The number of data breaches is rising fast. In the first half of 2019 alone there were about 3,800 publicly disclosed breaches exposing 4.1 billion personal records, a 54% increase in reported breaches over the first six months of 2018. Every industry has been affected, but the volume of sensitive data the financial industry holds makes it a prime target for attackers. One of the most high-profile breaches of 2019 was at Capital One, where an attacker accessed the records of roughly 106 million customers and applicants. Financial advisors and their firms need to understand these risks and have a strategy in place before an attack happens, not after.
The Importance of Cybersecurity
No matter the size of the firm, the sheer volume of sensitive material the financial sector handles every day means cybersecurity must be a priority. According to the FBI, cybercrime victims reported losses of $2.7 billion in 2018, but a breach costs firms and their clients more than money: it costs them their sense of security, and with it client loyalty and trust. The financial advisory business is built on trust, so being able to show clients that their assets and information are protected is essential.
To make sure financial advisors and their firms take cybersecurity seriously, the Securities and Exchange Commission and state securities regulators have started scrutinizing advisors' cybersecurity practices. Alongside its regular inspections, the SEC now conducts dedicated cybersecurity examinations, and it brings enforcement actions against firms that fail to keep client data safe. In September 2018, Voya Financial Advisors agreed to pay a $1 million penalty to settle SEC charges stemming from an intrusion that exposed customers' personal information.
The Securities Industry and Financial Markets Association (SIFMA) is also involved, and has worked with financial firms and government regulators to run simulations of realistic cyberattacks against the industry (its Quantum Dawn exercises). Independent attestation of a firm's controls is also available, most commonly through the System and Organization Controls (SOC) reporting framework developed by the American Institute of Certified Public Accountants. A SOC 2 report, issued by an independent auditor, evaluates a firm's administrative, technical and physical controls over the security of the systems that handle client data.
Building a Cybersecurity Strategy
Cybersecurity is not a one-time cost. To keep advisors aware of the risks and clients' data continuously protected, firms need to build, maintain and invest in a long-term cybersecurity strategy. Key considerations include the following:
Continuous Training and Procedural Updates
Much of cybersecurity prevention comes down to giving staff enough knowledge to recognize threats and know how to respond. Beyond general certification, make sure every advisor receives ongoing in-house training on the firm's procedures and on how to spot phishing and wire-fraud attempts. Criminals know that people make mistakes and frequently attack the human element first, yet most firms treat technology as the primary line of defense and staff training as the last. Keep all employees informed about current attack and data-breach techniques, and update firm guidelines and processes as the technology and the threats change.
Vendor Reviews
Through its inspections and tests, the SEC has found a common and easily rectified weakness: third-party vendors are often overlooked when firms assess their cybersecurity exposure. Although industry surveys suggest that roughly 63% of data breaches originate with a third-party vendor, only about 52% of firms have formal security requirements for their vendors, which makes vendor management an important area for improvement. Every new digital tool an advisor adopts widens the firm's attack surface.
Ask vendors about their security program, their vulnerability testing and the protocols they follow if a breach occurs. Technology vendors should keep each client's hosted environment separate, replicate it across multiple data centers, use strong encryption and data masking, and be able to show that they regularly test and audit against recognized security standards. Alongside these technical questions, ask about physical security at the vendor's offices and data centers: 24/7 staffing and video surveillance, backup power, and data center certification to standards such as Uptime Institute Tier IV, SOC 2 or ISO 27001.
Establish Electronic Communication Rules and Protocols
Phishing is one of the main causes of security breaches, and also one of the more preventable. In a phishing attack, the attacker sends email that appears to come from a sender the target knows, often personalized with details pulled from public profiles and websites, and tricks the target into divulging credentials or sensitive data, or into sending money.
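The "appears to come from a known sender" part of that description is where mail-handling controls can catch phishing before a person has to. The script below is an added example, not part of the original article or any vendor's product: it applies four common header and content heuristics (a display name that is itself an address at another domain, a lookalike or brand-abusing sender domain, a Reply-To that diverts replies elsewhere, and wire-fraud pressure language) to a handful of constructed messages. The firm domain examplefirm.com, the homoglyph table, the phrase list and all sample addresses are assumptions made up for the example.

```python
"""Heuristic checks for spoofed or lookalike senders in email headers."""
import difflib
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Domains the firm legitimately sends from (constructed for this example).
TRUSTED_DOMAINS = {"examplefirm.com"}

# Digits attackers substitute for visually similar letters (examp1efirm.com).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# Language typical of wire-fraud pretexts (constructed list).
PRESSURE_PHRASES = ("wire", "urgent", "immediately", "confidential", "new account")

# Constructed sample messages; none of these addresses or people are real.
SAMPLES = {
    "legit": (
        "From: Alice Advisor <alice@examplefirm.com>\n"
        "To: bob@examplefirm.com\nSubject: Q3 review notes\n\n"
        "Notes from this morning's meeting are in the shared folder.\n"),
    "display_name_spoof": (
        'From: "alice@examplefirm.com" <mallory@attacker.example>\n'
        "To: bob@examplefirm.com\nSubject: Client wire\n\n"
        "Please wire the funds immediately and keep this confidential.\n"),
    "lookalike_domain": (
        "From: Alice Advisor <alice@examp1efirm.com>\n"
        "To: bob@examplefirm.com\nSubject: Updated instructions\n\n"
        "The client opened a new account; see the attached instructions.\n"),
    "reply_to_hijack": (
        "From: Alice Advisor <alice@examplefirm.com>\n"
        "Reply-To: alice.advisor@examplefirm-secure.com\n"
        "To: bob@examplefirm.com\nSubject: Re: statement\n\n"
        "Reply with the account details when you get a chance.\n"),
}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def normalize(domain: str) -> str:
    """Undo common homoglyph tricks so lookalikes collapse onto the real domain."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def looks_like(domain: str, trusted: set) -> Optional[str]:
    """Return the trusted domain that `domain` impersonates, or None."""
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == t:                            # examp1efirm.com
            return t
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85:
            return t                                          # examplefrim.com
        if t.split(".")[0] in domain:                         # examplefirm-secure.com
            return t
    return None


def plain_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")


def analyze(raw: str) -> List[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. The display name is itself an address at a different domain.
    if "@" in display and domain_of(display) != from_dom:
        findings.append(f"display name claims {domain_of(display)} but address is {from_dom}")

    # 2. The sender domain is a lookalike of, or abuses the brand of, a trusted domain.
    target = looks_like(from_dom, TRUSTED_DOMAINS)
    if target:
        findings.append(f"sender domain {from_dom} resembles trusted {target}")

    # 3. Replies are silently redirected to another domain.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Two or more wire-fraud pressure phrases appear in the body.
    hits = [p for p in PRESSURE_PHRASES if p in plain_text(msg).lower()]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return findings
```

Running `analyze` over the four samples flags everything except the legitimate message; the spoofed display name raises two findings because the body also carries wire-fraud pressure language. Heuristics like these complement, rather than replace, SPF, DKIM and DMARC checks, which validate the sending domain but say nothing about a registered lookalike domain or a misleading display name.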
Within the firm, establish rules for electronic communication and protocols for protecting client records, covering the use of social media and remote access to email and customer information. The SEC has repeatedly observed employees storing customer information on personal laptops that lack the security controls of company-managed computers; this seemingly small lapse exposes client data to theft. Another protective measure is to require two-factor authentication for clients who want to access funds or information, so that a stolen or guessed password alone is not enough to take over an account.