Advisors and financial planners work in a highly regulated industry. Over the last 20 years, my annual compliance efforts and expenses have increased from a dozen hours and a few hundred dollars to dozens of hours and five figures. It’s a price I’m willing to pay to remain in an intellectually interesting, behaviorally challenging and (still) well-paid profession.
SEC and state regulators are focusing more of their attention on cybersecurity — conducting sweeps of broker-dealers and advisors to evaluate firms’ vulnerabilities. Brokers, advisors and planners are being warned to get their act together or face serious regulatory consequences. At a recent seminar, I heard compliance experts caution any of us who lacked meaningful cybersecurity protocols to get our digital act together, and quickly.
When compliance consultants run a seminar, their job is to scare us so we’ll hire them. However, this time their tactics were well-founded. The SEC is dead serious about this matter, and it should be.
I am not an expert. Outside of my own experience (17 years operating a completely digital office), I’ve spent maybe a month actively researching cybersecurity, cybercrime, cyberterrorism and all things related to this issue.
Despite that handicap, the conclusion of the experts whose papers I’ve read was unambiguous: If you are a financial professional and you are not doing everything you can to tighten up your digital security, the SEC will be the least of your problems.
Our businesses, our government and much of our personal lives rely on the existence of a healthy and robust digitally interconnected world. Yet the very real danger from cyberthreats doesn’t create the same instinctive fear response we experience with physical risk.
In addition, because we have no collective or personal memories of what it feels like to experience a digital calamity, we can’t conjure up what it would feel like. This makes it next to impossible to feel a sense of urgency.
I think that our understanding of these threats will become more tangible if we reframe them outside of their digital context and try to imagine an analogue within the physical world.
Let’s say that on an otherwise ordinary morning, you are walking down the hall to your office. As you approach the door, you notice it’s ajar. You carefully open it, and discover that your office is full of strangers.
Most of them are just sitting silently doing nothing; others are asleep on the floor. A few are in your file room stuffing account records into a large safe, while others are just rummaging through files making a complete mess of them. No one appears to notice or care that you are there.
As you look around the office there are holes in the floor, in the walls, on the ceiling — even through the window. Every once in a while you see someone climb in or out of one of these holes — and you realize there are a lot of intruders in your little office. Looking back at the front door, you notice someone changing the lock.
You snap back into reality, pull out your mobile phone and call security. Two minutes later, a security guy is standing in your office. You ask, “How long has your company been protecting our building?” He says, “Almost 10 years.”
Motioning to all the corners of your office you ask, “Then how could you guys have missed all of this?” He looks around, pauses for a moment, and says, “Sir, everything here looks good. What appears to be the problem?”
In the physical world, perpetrators who attack individuals or corporate or government infrastructure can be identified, pursued and brought to justice — even (with some exceptions) if they live outside the U.S. Our ability to successfully go after an attacker is a meaningful deterrent to others who have similar objectives and is a major reason there have been so few physical incidents within our borders.