This year has seen some of the most high profile hacking attacks in the Internet age. You would think that the near daily distribution of politicians' emails would be enough to spur firms to increase their efforts to shore up their electronic defenses.
But this has not been the case.
While a recent study by the Financial Planning Association shows that cybersecurity is a priority for the majority of financial advisors, less than 25% have made adequate investments.
Trust Your Vendors (But Verify)
Is this finding surprising? Not at all, as I recently shared with Danielle Verbrigghe from Fundfire:
Most RIAs are absolutely not prepared for the cybersecurity risks they face today, says Craig Iskowitz, founder and CEO of the Ezra Group.
"Most [of them] believe that they've got their own policies and they can handle it, which is a recipe for failure, or they just trust their vendors without really checking."
Unfortunately, that trust is unjustified. According to the 2015 report from OCIE, the majority of broker-dealers (88%) and advisors (74%) have experienced cyberattacks either directly or through their vendors.
I always recommend that my clients conduct a quick check of their vendors' security certification and audit reports. Both the Service Organization Control (SOC) and SAS 70 make good starting points. However, it helps to read through the reports to understand the scope of controls tested and the results.
With the 2015 OCIE cybersecurity examination sweep results in, it is clear that the industry has work to do when it comes to vendor vetting. Only 32% of advisors require cybersecurity risk assessments of their vendors with access to firms' networks. If not managed correctly, that approach can expose firms to considerable risk.
Achieving True Cybersecurity
Regulations can be a primary driver of change for many RIAs. However, the mindset that regulations are the bar that needs to be reached can be dangerous. Since the government is historically slow to react to market disruptions driven by technology, they should not be relied upon to provide guidance to protect your company from the latest cybersecurity threats.
[…] while most RIAs are most focused on making sure they are meeting the regulatory compliance requirements around cybersecurity, that isn't enough either, he says.
"Cybersecurity is more important than the SEC," Iskowitz says. "It's not about getting by… It's about making sure your firm doesn't end up on the front page."
I would like to correct the record: I believe cybersecurity is just as important as the SEC. In addition to the SEC, wealth advisors also have to contend with FINRA's cybersecurity rules. The key point there is that meeting minimum compliance requirements may get you a checkmark during an audit, but it won't keep your firm out of the news in case of a breach.
Password management is usually a weak link in firms' security defenses. Researchers who have analyzed the millions of hacked passwords posted on the Internet have come to the conclusion that humans are incredibly bad at creating secure passwords.
If your firm wants to go beyond checking the requirement box and use passwords as an effective first line of defense, it must create and enforce a set of password guidelines.
- Consider encouraging employees to test their passwords against common ones used by hackers.
- Using passphrases can create credentials that are easy to remember but difficult to guess.
- Ideally, each user should have a different set of log-in credentials for every program.
- If security fatigue is setting in and your staff is complaining about needing to remember too many passwords, use a password safe application like 1Password.
Focus on Your People
The article goes on to make the valid point that cybersecurity isn't just about firewalls and technology. The weakest link is often human.
When it comes to cybersecurity, many RIAs have focused on protecting data, but haven't been as good at evaluating vendor relationships or protecting against other types of attacks, says Dan Skiles, board-member of the Financial Planning Association and president of Shareholders Service Group.
"Advisors certainly have been very focused on their data, protecting their data," Skiles says. "On the flip side of that we see they have not put as much focus on third party relationships."
Fraudsters impersonating clients, identity theft and ransomware attacks are all things advisors should watch out for, Skiles says.
Skiles makes an excellent point: social engineering, such as criminals impersonating clients or employees, is a critical vulnerability for many firms. What can you do to protect your clients and your reputation?
The first step is to have the right policies and procedures in place, particularly around money movement and data access. Criminals use sophisticated techniques to get access to past correspondence and can accurately copy a client's writing style. They can even time requests to match the pre-existing spending patterns or travel schedules. Consider requiring double-verification for any financial transactions. The simple act of calling a client for a confirmation after receiving email instructions to move funds can prevent a costly problem.
The second step is to train your staff to recognize and respond to attempts at social engineering. Fraudsters are highly skilled at using fear, urgency, stress and the human desire to be liked to get employees to disclose confidential information or step over rules. Awareness training is most effective when it is a part of an ongoing effort and firm culture, not just a one-time lunch seminar.
As with all preventative controls, consider the possibility of override by senior management. Sometimes, the demands of a big client combined with time pressure can cause account managers to side-step the rules. If your firm does not have a structured way to detect and address those instances, your controls are incomplete and less effective than you think.
One final note on identity theft. Wealth advisors know that they must protect sensitive client data like names, social security numbers and account numbers. What is often left out is other data accumulated through account aggregation or collected incidentally (such as the client's mother's maiden name). To protect the entire universe of personal and confidential data, as well as trade algorithms, it is critical that firms use strong encryption.
Prepare for the Worst – and Have a Plan
Many firms fall into thinking that as long as they pass the regulatory examination, their efforts on cybersecurity are good enough. Others mistakenly believe that they are too small and unimportant to warrant attention from hackers. My recommendation is to adopt the assumption that you will get hacked or sabotaged at some point.
With that starting point, it is wise to conduct a periodic assessment of potential damage. If hackers were to get in, what data would be exposed? What is your policy for granting user access rights? The best practice is to begin with the absolute necessary minimum and revisit user access permissions annually. What is your plan in the event a rogue employee decides to steal or misuse the data? Most people like to think that they are good judges of character and that their trust in employees is well-placed. However, addiction, stress and disorder-level pathology can cause even basically decent people to commit fraud.
By thinking through those scenarios, firms can stress-test their cybersecurity plans and be assured that they have done more than simply check the box.