“We’ve found that when presenting training in context of the home computer and personal devices, it resonates much better,” Watanabe says. “They’re thinking about their own activities and using their personal devices on a daily basis.”

Financial firms are behind in implementing and updating their data protection, disaster recovery and business continuity plans, Attias says.

“It’s more than making sure that you have a backup for your systems or that information is stored in a secondary location,” Attias says. “Data protection means that you’re making sure information isn’t being misused or accessed by the wrong people. People everywhere are transferring information that they shouldn’t be transferring via email or attachments. The SEC wants to see a sectioning off of certain classes of data. Firms are going to have to monitor e-mails and track the way files are shared.”

Third-party software and technology vendors are also an area of concern, says Attias: they must be properly vetted, both for their background and to confirm that they are using technology that is secure and up to date. Regulators may examine a firm’s vendor relationships, Attias says.

“We’re at the point where financial services IT providers are going to have to have some sort of certification that they have done their due diligence in compliance and security,” Attias says. “Really, not just the IT providers, but the application providers, the janitorial service providers, the painters — to some extent, everyone should be vetted, and there has to be some plan to separate them from the client data.”

Regulators are prepared to enforce these expectations. In September, the SEC fined St. Louis-based registered investment advisor R.T. Jones & Co. $75,000 for a breach that exposed private information of around 100,000 individuals, after it was found to have lax cybersecurity oversight.

“That case was a game changer,” Watanabe says. “After the case, RT Jones Capital suggested that firms need to have specific cybersecurity procedures, a response plan, oversight and review. That took the SEC’s language from guidance to mandate.”

Like financial technology, cybersecurity solutions are also rather young and fragmented, which can lead to vulnerabilities as disparate pieces of software and hardware like firewalls, malware and virus detection, and multi-factor user identification are used in conjunction without being centrally planned and implemented.

“This is all kind of new territory for advisors, they aren’t in the security or compliance business,” Attias says. “Tech is evolving very rapidly, there are more types of devices, and in response firms are locking things down. They’re limiting the applications and devices their employees are using because that’s the path of least resistance. That’s not a good solution because younger clients and advisors want to access the technology. IT providers, ideally, are all about unlocking the potential of advisors through technology in a secure and controlled manner.”
