As regulators ramp up cybersecurity exams this year, advisors and brokers are racing to figure out how to address technology breaches and protect client data against growing online threats.
“Especially this year, when the SEC and FINRA released their guidelines, cybersecurity has been a heightened area of conversation,” said Neal Quon, co-founder of financial technology consultant QuonWarrene, at last week’s Technology Tools for Today (T3) conference in Dallas. “There’s a lack of a standard. It’s the minimum of what you can do today to respond to a threat. You have to be nimble to respond to every evolving threat.”
The buzz around cybersecurity at T3 came as the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations looks more closely at the quality of firms’ technical infrastructure. The SEC’s National Exam Program will continue this year with targeted information-technology exams of both broker-dealers and advisors.
Vincente Martinez, chief of the SEC’s Office of Market Intelligence, recently said the SEC is levying cyber-related actions via Regulation SP while the Financial Industry Regulatory Authority is levying actions under the SP rule as well as FINRA Rule 2010.
Registered investment advisors have a fiduciary responsibility to act prudently when it comes to cybersecurity, Quon noted. For example, he said, Charles Schwab as custodian is required to inform investors of cyber breaches, yet RIAs “from a relationship standpoint” also should take on the responsibility of keeping investors informed.
During a T3 cybersecurity session moderated by tech consultant and FPPad founder Bill Winterberg, a group of panelists talked about how already taxed and thin IT departments are now struggling to meet 28 SEC exam requests that lay out a firm’s cyber processes and procedures.
William French, vice president of risk management at Fidelity Investments, said advisory firms must educate themselves on current cyber threats and pass on that knowledge to their clients. Sophisticated phishing schemes are now targeting advisors’ clients by creating legitimate-looking requests via advisors’ email addresses and then assuming control of accounts, he said.
“We’re seeing such a focus by the fraudsters on personal email accounts,” French warned. “Advisories must be knowledgeable intermediaries and convey information to end customers.”
Guarding Against Breaches
As advisory firms review their policies and procedures, Brian Edelman, chief executive of Financial Computer Services, recommended that they assign the role of cybersecurity chief to an individual at the firm. The SEC’s cybersecurity initiative requests that advisory firms make an inventory of electronic equipment, including laptops and mobile phones, Edelman said, adding that advisory firms affiliated with a broker-dealer should learn their BD’s cyber rules.
“Never sign off on a cybersecurity questionnaire saying you are cyber-secure when you’re not sure you are,” Edelman said.
Responsibility for breach events also lies with advisory firms, said Wesley Stillman, CEO of cloud-based portal provider Right Size Solutions Inc., in a conversation after the panel.
“We had a client who did banking for the advisory company on a home computer, going against their own rules and protocol, and then they were breached,” Stillman recalled. “Every single client’s email was breached, and the firm had to contact every single client. Who do you blame for that? It’s an advisor’s error.”
Guarding against such advisor error must become part of an advisory practice, Quon said. That includes informing clients during account onboarding about cybersecurity policies, he said. “You have to practice fire drills,” Quon said. “Ask yourself: ‘Does it feel safe? Is this website suspicious?’ Have written policies and procedures around your cybersecurity. Our mantra is documentation.”
At T3, External IT, a cloud-based desktop provider that gets audited regularly to support advisors’ compliance reporting, offered these tips to help advisory firms become more cyber-secure:
1) Use email encryption. Use secure email to send private information via email with the help of providers such as McAfee or Cisco. Also, use secure file-sharing tools such as ShareFile from Citrix or OS33.
2) Secure the electronic office. Use a professionally configured firewall from providers like Cisco or Juniper. Adopt anti-virus, malware detection and removal software from vendors such as Norton or Sophos.
3) Implement strong access controls. Grant access on a business “need to know” basis. Require strong passwords, changed frequently and using two-factor authentication. Use tools such as those provided by password managers RSA, Symantec or OS33.
4) Always back up data. Have a comprehensive, dependable backup system. Consider cloud file storage via providers like Mozy, Carbonite, EVault or OS33.
See these related ThinkAdvisor stories: