It's you, dear reader, that the headline is referring to — independent advisors. From relatively humble beginnings in 1969, but with visionary leadership then (under Loren Dunton, founder of the Institute of Consumer Financial Education) and over the ensuing 47 years, independent financial advisory firms are a real force to be reckoned with in the financial services industry. That's the case even if the great majority of independent advisors don't approach anywhere near the threshold that the U.S. government holds out as the starting point of small businesses.
At the Financial Planning Association annual conference in September, Pershing Advisor Solutions CEO Mark Tibergien noted that the U.S. Small Business Administration would define any advisory firm with less than $38.5 million in annual revenue as a small business. “We are, fundamentally,” said Tibergien at the Baltimore meeting, “small businesses.” Small by the SBA's definition, but plenty big enough to be the target of cyber criminals.
In a press conference and a panel discussion at FPA's conference, a panel of experts explored the findings of an FPA-TD Ameritrade Institutional study on advisors and cybersecurity. Bryan Baas of TDAI said “not a day goes by without” a cybersecurity attempt on advisors, and that while over 80% of advisors surveyed claimed cybersecurity is a “high priority,” fewer than 50% “understand all the risks.” Baas, TDAI's director of risk oversight and control, called for more training for advisors and advisory firm staff, so that “when the alarm bells go off, they know what actions to take.” Baas also sent a reminder that “the SEC expects advisors to have robust plans to mitigate” cybersecurity risks to client data. Advisors, counseled Baas, “should take the same care to develop cyber policies as they do in building portfolios for clients.”
So why does the Securities and Exchange Commission (and FINRA and the states) care so much about how secure client data is at independent advisory firms? Dan Skiles, an FPA board member and president of Shareholders Service Group, put it well. “We used to say ‘We’re a little cottage industry; nobody will want to hack us.’” However, said Skiles (Investment Advisor's resident Technology Coach), “that cottage industry no longer exists.”
Should you think you or your firm won't be targeted and compromised, think again, said Skiles. “In cybersecurity, there are no spectators; everybody is on the playing field,” and advisors should “understand what position they should be playing and whether they are doing well” in countering the cyber threat. Continuing with the athletic comparison, Skiles pointed out that many hackers consider it “a game. There are kids overseas and in your neighborhood who think it's fun to try to break into” computer systems.
The threat isn't just to your reputation or to your clients’ personal information; it can hit your bottom line as well. A data breach, said Skiles, is “embarrassing, distracting” and then you’ll “spend a lot of money to fix it” after the fact. Even if such a breach occurs at your technology vendor, you — not your vendor — will be held accountable by regulators. The prime example: Last September, the SEC slapped a $75,000 fine on R.T. Jones Capital Equities Management for failing to have the proper cybersecurity policies and procedures in place that would have prevented a breach of the personal identifiable information (PII) of thousands of the firm's clients. That trove of clients’ PII was hosted not on R.T. Jones’ own server, but on an outsourced third party's computer.
In other words, the SEC is saying that advisory firms are businesses, not part of a cottage industry any longer, whose responsibility includes safeguarding clients’ data. Soon, the SEC will also require RIA firms to have a succession plan in place not just for the benefit of the owner-advisor and the firm's staff, but as a fiduciary duty to the firm's clients.