Cybersecurity is a top priority for the vast majority of financial advisors, but, troublingly, many advisors do not clearly understand the risks or how to neutralize them.
New research by the Financial Planning Association’s FPA Research and Practice Institute found that only 29% of 1,015 financial advisors it polled this summer considered themselves “fully prepared to manage and mitigate the risks associated with cybersecurity.”
Some 70% of advisor respondents said their clients were at least somewhat aware of the risks associated with data security, yet only 44% of advisors completely agreed that they fully understood cybersecurity issues and risks.
The research showed advisors were also less confident in their overall teams’ readiness to handle cybersecurity issues facing the industry.
Only 36% said their teams fully understood the issues and risks, while 26% said their teams felt confident they could manage and mitigate cybersecurity risks.
“It’s clear from the research that advisors are aware of the risk associated with cybersecurity threats, but they’re not fully confident in their ability to handle the challenges presented or even on how their firms should navigate a path forward,” Dan Skiles, president of Shareholders Service Group and a member of the FPA board of directors, said in a statement.
M&T Bank recently reported high-net-worth individuals are also at risk from cybercrime owing to their own lax security.
State of Preparedness
Firms in the FPA survey had a mixed bag of documented policies and procedures in place to deal with cybersecurity issues:
• Governance and risk assessment: 57%.
• Access rights and controls: 59%.
• Data loss prevention: 58%.
• Training: 51%.
• Vendor management: 43%.
• Incident response: 43%.
Interestingly, 1 in 10 advisors whose firms already implemented policies and procedures to prevent cybersecurity attacks said they found incident response and access rights and controls the least challenging elements of creating and implementing a cybersecurity plan.
Only 26% of advisors affirmed they were aware of all requirements from the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations guidelines.
Furthermore, a mere 17% of respondents said their teams were aware of all requirements, and 18% said they were very confident they would pass an OCIE cybersecurity examination if one were administered today.
Half of advisors reported they had spent less than $10,000 over the past 12 months on external assistance to define and implement policies and procedures. Another 23% said they had not invested in any external assistance over the past year.
Furthermore, 65% of advisors in the survey spent less than $5,000 in the past year or nothing at all on internal resources.
Minding the Gap
The survey showed that 82% of advisors whose firms did not currently have policies and procedures in place were actively working on or planned to address data loss prevention.
Three-quarters were also focusing on incident response and on governance and risk assessment.
At the same time, 40% of advisors said they had no plans to design policies and procedures around vendor management, while 39% did not plan to address gaps in access rights and controls.
As for policies and procedures around employee training, 30% of advisors did not plan to address gaps, while 20% said they were actively developing the lacking policies and procedures.
“We can’t stress enough that safeguarding your firm’s cybersecurity could be the most important business decision you make,” said Bryan Baas, director of risk oversight and control at TD Ameritrade Institutional, which sponsored the research. “Advisors should approach cybersecurity the same way they approach their client investment portfolios: you take time to understand client needs, you develop and implement a plan, and then you continually monitor, review and modify that plan based on changing priorities, environmental factors and preferences.”