Advisors and financial planners work in a highly regulated industry. Over the last 20 years, my annual compliance efforts and expenses have increased from a dozen hours and a few hundred dollars to dozens of hours and five figures. It’s a price I’m willing to pay to remain in an intellectually interesting, behaviorally challenging and (still) well-paid profession.
SEC and state regulators are focusing more of their attention on cybersecurity — conducting sweeps of broker-dealers and advisors to evaluate firms’ vulnerabilities. Brokers, advisors and planners are being warned to get their act together or face serious regulatory consequences. At a recent seminar, I heard compliance experts caution any of us who lacked meaningful cybersecurity protocols to get our digital act together, and quickly.
When compliance consultants run a seminar, their job is to scare us so we’ll hire them. However, this time their tactics were well-founded. The SEC is dead serious about this matter, and it should be.
I am not an expert. Outside of my own experience (17 years operating a completely digital office), I’ve spent maybe a month actively researching cybersecurity, cybercrime, cyberterrorism and all things related to this issue.
Despite that handicap, the conclusion of the experts whose papers I’ve read was unambiguous: If you are a financial professional and you are not doing everything you can to tighten up your digital security, the SEC will be the least of your problems.
Our businesses, our government and much of our personal lives rely on the existence of a healthy and robust digitally interconnected world. Yet the very real danger from cyberthreats doesn’t create the same instinctive fear response we experience with physical risk.
In addition, because we have no collective or personal memories of what it feels like to experience a digital calamity, we can’t conjure up what it would feel like. This makes it next to impossible to feel a sense of urgency.
I think that our understanding of these threats will become more tangible if we reframe them outside of their digital context and try to imagine an analogue within the physical world.
Let’s say that on an otherwise ordinary morning, you are walking down the hall to your office. As you approach the door, you notice it’s ajar. You carefully open it, and discover that your office is full of strangers.
Most of them are just sitting silently doing nothing; others are asleep on the floor. A few are in your file room stuffing account records into a large safe, while others are just rummaging through files making a complete mess of them. No one appears to notice or care that you are there.
As you look around the office there are holes in the floor, in the walls, in the ceiling — even through the window. Every once in a while you see someone climb in or out of one of these holes — and you realize there are a lot of intruders in your little office. Looking back at the front door, you notice someone changing the lock.
You snap back into reality, pull out your mobile phone and call security. Two minutes later, a security guy is standing in your office. You ask, “How long has your company been protecting our building?” He says, “Almost 10 years.”
Motioning to all the corners of your office you ask, “Then how could you guys have missed all of this?” He looks around, pauses for a moment and says, “Sir, everything here looks good. What appears to be the problem?”
In the physical world, perpetrators who attack individuals or corporate or government infrastructure can be identified, pursued and brought to justice — even (with some exceptions) if they live outside the U.S. Our ability to successfully go after an attacker is a meaningful deterrent to others who have similar objectives and is a major reason there have been so few physical incidents within our borders.
But in the digital world, someone can be rifling through our confidential records while remaining completely invisible to us. It took years before Yahoo discovered that the data of a billion of its users had been compromised; even today it still doesn’t know who did it.
Vanity Fair reported the following revelation last September: “The Pentagon has said it fends off several million attempts at cyber-intrusion every day.” Most of the attempts are amateur, but more than a few are sophisticated and clearly state-sponsored. Of course the Pentagon has access to NSA-type expertise, and it is tight-lipped about what (if any) retaliatory plans it may have.
The same elite, state-sponsored hackers that may be close to breaking into the Pentagon are also actively looking to exploit weaknesses in U.S. businesses. This is nothing new — just the digital equivalent of something that has been going on for generations.
What is unprecedented is the number and regularity of the attacks. If there were millions of physical attacks against the Pentagon each day, our national amygdala would light up, Congress would declare war on the perpetrators, and we would respond in kind and with force. But while digital attacks can lead to damages as serious as those from physical attacks, until those damages actualize, it somehow doesn’t quite feel as threatening.
Like any reasonably informed layman, I’ve followed this issue with growing interest. However, the one aspect that struck me — which I had never considered — is just how much of an advantage our attackers have over us.
The Center for Cyber & Homeland Security, a think tank at George Washington University, has explained this skewed reality in both public papers and in periodic testimony before Congress. It points out that public perception of this issue is getting in the way of a solution.
“As things now stand, however, our adversaries are acting largely without penalty and thus continue to transgress. Moreover, when an incident occurs, our tendency is to blame the victim,” the center explained. This is obviously a foolish and counter-productive response — but it sounds somewhat like the policy of the SEC.
As attackers grow in number and sophistication, the list of entities that have suffered significant losses is increasing. Recent estimates of cyberattacks’ annual costs on business range from $120 billion to $160 billion.
The experts at George Washington University concluded a recent presentation with the following sober warning: “It will only be a matter of time before an adversary successfully capitalizes on these advantages and carries out an attack that damages and disrupts critical infrastructure.”
What are we supposed to do about this state of affairs? Is Filofax going to make a huge comeback? Should we go back to paper records and land-line phones? Letter writing? Carbon paper?
I think the answer lies in what we on the West Coast know as earthquake preparedness. That is, we can’t stop it from happening; it is out of our control. But if we are prepared for the eventuality, and ready for what might be an extended recovery period, the odds of surviving a major earthquake and its aftermath are excellent.
I know Norton Internet Security is generally useless against an experienced hacker. But I also know that if I just follow good digital common-sense practices I can eliminate 99% of all potential problems — many of which would be the result of my own carelessness.
For the 1% of cyberthreats that we cannot avoid, our goal should be to survive them, by having a simple, robust and flexible plan: backing up data regularly — to different physical locations, with lots of redundancy; plus, a basic but time-tested disaster plan for the recovery period.
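Regular backups to several physical locations only help if each copy can be shown to be intact before you rely on it for a restore. The script below is an added example of that check and is not the author’s own tooling: it copies an office folder to two destinations, records a SHA-256 manifest beside each copy, and reports which copies still match the manifest. The two “sites” are ordinary directories standing in for separate physical locations (an on-site drive and an off-site disk), and the client files are constructed sample data.

```python
"""Verified, redundant backups: one copy per location, each checked
against a SHA-256 manifest before it is trusted for a restore.

Added example, not the author's own tooling. The two 'sites' are plain
directories standing in for separate physical locations; the files are
constructed sample data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each file's path (relative to source) to its SHA-256 digest."""
    return {
        str(p.relative_to(source)): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, destinations: list) -> dict:
    """Copy source into every destination and write the manifest beside each copy."""
    manifest = build_manifest(source)
    for dest in destinations:
        copy_dir = dest / "data"
        if copy_dir.exists():
            shutil.rmtree(copy_dir)
        shutil.copytree(source, copy_dir)
        (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest: Path) -> list:
    """Return the relative paths whose copy is missing or whose digest differs
    from the manifest. An empty list means this copy is intact."""
    manifest = json.loads((dest / "manifest.json").read_text())
    bad = []
    for rel, digest in manifest.items():
        p = dest / "data" / rel
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(rel)
    return bad


def intact_copies(destinations: list) -> list:
    """Destinations whose copy passed verification; restore from any of these."""
    return [d for d in destinations if not verify(d)]


def run_demo() -> dict:
    """Constructed scenario: back up two client files to two sites, silently
    alter one file at the on-site copy, and show that verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "office"
        source.mkdir()
        (source / "client_a.txt").write_text("account records for client A\n")
        (source / "client_b.txt").write_text("account records for client B\n")
        sites = [root / "site_onsite", root / "site_offsite"]
        for s in sites:
            s.mkdir()
        backup(source, sites)
        intact_before = len(intact_copies(sites))
        # Bit rot or tampering at the on-site copy; the manifest no longer matches.
        (sites[0] / "data" / "client_a.txt").write_text("account records for client X\n")
        intact_after = [d.name for d in intact_copies(sites)]
        return {
            "intact_before": intact_before,   # 2: both copies matched the manifest
            "intact_after": intact_after,     # ['site_offsite']: only the untouched copy
            "bad_onsite": verify(sites[0]),   # ['client_a.txt']: the altered file
        }


if __name__ == "__main__":
    print(run_demo())
```

The manifest is written at backup time and travels with each copy, so any later drift (disk corruption, ransomware rewriting files, a careless edit) shows up as a digest mismatch before a restore is attempted rather than after. Running `verify()` against every site on a schedule, and treating a non-empty result as an incident, is the difference between having backups and having backups you can actually recover from.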
If we can stop thinking about digital security as a compliance issue and start thinking about it as an existential one, we’ll be in the right mindset to make good choices. The result may not satisfy all the concerns the SEC will cover in your next examination, but it might allow you to actually have a business to be examined.