Cybersecurity: What Financial Advisors Need to Consider
The number of data breaches is skyrocketing. In the first half of 2019 alone, there were 3,800 publicly disclosed breaches exposing 4.1 billion personal records, a 54% increase in reported breaches over the first six months of 2018. Although every industry has been affected, the volume of sensitive data and information that the financial industry stores makes it a prime target for attackers. One of the highest-profile breaches of 2019 was at Capital One, where roughly 106 million customer records were accessed by a single attacker. Financial advisors and firms need to be aware of cybersecurity risks, and need a strategy for both preventing and responding to these attacks.
The Importance of Cybersecurity
No matter the size of the firm, the sheer volume of sensitive material handled by the financial sector every day means that cybersecurity must be prioritized to protect clients. According to the FBI, cybercrime victims lost $2.7 billion in 2018 alone, but a data breach costs firms and victims more than money. Victims also lose their sense of security, and firms lose client loyalty and trust. The financial advisory business is built on that trust, so being able to assure clients that their assets and information are secure is imperative.
To ensure that financial advisors and their firms take cybersecurity seriously, the Securities and Exchange Commission (SEC) and U.S. state securities regulators are stepping up scrutiny of advisors' cybersecurity practices. Along with routine inspections, the SEC now performs cybersecurity-focused examinations, and it is bringing enforcement actions against firms that fail to keep client data safe. In September 2018, Voya Financial Advisors agreed to pay $1 million to settle SEC charges arising from a data breach that compromised customers' personal information.
The Securities Industry and Financial Markets Association (SIFMA) is also involved in cybersecurity, and has worked with financial firms and government regulators to run simulations of real cyberattacks. Independent assurance frameworks are also available to firms and their vendors, such as the System and Organization Controls (SOC) reporting framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC report is an independent auditor's attestation, not a certificate, covering a firm's administrative, technical, and physical controls over cybersecurity.
Building a Cybersecurity Strategy
Cybersecurity is not a one-time cost. To keep advisors aware of the risks and clients' data continuously protected, firms need to build, maintain, and invest in a long-term cybersecurity strategy. Key considerations for such a strategy include the following:
Continuous Training and Procedural Updates
Much of cybersecurity prevention comes down to arming staff with enough knowledge to recognize threats and understand how to deal with them. Along with any general cybersecurity certification, ensure that all financial advisors receive continuous in-house training on best practices and procedures, and on how to spot phishing and wire fraud attempts. Criminals know that human error is the easiest vulnerability to exploit and frequently attack the human element first. Unfortunately, most firms treat technology as the primary line of defense and staff training as the last. Keep all employees aware of current cybercrime trends and new breach techniques, and update firm guidelines and procedures regularly so that they keep pace with both new tools and new attacks.
Through its regular examinations, the SEC has uncovered a common and easily rectified weakness: third-party vendors are often overlooked when firms assess cybersecurity risk. Although 63% of data breaches reportedly originate from a vulnerability at a third-party vendor, only 52% of firms have formalized security practices for vendors, which makes vendor management an important area of improvement. Every new digital tool a financial advisor adopts enlarges the firm's attack surface.
Ask vendors about their cybersecurity programs, their vulnerability testing, and the protocols they follow if a data breach occurs. Technology vendors should keep client data in segregated hosted environments replicated across multiple data centers, use strong encryption and data masking, and be able to show that they regularly test and audit against security best practices. Along with these technical questions, ask about physical security controls at the vendor's offices and data centers: 24/7 security staff and video surveillance, backup power, and compliance with standards such as Uptime Institute Tier IV, SOC 2, or ISO 27001. Ask for the current SOC 2 report or ISO 27001 certificate itself rather than accepting a statement that the vendor is compliant.
Establish Electronic Communication Rules and Protocols
Phishing is one of the main causes of security breaches, and also one of the more preventable. In a phishing attack, the attacker emails a target while posing as a known sender (typically by spoofing the display name, registering a look-alike domain, or setting a Reply-To address the victim will not notice), uses personal details harvested from public profiles and websites to make the message convincing, and tricks the target into divulging credentials or other sensitive data, or, in the case of wire fraud, into sending money.
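The three sender tricks described above can be screened for automatically at the mail gateway or in a mailbox rule. The script below is an added example and not code from the original article or from the Buffalo Funds; the trusted domains (advisorfirm.example, custodian.example) and the sample messages are constructed for the example, and the similarity threshold and homoglyph table are assumptions a firm would tune against its own mail.

```python
"""Flag the sender tricks behind most phishing emails: a look-alike sender domain,
a display name that borrows a trusted brand, and a Reply-To that quietly redirects
replies elsewhere. Trusted domains and sample messages are constructed for this
example (the .example TLD is reserved and never resolves)."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains the firm and its custodian really send from.
TRUSTED_DOMAINS = {"advisorfirm.example", "custodian.example"}


def _registrable(domain: str) -> str:
    """Strip subdomains: 'mail.advisorfirm.example' -> 'advisorfirm.example'."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def _skeleton(domain: str) -> str:
    """Collapse common look-alike substitutions (0/o, 1/l, 3/e, 5/s, rn/m, vv/w) so
    'advis0rfirm.example' compares equal to 'advisorfirm.example'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is itself
    trusted or simply unrelated."""
    reg = _registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if _skeleton(reg) == _skeleton(trusted):
            return trusted  # homoglyph swap
        if difflib.SequenceMatcher(None, reg, trusted).ratio() >= 0.9:
            return trusted  # one character added, dropped or transposed
        if brand in reg.split(".")[0]:
            return trusted  # brand reused, e.g. advisorfirm-secure.example
    return None


def analyze(raw_message: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if not from_domain:
        return ["From header has no parseable address"]

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")

    # Display-name impersonation: the name carries a trusted brand, the address does not.
    squashed = display.lower().replace(" ", "")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in squashed and _registrable(from_domain) != trusted:
            findings.append(f"display name '{display}' claims {brand} but address is @{from_domain}")

    # A Reply-To on another domain diverts the victim's answer to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and _registrable(reply_domain) != _registrable(from_domain):
        findings.append(f"Reply-To @{reply_domain} differs from From @{from_domain}")
    return findings


# Constructed sample messages; only the headers matter here.
SAMPLES = {
    "legit": "From: Jane Advisor <jane@advisorfirm.example>\nSubject: Q3 review\n\nSee attached.\n",
    "lookalike": ("From: Jane Advisor <jane@advis0rfirm.example>\n"
                  "Reply-To: jane.advisor@webmail.example\n"
                  "Subject: Urgent wire for closing today\n\nPlease wire $45,000.\n"),
    "brand": ('From: "Advisorfirm Client Services" <advisorfirm.clientservices@webmail.example>\n'
              "Subject: Updated wiring instructions\n\nNew instructions attached.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", analyze(raw) or "no findings")
```

Run stand-alone, the legitimate message produces no findings, the look-alike message produces two (the homoglyph domain and the diverted Reply-To), and the brand message one. The checks are deliberately header-only so they can run before a message ever reaches an advisor; they complement, rather than replace, SPF/DKIM/DMARC enforcement on the gateway.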
Within the firm, establish rules for electronic communication and protocols for protecting clients' records, including the use of social media and remote access to email and customer information. The SEC has repeatedly observed employees storing customer information on personal laptops, which lack the security controls of firm-managed computers; this seemingly minor habit exposes client data to theft. Another measure that protects clients' data is to require two-factor authentication for clients accessing funds or information. A second factor limits account takeover even when a client's password has already been phished.
As more communication moves to mobile devices, mobile security deserves special attention. A recent report by Wandera highlighted several mobile security risks for financial services organizations. These include phishing, which financial services firms experience more often than other sectors (57% versus 42% across industries), and man-in-the-middle attacks, which occur when traffic from a device is intercepted and read, and possibly altered, before it reaches its intended recipient. Man-in-the-middle attacks frequently happen over risky hotspots and public Wi-Fi networks, so avoiding unknown networks, or using a firm-managed VPN when they cannot be avoided, is a good way to minimize this risk. Finally, a basic step that keeps data on a lost or stolen device from being read, but that 1 in 20 financial services employees skip, is enabling a lock screen.
Perform Vulnerability Tests
Once written incident response procedures are in place, regular tests of those procedures help refine and adjust processes and systems as needed. Along with the SEC's examinations, firms must perform their own consistent vulnerability testing, and be prepared to fix the problems those tests reveal. Using real-life scenarios, such as a simulated phishing campaign or a tabletop walk-through of a breach, also helps engage employees with the firm's cybersecurity protocols.
Security breaches and risks will continue to be a pressing issue in 2020 for the financial services industry. With a formal cybersecurity strategy that incorporates the factors outlined here, financial advisors and firms can be better prepared to prevent and respond to threats.
Christopher Crawford is the Director of Advisor Relationships for the Buffalo Funds. He has 10 years of experience in the financial services industry, previously holding positions at Invesco, IMA Financial Group, and Arthur J. Gallagher. At the Buffalo Funds, Christopher works with investment consultant relations, key account management, institutional distribution and client service. His main goal is to partner with advisors to bring business building ideas and provide unparalleled customer support to their business, always striving to make it easy and reliable to work with the entire Buffalo Funds investment team. Christopher received an M.B.A. from Washington University in St. Louis and a B.S.F.A. from Southern Methodist University. He also holds licenses for the Series 7, Series 63, and Series 65.