Published November 15, 2017
The financial industry could be the most vulnerable sector to cyber attacks, with troves of personal and financial information tied to trillions of dollars in wealth. Each day another high-profile cyber attack seems to take place somewhere in the world. Recent examples of massive breaches include Equifax, the SEC’s Edgar database, the Democratic National Committee and even the IRS. Indeed, the threat not only applies to your personal email and networks, but also to every connected device, every client interaction, and even your entire vendor supply chain and related third-party systems.
In this digital era, it’s absolutely critical to adopt the mindset that you are under constant attack. Anything less (complacency) will render you a helpless victim. Hackers are driven by an unrelenting pursuit of acquiring personally identifiable information (“PII”) and get better at it every day. Therefore, you can think of cyber risk and protection as a moving target, requiring a sustained defense.
A Cyber Attack Could Do More Damage Than You Realize
State and Federal regulators, including the SEC, FINRA, the states of Alabama, New York, California and Colorado, just to name a few, have all enacted sweeping cyber regulations to protect the investing public from cybercrime. The burden falls on the gatekeepers of PII: financial advisors, RIAs, and BDs. We can expect more evolving regulations, increased compliance costs, cyber audits, and cyber enforcement actions and fines. Financial advisors have more at stake than they realize. One can imagine the embarrassment and reputational damage your advisory firm could experience by having to disclose on your ADV that you were the target of a cyber attack resulting in a financial loss to an end client. Add to that a fine from the SEC and a client lawsuit. Robo or no robo, good luck trying to get a millennial client, or any client for that matter, after that. As for fines, once that precedent takes hold, we can expect the SEC & FINRA to exploit that new source of revenue!
While it’s safe to assume that we live in a world of perpetual fear and insecurity when it comes to cyber risk, here are five things all financial advisors need to do right now to prevent cyber attacks.
- Add a line item in your operating budget for Cyber Risk Management. Cyber threats are a moving target – hackers are constantly evolving and mastering new methods of attack. Just getting virus protection is not enough. You need a sustained cyber risk management effort. Start with $10,000 – $20,000.
- Designate a Chief Information Security Officer or “CISO”. This role is gaining much more prominence and from my research it appears to be in short supply. You may be tempted to slap that title on an employee, but the regulators are going to require that this person be duly qualified. This is why the outsourced third-party option becomes attractive. That being said, the CISO’s responsibilities include ensuring employee awareness, secure communication practices, regulatory compliance, updated policies and procedures, third party tools, disaster recovery, business continuity plans, and on and on.
- Get cyber insurance – NOW! A good place to start is by reading your E&O and business insurance policies to understand exactly how and what you are covered for. Don’t assume your current policy covers you for cyber – you may need to add a rider. Read it carefully, confirm everything with your carrier and document that you did so. It’s probably a good idea to do this once a year. Pay careful attention to exclusions, deductibles, legal support, coverage of client losses, and the costs of remediation.
- Enhance your policies and procedures to include a Cyber Risk Management Plan. I can assure you, when the regulators come knocking with a random inspection, they’ll be asking to see this document. The plan should include what tools you are using to prevent cyber theft, a plan for penetration testing, how your staff handles PII, an incident response plan (including related workflows and reporting requirements to law enforcement agencies and regulators), staff training, vendor management, etc.
- Promote a culture of cyber risk awareness with clients and employees. Prevention through training (and paranoia) is simply the strongest barrier against crime. Understanding what a phishing email attempt looks like in its various forms, or effective methods of password management and dual factor authentication are practical places to start. Employees should also be given restricted access based on their role in the firm. As for clients, they should only be communicating with advisors through secure, encrypted channels, and exercise care when sending PII.
In short, as fiduciaries in the independent space, where trust is the underpinning of our core beliefs, the stakes are high and advisors are facing potential risks they aren’t aware of or don’t understand. From my research, survey after survey reports findings that advisors are unprepared to properly deal with today’s cyber threat. Yet, the associated risks are a clear and present danger.
So, add cyber to the list of costs, risks, and operational burdens an advisor has to manage if they pursue starting or managing their own RIA. Smaller RIAs continue to feel the strain of not having economies of scale and operational leverage, and we are approaching a tipping point ripe for consolidation. But, in my analysis, advisors can retain all of their economic pride and independence by partnering with a larger firm that has greater resources, where things like cyber security are largely taken care of. That, folks, is the best business model in our industry and continues to build momentum.
Give me a call. It’s a great pleasure of mine to make new friends, network and chat about the industry. There is always something to talk about.
Thanks, and all the best,