Last year's spectacular cybersecurity attacks are more than headline-grabbers: they are a reality check for advisors who believe they could never be the target of a hack. It is worth looking at a few of these breaches so that registered investment advisors (RIAs) can understand what it takes to prevent similar incidents from crippling their firms and devastating their clients.
J.P. Morgan And Other U.S. Financial Institutions
Described by prosecutors as the largest theft of customer data from a U.S. financial institution in history, J.P. Morgan was attacked repeatedly by the same group from 2012 to 2015, resulting in the theft of personal information tied to more than 80 million customer accounts. The same group also attacked six other major banks, Fidelity Investments, the online brokerages E*Trade and Scottrade, software companies and financial news sites such as Dow Jones, the parent company of The Wall Street Journal. The thieves made and laundered millions of dollars from these attacks through a vast online network that included fake antivirus schemes, pump-and-dump stock schemes, Internet casinos and a Bitcoin exchange.
U.S. Office Of Personnel Management
The attack on the U.S. Office of Personnel Management (OPM) is one of the biggest breaches ever of U.S. government systems: addresses, Social Security numbers, fingerprints and the health and financial details of nearly 22 million people were stolen, with the breach disclosed in the summer of 2015. The head of the agency resigned in July 2015, and its chief information officer resigned in February 2016. Though it has never been publicly confirmed, Chinese hackers are believed to be responsible.
FBI Portal Breach
In November 2015, the Law Enforcement Enterprise Portal shared by the FBI and police departments was hacked by the same cyberthieves believed responsible for breaking into CIA Director John Brennan's personal email account earlier in the year. The hackers accessed information on arrestees as well as data from the private email accounts of FBI Deputy Director Mark Giuliano and his wife. The exact numbers were not disclosed, but the attack has been characterized as one of the biggest law enforcement breaches of 2015.
Though these high-profile attacks happened at organizations that could deliver a high return on investment for the cyberthieves, it is a mistake for advisors to assume they are off the hacker radar because they are too small to be worth the effort. One RIA managing $500 million in assets may not be especially lucrative to a hacker seeking a profit on the dark web, but 100 RIAs with $500 million in assets each certainly are, and the same tools and tactics work against all of them. A single firm managing the wealth of a select number of very high-profile individuals and families is similarly attractive. As the J.P. Morgan and FBI portal attacks show, hacks are not necessarily one-time, siloed events; they may unfold over months or years before the full extent of the damage to an organization or industry is known.
These hacks underscore that when it comes to cybersecurity, what is being done today is not enough. With today's open systems and proliferation of Web-based applications, RIAs need policies and tools that can prevent, detect and respond to breaches. Regulatory compliance adds another layer of complexity for RIAs that want to lock down their systems. So if organizations with deep pockets cannot protect themselves, what is a growing RIA to do? For starters:
Encrypt and secure all email. Phishing and hijacked mailboxes remain among the most common ways attackers gain a first foothold, and the crew behind the FBI portal breach also broke into the personal email accounts of the CIA director and an FBI deputy director. The RIA's first defense is to protect all inbound and outgoing email, but encryption and filtering are different controls and the firm needs both: encryption keeps message contents confidential in transit and at rest, while mail filtering is what flags and quarantines suspicious messages before they reach a user. Because a phished password is still the easiest way into an encrypted mailbox, every mailbox should also require a second authentication factor.
Limit what employees can do and use. RIAs that permit bring-your-own-device (BYOD) policies do so at their own risk. Allowing access to work email and cloud-based systems from personal or unauthorized devices gives hackers an unsecured and unmonitored entry point into the firm: the firm cannot patch, encrypt, wipe or inspect a device it does not manage. As cyberattacks continue, RIAs will find that insisting on firm-authorized, encrypted and password-protected devices for all client and transaction activity is not just a best practice, it is sound business policy.
Use best-of-breed technology. Running outdated software may seem penny-wise, but unpatched systems are no match for the sophistication of today's malware and hacks. As part of keeping their systems current and secure, RIAs need to understand what is required to access and use data in their Web-based applications, including who holds the credentials and where the data is stored, so that it stays protected.
Have cybersecurity policies that account for growth. The goal of any RIA is profitable growth, but as firms get bigger, the threat of a breach grows as well. This is partly because a larger staff means more opportunities for someone to stray from policy. The threat also grows because bigger organizations are more likely to be in an attacker's crosshairs. As advisors scale their operations, cybersecurity policies and protocols must evolve as well: the needs of a single-office RIA with a small staff are vastly different from those of a multi-office, multi-state firm.
Monitor, monitor, monitor. The best cybersecurity protocols on paper are only as good as the monitoring done to ensure adherence. Advisors cannot rely solely on technology for prevention and monitoring; someone needs to be watching. Without ongoing review of who is accessing which systems, from which devices and when, RIAs have no assurance that their systems are secure, particularly after a breach has occurred. As the FBI portal breach shows, it can be months before the full extent of a hack plays itself out.
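The two items above, authorized devices only and ongoing monitoring, only work together if someone actually checks the sign-in records against the firm's device inventory. The following is an added example, not code from the article or from the author's company, of what that check looks like: it reads constructed sign-in audit lines (the key=value format, device IDs and managed-device list are all made up for illustration; a real firm would pull these from its email or cloud provider's audit log and its device-management inventory), reports successful logins from unmanaged devices, and reports users who have signed in from both managed and unmanaged devices, which is the usual sign of BYOD policy drift or of a stolen password.

```python
"""Flag cloud-application logins from devices the firm does not manage.

Added example, not from the original article. The log format, device IDs
and MANAGED_DEVICES inventory below are constructed for illustration.
"""
from collections import defaultdict

# Constructed device-management inventory: the only devices that should
# ever reach firm email or portfolio systems.
MANAGED_DEVICES = {"LAPTOP-0042", "LAPTOP-0077", "PHONE-0110"}

# Constructed sign-in audit log: one event per line, timestamp first,
# then key=value fields.
SAMPLE_LOG = """\
2016-03-01T09:12:03Z user=alice device=LAPTOP-0042 app=email result=success
2016-03-01T09:40:11Z user=bob device=LAPTOP-0077 app=portfolio result=success
2016-03-01T22:05:47Z user=bob device=iPhone-bob-personal app=email result=success
2016-03-02T03:14:09Z user=carol device=UNKNOWN-9f3a app=email result=failure
2016-03-02T03:15:30Z user=carol device=UNKNOWN-9f3a app=email result=success
2016-03-02T08:01:00Z user=carol device=PHONE-0110 app=portfolio result=success
"""


def parse_line(line):
    """Turn one audit line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line of the audit log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unmanaged_logins(events, managed=MANAGED_DEVICES):
    """Successful logins from devices absent from the managed inventory.

    Failed attempts are left out here: they belong in a separate
    brute-force review, not in the device-policy report."""
    return [e for e in events
            if e["result"] == "success" and e["device"] not in managed]


def users_mixing_devices(events, managed=MANAGED_DEVICES):
    """Users who succeeded from both a managed and an unmanaged device."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            seen[e["user"]].add(e["device"] in managed)
    return sorted(user for user, kinds in seen.items()
                  if kinds == {True, False})


def review(text, managed=MANAGED_DEVICES):
    """Run both checks over raw log text and return a compact report."""
    events = parse_log(text)
    return {
        "unmanaged_logins": [(e["ts"], e["user"], e["device"], e["app"])
                             for e in unmanaged_logins(events, managed)],
        "users_mixing_devices": users_mixing_devices(events, managed),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```

On the constructed sample this reports bob's late-evening email login from a personal iPhone and carol's 3 a.m. email login from an unknown device, and lists both as users mixing managed and unmanaged devices; alice, who only ever used a firm laptop, does not appear. The point is the routine, not the script: the report is only useful if someone reads it and follows up on every line.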
If there is one thing RIAs can learn from the top hacks of 2015, it is that a cybersecurity policy is only as good as its execution. Though there is not a one-size-fits-all solution to ending cyberattacks, advisors can start by executing on their current technology policies. Breaches occur when sound policy is not observed and when no one is minding the store. And as some of the world's biggest organizations can attest, execution is often harder than one might think.
Wes Stillman is CEO of RightSize Solutions, a provider of intelligent cloud technology and business management solutions for advisors. He can be reached at [email protected].