Advisors are getting wise to the specter of cybercrime, but still have two huge vulnerabilities, according to Ara Aslanian, founding partner and CEO of technology consultant Inverselogic.

In particular, advisors are susceptible to hacks through their technological relationships to third-party vendors, and through phishing scams and other vulnerabilities in their emails.

“We’ve seen an increase with our clients of phishing attempts, especially around Covid-19, PPP (The Payment Protection Program) and the stimulus packages that are coming out, we’ve seen several targeted attacks through emails,” said Aslanian. “I still see a lot of advisors and accountants sending and soliciting documents in a simple e-mail, including things like financial statements, tax documents and bank accounts, instead of encrypting that email and being conscious about what data they’re working with and who it is being shared with.”

This kind of vulnerability extends to inter-office chat and file-sharing platforms, said Aslanian: if they’re not encrypted, advisors should not be sharing clients’ financial information or documents across them.

Many cloud-based platforms like Google Drive do not have significant data-loss prevention controls.

“Some advisors aren’t even vetting their cloud providers to see what is being wrapped around the data they’re sharing – is it encrypted? Is it encrypted during transition? In storage? Those are all key things the financial services community should be looking at,” he said. “What we’ve found is that a lot of firms are overlooking that. That puts the end-client at risk, and putting the end-client at risk is the same thing as putting the advisor’s reputation on the line.”

It’s important for advisors to know and understand the security steps being taken by their third-party vendors, said Aslanian.

Inverselogic has provided cybersecurity and IT consulting services to wealth and accounting firms for 25 years, said Aslanian.

Larger firms have more of a budget and have an easier time keeping abreast of changes in cybersecurity, said Aslanian, but a lot of companies who have been slow to adapt to technology, including some large ones, are still vulnerable.

“I see a lot of data going through regular email instead of being encrypted,” said Aslanian. “I see companies not using complex passwords, not implementing two-factor authorization, and not using a VPN for remote connections. That’s a gap that still needs to be filled. There are actually some smaller firms, with younger ownership and management, who are ahead of many of their larger competitors.”

The financial industry still struggles with piecemeal regulation among the states and federal regulators who have been slow to recognize the threat from cybercrime, said Aslanian.

Yet big breaches like the recent hack of Microsoft’s Office software, the Equifax hack, and the massive SolarWinds hack should serve as cautionary lessons to advisory firms: any firm, no matter how large or tech savvy, can be breached.

“It happens on a daily basis, there are a lot of zero-day hacks discovered every day, and they’re being perpetrated by bad actors who have strong financial backing,” said Aslanian. “These hacks are being conducted by bad-actor nations, actual countries, not just some kid who is in a basement trying to get into your email. We need to be vigilant.”