, in the way that they communicate and what they profess as the firm's important culture about it
Justin Mack (11:34):
For sure. And Vikram, we talk about that human part of it. It's naturally unfortunate. Compliance, cybersecurity, these topics have a negative connotation to them when they come up in the workplace. You know, get an email about something cyber cybersecurity related in the subject head. You think someone did something, someone's in trouble. We know that's not the case. It could be part of that component. How do you break through, let people know that this is as approachable as any other topic in our industry and make it something that maybe we can talk about with that negativity stripped away from it. And just that understanding, first and foremost.
Vikram Chugh (12:07):
Ultimately cybersecurity become begins and ends with people and with employees. No matter how hard an organization tries to protect their network, if people do not understand the importance of cybersecurity and following those practices, any best design program is going to fail. It begins with management, but it ends with employees. And there are some things that we've done in our organization which have resonated really, really well with employees. One is if there is a phishing email that an employee gets, they share it with the organization so that if somebody else receives a similar email from your CEO or CFO or from a supervisor who may not be immediately available to validate the email, how to respond. So we used to do cybersecurity trainings once a year. We've started doing those twice a year, and that's made a big difference. Every time we have new employees join the firm, we make them go through our cybersecurity program and make sure they understand our cybersecurity policies and corresponding risks. And finally, just from a cultural perspective, it's our fiduciary responsibility. It's our moral obligation to protect this data. Our clients have given us a lot of responsibility to deal with their finances as we help them manage their money, as we help them think about their life's objectives. We cannot succeed in this till we make sure we are indeed a custodian of their data.
Justin Mack (13:49):
Absolutely. Now this is trends and trip wires. We talked about a lot of the trends talk about one of the trip wires and a lot of what we've discussed is approaches to take within your organization, your firm, things where you can have, I guess a higher level of control about how things are going to play out. Let's talk about some of the people who you bring to your firm's family who you might not have that same level of control over your vendors, the folks you work with and contract with. Extremely important. It was even brought up in the case study this morning and in this morning's keynote, the fact that those are very, very close relationships. Once you announce that we're working with this person, they're as good as part of the family. So for the decision makers and for the advisors to take that hands-on approach with their technology and that kind of vendor relationship, talk to me about vendor management. How important is it to have that kind of squared away upfront? And what kind of interactions, questions should you be asking those folks as you start that relationship to make sure that your cybersecurity issues are handled? And Vikram, I'll start with you on the vendor management topic. What's the most important for that?
Vikram Chugh (14:49):
So again, in today's environment, we've work with multiple vendors to deliver our services to our clients. As we are working and as we are onboarding these vendors, most firms need to make sure that not only are they doing a full technical evaluation of the vendor that they're bringing on, but they also have a cybersecurity vendor due diligence in place. And we at Robertson, Stevens implemented this process two years ago. When we are onboarding a vendor, we want to make sure their cybersecurity policy is consistent with our needs and what we have promised to deliver to our clients. So that's kind of the starting point. And then the one drawback is that this does add time to onboard a vendor to our systems, but at the same time as a risk mitigation strategy, it's been well worth it for us as an organization.
Justin Mack (15:46):
That time investment can save even more time. If say something goes around, you don't put that time in, do that due diligence, the time or maybe money you lose on the backend is way more significant than the time you would put in upfront. John, your thoughts on the vendor management and getting to know those people that you're essentially welcoming to the family and pulling up a chair for them, right at Thanksgiving, once you sign that contract and make that big firm announcement, how do you approach that?
John Cataldo (16:09):
As long as they replace my brother at the table, they're fine. No, but it's the same logic. You start with due diligence and you have to have the right constituencies in your organization doing that due diligence. So it can't just be someone in the compliance department that is collecting all of this data, collecting SOC reports, collecting all of these things. There has to be collaboration in the cyber realm with your IT department, with your technology folks that can help you scope out the things that you need to be asking for. And then verifying, reviewing what is received in to ensure that this vendor does meet those minimum requirements. That's really an important piece of it. It can't just be scope it out once and then somebody in compliance or somebody in the department that might not have the really, the valued skillset is collecting this and looking at it on a threshold level. You have to have somebody doing a deep dive. And yes, that does take time, but it's the nature of the world today. And a lot of the larger vendors, even the smaller ones, they get that. They understand that and they have a program in place that they can provide you with that due diligence quickly. And there's another constituents who don't that we don't often talk about, but it's the clients, right? Our clients are in access. One, that we have zero control over. A common way that we see these problems are through phishing emails and things like that where somebody gets into a client's email and they send requests for money or for a wire transfer over. But educating clients about cybersecurity does help because they still are an entry point that has to be considered.
Justin Mack (17:39):
Absolutely, And then as a follow up, how hard is that? Because as we always talk about, there is just so much choice in the industry. There's new things coming out every day, there's reconfigurations of existing thing that show up and they're different and they're faster and they're better. There is so much choice. So if you are going through that process of getting to know your vendors, but you've got a million to go through, not only for the folks you're already working with. And something we also talk about is just having that conversation from time, not just doing it once at the outset, revisiting that, making sure things were still where they were the last time you checked. So once a year or multiple times a year. So with so much new choice and so much existing stuff in our stacks, how do you break that down in a way that just doesn't say, you know what, forget it. I'm going to set it and forget it. I'm going to trust my vendor. They say they've got my back, I don't have to worry about it. We don't want to fall into that trap. How you avoid it with so much choice.
John Cataldo (18:31):
So excellent question. I would say it's a little bit of both, right? You've always going to have some functions within an organization that you have longstanding relationships that because how embedded in the organization they are, how good they are, the quality of the service they provide, that they're going to be your longstanding vendors that there's probably not going to be a lot of change in. But then you also have to consider flexibility if you're in this business to provide financial services to investors. And that is an ever evolving and changing process. So you have to be able to provide them with the best in class service, whatever that your firm believes that to be. So having a look at what is out there, having some degree of open architecture is extremely important for that. But you have to do it responsibly. You have to decide, are we switching vendors? Are we adding a vendor? What does this mean? How do we roll it out and can they coexist together?
Justin Mack (19:23):
Absolutely. Same question to you.
Vikram Chugh (19:25):
Again, we are at a very interesting point as an industry in terms of our evolution. Just the amount of choice available to us or around delivering wealth management capabilities to our end clients is increased significantly. And we work with some more established vendors, some more up and coming startups. And as we are doing this and evaluating these vendors, as I said earlier, we want to make sure that they are all aduring to the cybersecurity policy that we've established as a firm and what we are committed to delivering to our clients. The one thing that we've done, again within Robertson, Stevens is our technology team works very closely with our compliance department as we are evaluating some of these providers. And for a provider to get onto our platform, they need to go through, as I said earlier, a technical evaluation as well as a complete kind of cybersecurity evaluation. And we need to confirm that it's consistent with the policies and proce procedures that we've set up. And ultimately we are in the business to deliver financial advice to our clients. We are a fiduciary to our client, and it's our job to be vigilant about this data. We need to work again as a management team, we need to work with our employees, but ultimately also want need to work with all our clients and make sure they understand why we are doing things the way we are doing them.
Justin Mack (20:56):
Absolutely. And I will open it up the to Q and A here in just a second. I want to thank both of my panelists for joining me here today. And before we open it for q and a, I'll let you think about your questions. Last thing I wanted to ask is really more of almost a philosophical question about how we think about cybersecurity. And the reason it comes to mind is as we've had this discussion and so many things you said have kind of touched on it for me, is that as a reporter, I think about how we talk about cybersecurity, how we've reported on it. In my first journalism job 15 years ago when I got into the industry, whenever a cybersecurity story would come up, it's some stock image of a guy in a hoodie on his laptop in the dark trying to hack your documents and all of that stuff.
(21:35)
This weird abstract thing that is so cliche that it's so far from reality, but I think it created something where the ability to take ownership of the cybersecurity issue in the way we've discussed it felt like it wasn't for me because I'm not going to go after hackers. There's no way I can help my organization. However, thankfully that has changed. Like you mentioned, John, it's not cybersecurity, it's just security. I think we're starting to see people within an organization see that individually they can have a huge impact on keeping their firm safe, their clients safe, taking ownership, the way they've taken ownership of things like social media or outreach or marketing or anything else. That also wasn't their job, but they took the ownership of it Slowly seeing people take that ownership and cybersecurity, how do we keep that momentum up and continue to break down that idea that cybersecurity is some guy in a hoodie hacking on his laptop and make it something real so we can really get our arms around it. Just thoughts on that education.
John Cataldo (22:29):
I think the educate your constituencies about how do people get in, who's doing the infiltration, what they can do to help. It's just like anything else. People need to understand it. If it's something, I'm not a technology expert, so my eyes glaze over when it's something very technical that we're talking about, but if it's presented to me in a way that I can understand my role and the importance of my role, I'm going to listen a lot more. So I think that's the best way to keep it top of mind in organizations.
Vikram Chugh (23:01):
I mean, we all lock our house. When we leave our house, we all have security alarms in place in our house. So the mindset around cybersecurity needs to evolve. It's not a guy in a hoodie. It's something that we all own as employees, as fiduciary to our clients. So it starts with adopting a policy. It starts with training employees and then making sure our world is moving, our industry's moving at a really fast pace. The hackers and cyber criminals are evolving as fast as technology in our space. So any cybersecurity plan that we put in place needs to be evolved to keep up with some of those trends in the marketplace. And correspondingly, we need to spend time with our employees and bring them up to speed with everything that's going on.
Justin Mack (23:51):
Fantastic. Any questions? Going once, going twice. In that case, I will return two minutes to all of you. I want to thank you all for joining us and another round of applause for Vikram Chugh. John Cataldo, my panelist today.
Track 3: Cybersecurity trends and tripwires
June 23, 2023 2:14 PM
24:08