Small and midsize advisors self-report a low incidence of cyber breaches because they don’t detect them, according to Raj Bakhru, CFA and CEO of Aponix Financial Technologists.
The recently released survey by the North American Securities Administrators Association found that the majority of small and midsize state-registered advisors have tech or cybersecurity policies in place, and that only 4.1% of the participants were aware that they had suffered a cybersecurity incident. Responding to those preliminary results, Bakhru says the survey results indicate “a number of misconceptions of cyber-security risks and terminology by small investment advisors, and a lack of awareness of their own cybersecurity incidents.”
The preliminary survey findings of 440 advisors found that only 1.1% of them had knowledge of theft or loss of data as a result of such a breach; the average survey respondent had only three employees.
“Firms this size generally lack the technology and sophistication to detect a cybersecurity breach,” Bakhru, whose firm provides technology and cybersecurity risk assessments to about a dozen advisors, said in an email message.
The NASAA survey found that 62% of the state-registered advisors are conducting cybersecurity risk assessments. However, Bakhru says that his firm’s experience has been that “these firms are conducting either basic network testing or self-assessment. While both actions are encouraged, firms ought to be conducting independent cybersecurity risk assessments, and the vast majority is not.”
He says the “high reported statistic” of having conducted cyber risk assessments is due to the lack of standardized terminology: “risk assessments” and “[network] vulnerability testing” or “[network] penetration testing” are often confused.
“A risk assessment covers deficiencies in documentation, processes and procedures, workflow flaws and vulnerabilities, vendor diligence, and beyond, in addition to internal and external network testing,” he says.
NASAA spokesman Bob Webster said in an email to ThinkAdvisor that “the survey was intended to increase awareness of cyber security risks and policies and procedures of state-registered IAs and to start a dialogue about this important issue.”
Bakhru also pointed to other troubling findings in the NASAA report, including that only 44% of the advisory firms report having policies and procedures on training their staff. “Those lacking staff security training to detect forged emails are at higher risk of spear-phishing attacks,” he says.