Recent news that Internet hackers compromised U.S. government data on 4 million current and former federal workers earlier this year is just the latest in online security breaches making headlines. Some consumers wonder if they can trust digital gatekeepers at both public and private institutions with their personal and financial data.
“There have been so many high-profile cybersecurity breaches in the news, not just in the financial services sector, but more broadly, such as with Target,” said Laura Grossman, assistant general counsel of the Investment Advisor Association (IAA).
According to a June 2014 survey by IAA, ACA Compliance Group and Old Mutual Asset Management, three-quarters of financial compliance professionals listed cybersecurity as one of the firm’s top issues in 2014 – only 14 percent feared cybersecurity issues in 2013.
“If your business is not prepared to deal with potential cyber-attacks, [then] proprietary and other key information is at risk,” said David Tittsworth, chief executive of IAA. “And all firms, regardless of size or sophistication, must deal with potential cybersecurity threats resulting from employee behavior, whether deliberate or inadvertent.”
Protecting client data in the age of identity theft, hackers and cyber-attacks is serious for all financial advisors and their firms. The cybersecurity breaches taking place in the investment industry have many financial advisors asking if they are doing all they can to keep their business and clients safe from risk. Research shows the greatest risks are from hackers and criminal insiders, while one of the most significant costs is lost business.
“We take a comprehensive approach with clients, which means we are potentially holding very sensitive data that is basically the key to our clients’ financial lives,” said Financial Planning Association President Ed Gjertsen II, who is also vice president of Mack Investment Securities. “Outside of Social Security numbers and dates of birth, we may have information on where they keep their accounts and what the account numbers are.”
Financial advisors understand that they cannot have their reputation damaged as a result of a cybersecurity breach. To safeguard that information and keep it out of the hands of predators, advisors are evaluating their internal systems and procedures. This means changing their systems and procedures to protect clients and their own firms from the rising incidence of cybersecurity breaches. The Securities and Exchange Commission has even stepped in, issuing a detailed checklist of questions of what it expects firms to provide in terms of cybersecurity protection.
“Every financial firm in the United States, and probably in the world, should spend some time reviewing [the alert],” said John Reed Stark, managing director of Stroz Friedberg, a global digital risk management firm. “It is the prism through which the SEC is viewing cybersecurity. Firms should take advantage and use this inside information to prepare for the regulatory onslaught that is clearly beginning.”
Changes being made include setting up new verification codes for business functions, such as money requests; introducing newer, safer passwords; and banning the placement of client data on laptops. Many financial advisors are also putting cybersecurity audits in place to help ensure that their company information, as well as their clients’ information, is well protected from criminals lurking online.
“The more sophisticated the hackers become, the more sophisticated the cybersecurity presentation methods have to become,” said Gjertsen.
Canon Financial Institute offers financial advisors advice when it comes to protecting against cyber attacks:
Know your data risks. What can you do to protect your clients? The first step is to assess your risks. Here are the most common in the financial services industry:
- Malware. Malware is still an incredibly popular cyber-attack tool. Hackers will find ways to install malware in your systems, from a friendly-looking link on a webpage to a phishing email. In fact, phishing has become more targeted than in years past. Instead of mass emails, hackers will home in on a few people who have what they need and make the emails look incredibly legitimate.
- Hacking. Similar to malware, many cyber criminals will use basic hacking skills to break into your systems. Sadly, many firms make this easy on them by having lax password protections and other identification methods. Sometimes, hackers find that it is as easy as walking through the door.
- Internet of Things (IoT). Unsecure cloud computing is a common concern for financial advisors. The cloud is a part of the Internet of Things, or the vast array of Internet-connected devices we have today. The IoT introduces a variety of new elements, which makes security more challenging and prone to errors.
- Employee/client mistakes. Sometimes, the greatest threat of all is an honest mistake. Employees often leave laptops, USB drives and other tech on public transit or in the parking lot. A client could leave his/her account logged on in the public library. All it takes is one slip-up to expose your business.
How to protect your clients. Understanding risk is the first part in protecting your clients. Once you accomplish this, you’ll be able to take tangible steps forward. Here is how you can protect your clients’ sensitive data:
- Think simple. Sometimes, the best course of action is to avoid storing private data online. If there’s no actual reward in hacking into your systems, you won’t be a target. Of course, this is easier said than done (you do have to store something on computers, after all), but you have options. For starters, consider keeping the bare minimum online, like contact information. The rest can be filed in an office. If you need to have data online, consider keeping it in different servers, in different accounts or computers, and in different files.
- Better authentication. Passwords are there for a reason. Even so, many firms have poor password protection, such as “Password1234.” These are easy for hackers to figure out. Instead, come up with better, multi-faceted authentication. Stronger passwords are a must, but you can add in a security question, a computer ID (you can only access the account from your computer, for example) or even biometrics, like a fingerprint or eye scan. Most importantly, don’t write your passwords down on a piece of paper and tape it to your computer monitor.
- Improved training. If you work with other financial advisors or employees in the same office, you should focus on improved training to beef up your cybersecurity. As noted previously, many breaches are the direct result of employee errors. So, train your team to have strong password protection, common sense online and an understanding of cybersecurity.
- Detailed policies. The next step you can take is to revamp your existing policies and procedures. Ask yourself how your firm responds to suspicious emails, how you manage third-party vendors, and whether your social media policy can affect cybersecurity.
Every financial advisor needs to take cybersecurity seriously. Clients may not be loyal to an advisor if your firm is attacked. After all, it hits a vulnerable place – their money. The tips above will help improve cybersecurity, but the process doesn’t end there. Financial advisors will continuously have to focus on security and implement new programs and procedures to ensure their firms’ data and client information are well protected from the next cyber attack.
Summit Brokerage Services is part of Cetera Financial Group, RCS Capital Corporation’s (NYSE: RCAP) retail investment advice platform.