Close Close

Regulation and Compliance > State Regulation > NASAA

Cyberattacks on Small, Midsize Advisors Go Undetected

Your article was successfully shared with the contacts you provided.

Small and midsize advisors self-report a low incidence of cyber breaches because they don’t detect them, according to Raj Bakhru, CFA and CEO of Aponix Financial Technologists.

Responding to the preliminary results of the recently released survey by the North American Securities Administrators Association, which found that the majority of small and midsize state-registered advisors have tech or cybersecurity policies in place and that only 4.1% of the participants were aware that they had suffered a cybersecurity incident, Bakhru says that the survey results indicate “a number of misconceptions of cyber-security risks and terminology by small investment advisors, and a lack of awareness of their own cybersecurity incidents.”

The preliminary survey findings of 440 advisors found that only 1.1% of them had knowledge of theft or loss of data as a result of such a breach; the average survey respondent had only three employees.

“Firms this size generally lack the technology and sophistication to detect a cybersecurity breach,” Bakhru, whose firm provides technology and cybersecurity risk assessments to about a dozen advisors, said in an email message.

The NASAA survey found that 62% of the state-registered advisors are conducting cybersecurity risk assessments. However, Bakhru says that his firm’s experience has been that “these firms are conducting either basic network testing or self-assessment. While both actions are encouraged, firms ought to be conducting independent cybersecurity risk assessments, and the vast majority is not.”

He says the “high reported statistic” of having conducted cyber risk assessments is due to the lack of standardized terminology: “risk assessments” and “[network] vulnerability testing” or “[network] penetration testing” are often confused.

“A risk assessment covers deficiencies in documentation, processes and procedures, workflow flaws and vulnerabilities, vendor diligence, and beyond, in addition to internal and external network testing,” he says.

NASAA spokesman Bob Webster said in a email to ThinkAdvisor that “the survey was intended to increase awareness of cyber security risks and policies and procedures of state-registered IAs and to a start a dialogue about this important issue.”

Bakhru also pointed to other troubling findings in the NASAA report, including that only 44% of the advisory firms report having policies and procedures on training their staff. “Those lacking staff security training to detect forged emails are at higher risk of spear-phishing attacks,” he says.

Seventeen percent of the advisors who responded also report using free cloud services, “many of which lack enterprise data protections like encryption at rest, and therefore subject their data to unknown breaches,” Bakhru says.

Encryption at rest, he explained, is a “less commonly used form in which the data that’s stored down is encrypted. E.g. if you use files, those files are encrypted, or if you use a database, the contents of the database are encrypted. That way, if someone steals the hard drive, for example, the data can’t be read without the key to decrypt the data.” He also said the stat that 85% of the advisors do not use mobile device management is “staggering” because it means that the advisors’ “ability to protect data on lost or stolen smartphones is lacking.”

While 76% of the advisors said that they utilize online or remote backup solutions, Bakhru says that in his firm’s experience “the vast majority of these are not encrypted, subjecting the firm to data loss.”

The NASAA survey also found that 73% of the advisors do not utilize “multi-factor authentication,” Bakhru says, “meaning that a cracked, stolen or reused password subjects the firm to a cyber incident.”

Bakhru concluded that “most of these firms fail to realize that employees leaving the firm with any of the firm’s data, whether it be client data or research reports, is actually a data breach itself. Most of the firms in this space lack basic intellectual property protections for their employees.”

Indeed, Bakhru points to a recent Trend Micro study which found that 77% of employees at small and midsized companies leave their computers unattended.

The top reasons cited for data loss in the Trend Micro study were small and midsized employees’ tendency to open attachments to or click links embedded in spam, to leave their systems unattended, to not frequently change their passwords, and to visit restricted sites. This negligence puts critical business data at risk from data-stealing cybercriminals and malicious insiders, the survey says.

Check out Most State-Registered Advisors Have Tech, Cybersecurity Policies: NASAA on ThinkAdvisor.