Hacking Attacks Shift Security Paradigm for Broker-Dealers and RIAs
Officials at the Pentagon and the military community have expressed outrage at the recent hacking of the U.S. government’s Office of Personnel Management (OPM). This cyber-theft, which has been attributed to China, may have resulted in the theft of sensitive, personal data for millions of service members and civilians who applied for security clearances over the past decade or more.
This incident is only the latest in what seems like a never-ending series of cyber-security failures that have hit firms in almost every industry including retail (Target), healthcare (CareFirst) and financial services (Morgan Stanley).
Broker-dealers and RIA’s must change their way of thinking about cybersecurity, especially regarding potential impact to clients. It is only a matter of time before a data breach results in serious financial losses for the clients of a broker-dealer or RIA.
While experts say that it is almost impossible to make yourself 100% secure, increasing your preparedness will certainly reduce the risk that your firm becomes a victim.
This is even more serious in light of the pervasiveness of hacking attacks against wealth management firms.
Cyberattacks Have Become Ubiquitous “Hackers are becoming more sophisticated in conjuring up new ways to hijack your system by exploiting technical vulnerabilities or human nature.“
— Kevin Mitnick, former hacker turned cybersecurity expert
The SEC recently published the results of an examination of 57 broker-dealers and 49 registered investment advisors (RIA’s) to assess their vulnerability to cyber-attacks. Perhaps the most startling finding was how many of the broker-dealers (88%) and RIA’s (74%) acknowledged having experienced cyberattacks, either directly or through one of their vendors.
Sending client information out via unencrypted email is one of the ways that nefarious criminals can steal key pieces of information they need to commit cyber fraud. Justin Kam of National Compliance Services says “Either don’t send private information over email, or consider encrypting the information.” Advisors should use a secure portal that encrypts emails to avoid these potential leaks.
Written Security Policies Are A Must While large percentages of broker-dealers (93%) and RIA‘s (83%) have written cybersecurity policies, only a few (30% for b/d’s, 13% for RIA’s) include a methodology for determining their responsibility for client losses and even fewer (15% for b/d’s, 9% for RIA’s) offer specific security guarantees to protect clients against such losses.
Will there come a time when wealth management firms have to provide the same guarantees against criminal loss as credit card companies?
If so, then they will need cyber risk insurance, a new category of insurance for business owners that covers expenses associated with data breaches, as explained by Lindsay Baker from Commonwealth Independent Advisor.
Baker stated that a well-designed cyber risk policy should cover costs for:
- Forensic investigations to determine what data was exposed and who must be notified
- Credit monitoring services for impacted clients
- Hiring a public relations expert to help repair your business’s reputation
While many of the recent headlines have concerned attacks or breaches from outside sources, firms should not ignore internal breaches resulting from employees accessing data without authorization or otherwise misappropriating or misusing data. Attention must be given to protecting systems from external threats, but it is still important to guard against the many instances of internal breaches.
Technology can be leveraged to help monitor a firm’s internal users. According to Everett James (E.J.) Sutherland, Chief Information Officer of Commonwealth Financial Network, they are investing in big data, including what Sutherland refers to as “intelligent Google-like predictive analytics” that can find anomalous patterns that identify cyberthreats and rogue employees.
FINRA’s new report reveals that according to both FINRA’s 2014 sweep and a 2011 survey of firms, broker-dealers identified the top three cyberthreats as:
- hackers penetrating firm systems;
- insiders compromising firm or client data; and
- operational risks.
“We don’t want to be one of those names in the news if we can avoid it,” stated Ryan Reineke, COO at Cambridge Investment Research. “Even using the best techniques, there’s always opportunities [for hackers] to find a hole.”
The Shifting Security Paradigm
Broker-dealers and RIA’s used to feel safe from cyberattack when hackers mainly targeted government sites or global corporations. Now with automated hacker toolkits available to anyone for download, the number of potential attackers has increased exponentially, along with their list of wealthy targets.
The paradigm has shifted from one of complacency to one of vigilance and oversight. Regulators have made it clear that cyber-defense must be part of a firm’s standard operating procedures and they will soon be cracking down on broker-dealers or advisory firms that neglect it.
Benjamin Franklin’s words on security were spoken over two hundred years ago, yet they still ring true today. Distrust and caution should be translated as “trust but verify” regarding any client data connected to or transmitted via the Internet. Times may have changed, but it is not too late for wealth management firms to raise their shields and protect themselves with the latest cyber technology and best practices. Ben would have wanted it that way.
Craig Iskowitz is CEO and founder of Ezra Group, LLC, located in East Brunswick, NJ. Ezra Group is a management consulting firm providing advice to the financial services industry on business and technology strategy, software development, and marketing.