Cybercrime presents a significant risk for financial advisors, security specialists say, even as many firm leaders make customer data security a lower priority.
So low a priority, in fact, that data shows that 45 percent of U.S. financial companies have been hacked by data thieves already.
The problem? Investment companies aren’t paying attention to basics, cybersecurity experts maintain.
Service Now said in a survey on financial services institutions that nearly half have experienced a data breach. Don’t expect things to get better overnight. Service Now said that these attacks are not going away; in fact, they’ve increased in volume and severity.
“There’s been a 23 percent increase in cyberattack severity over the last 12 months,” Service Now said.
Yet financial institutions don’t seem to be taking the threat of cyber-theft as seriously as security experts advise.
In the Service Now study, 37 percent of financial services breach victims knew they were vulnerable before they were breached.
Additionally, 47 percent of financial services breach victims said they were breached due to a vulnerability for which a patch was available.
Erin Illman, an attorney and co-chair of the Cybersecurity and Privacy Practice Group at Bradley Arant Boult Cummings, knows that data breaches can put firms at risk.
“Those risks include not only the loss of time and money, but serious damage to reputation, as well.”
A Tale Of Two Outlooks
According to a 2017 online survey, conducted by the Investment Adviser Association, ACA Compliance Group, ACA Insight and Old Mutual Asset Management, 86 percent of investment advisors rank cybersecurity as the hottest compliance topic, with 76 percent of the respondents identifying an increase in the amount of testing for cybersecurity, privacy and identity theft.
“However, 20 percent of those same respondents said they did not have a stand-alone cybersecurity policy,” Illman said. “While some financial advisors are re-assessing their cybersecurity and privacy policies, implementing multi-factor authentication, flagging suspicious activity, and taking steps to address these risks, many still lag behind in investing the time and resources to appropriately address these daily cyber-threats.”
Given the nature of data that advisors handle on behalf of their clients, it makes sense that financial services companies are a top target for cyber theft, year after year.
Even with security measures in place, Salvatore J. Stolfo, a Columbia University computer science professor, says data breaches can still occur. “Advisors see large financial firms such as Equifax and JP Morgan Chase make headlines for falling victim to cyberattacks,” he said. “Regardless of a wealth management firm’s size or how much they’re spending on securing network endpoints, breaches can still occur through social engineering, phishing campaigns, and even on mobile devices.”
It’s not that advisors don’t take it seriously, Stolfo said. They’re stuck in a mindset that is focused on traditional, prevention-led security strategies.
“The problem with this prevention-centric approach is that there are no mechanisms in place to address the inevitable: sooner or later, a cybercriminal is going to penetrate your defenses and gain access to something they shouldn’t,” he said. “And too many firms invest in security that cannot properly address what happens to documents once they leave the security of the enterprise network, to third-party contractors, vendors, and partners.”
Not Acing The Basics
Robin Lee Allen, managing partner at California-based Esperance Private Equity, said that the financial services industry lacks too many of the basic security features needed to keep data safe.
“The problem is not the breaches themselves, which may be impossible to avoid, but lack of internal firewalls and encryption on the servers,” Allen said. “Internal firewalls make hacking cumbersome and time-consuming. Server encryption ensures that whatever data an intruder gets is ultimately useless.”
For example, EPE’s email requires two passwords for access, plus two-factor identification. “The server is encrypted, even to the administrator,” Allen said. “All decryption occurs locally upon login. That makes it harder for fraudsters to get into the system.”
How can investment advisory firms escape that 45 percent unprepared category? Start with these tight cybersecurity steps from Bradley Watts, a risk management specialist at Graham Company.
— Implement training and develop a response strategy. “The training should effectively teach employees to recognize social engineering and phishing threats,” Watts said. “Insurance brokers can develop a response strategy to eradicate a cyberattack as quickly as possible.”
— Implement full-disk encryption. This would protect sensitive information by converting it to a file that is difficult for bad actors to access. “Employees should never access these files on public computers or unsecured Wi-Fi networks,” Watts said.
— Get real-time safety. Download security software that automatically updates to ensure employees’ devices have real-time protection.
— Lock it up. Requiring screens to auto-lock protects employees’ devices from unauthorized users if they are left unattended.
— Require strong passwords for employees. “This may be the most common tip, but even one employee with a weak password can jeopardize a firm’s confidential information,” Watts said.
Clearly, investment advisory firms have some work to do to better secure client data. Job one is to recognize they have a problem in the first place.
Brian O’Connell is a former Wall Street bond trader, and author of the best-selling books, The 401k Millionaire and CNBC’s Guide to Creating Wealth. He’s a regular contributor to major media business platforms.
© Entire contents copyright 2018 by AdvisorNews. All rights reserved. No part of this article may be reprinted without the expressed written consent from AdvisorNews.