Advisors are getting wise to the specter of cybercrime, but still have two huge vulnerabilities, according to Ara Aslanian, founding partner and CEO of technology consultant Inverselogic.
In particular, advisors are susceptible to hacks through their technological relationships to third-party vendors, and through phishing scams and other vulnerabilities in their emails.
“We’ve seen an increase with our clients of phishing attempts, especially around Covid-19, PPP (The Payment Protection Program) and the stimulus packages that are coming out, we’ve seen several targeted attacks through emails,” said Aslanian. “I still see a lot of advisors and accountants sending and solicitng documents in a simple e-mail, including things like financial statements, tax documents and bank accounts, instead of encrypting that email and being conscious about what data they’re working with and who it is being shared with.”
This kind of vulnerability extends to inter-office chat and file-sharing platforms, said Aslanian: if they’re not encrypted, advisors should not be sharing clients’ financial information or documents across them.
Many cloud-based platforms like Google Drive do not have significant data-loss prevention controls.
“Some advisors aren’t even vetting their cloud providers to see what is being wrapped around the data they’re sharing – is it encrypted? Is it encrypted during transiton? In storage? Those are all key things the financial services community should be looking at,” he said. “What we’ve found is that a lot of firms are overlooking that. That puts the end-client at risk, and putting the end-client at risk is the same thing as putting the advisor’s reputation on the line.”
It’s important for advisors to know and understand the security steps being taken by their third-party vendors, said Aslanian.
Inverselogic has provided cybersecurity and IT consulting services to wealth and accounting firms for 25 years, said Aslanian.
Larger firms have more of a budget and have an easier time keeping abreast of changes in cybersecurity, said Aslanian, but a lot of companies who have been slow to adapt to technology, including some large ones, are still vulnerable.
“I see a lot of data going through regular email instead of being encrypted,” said Aslanian. “I see companies not using complex passwords, not implementing two-factor authorization, and not using a VPN for remote connections. That’s a gap that still needs to be filled. There are actual some smaller firms, with younger ownership and management, who are ahead of many of their larger competitors.”
The financial industry still struggles with piecemeal regulation among the states and federal regulators who have been slow to recognize the threat from cybercrime, said Aslanian.