Justin Kapahi, vice president of solutions and security at New York-based firm External IT, is excited about a new set of cybersecurity regulations for financial institutions that were recently passed in Colorado.
The Colorado Division of Securities published final rules in mid-May that compel broker-dealers and investment advisors to establish and maintain written cybersecurity procedures designed to protect clients’ personal confidential information. Those procedures include using secure emails that employ encryption and multifactor authentication practices for employees to access databases, among other things.
Kapahi believes these rules will go a long way toward helping financial advisory firms in Colorado understand how best to protect themselves from hackers. Even if most firms in this industry have in place what Kapahi calls “commodity security” (firewalls and anti-virus protection, for example), many are not truly equipped to counter “socially engineered threats” like spam emails that look innocuous but can result in major database breaches.
In the Cloud, ‘Middleman Is the Computer’
In the era of cloud computing, many companies also believe that they don’t need servers because their data is safely stored at all times. However, accessing that data on devices that are not authorized – a routine occurrence – is one of the most common ways in which data is hacked, Kapahi said.
“People don’t realize that in the cloud, the middleman is the computer,” Kapahi said. “I mean, I would not do business on my son’s computer, for example – he plays games on it, he downloads things, and it’s dangerous. So it’s really bad news for financial advisors who download their clients’ data on their home computers or on other unmanaged devices.”
In Kapahi’s view, cybersecurity is by far the greatest problem for the financial planning industry. While the SEC and certain states like Colorado and New York have provided guidelines for companies to follow, it’s still very difficult for many firms to wrap their arms around things and to ensure their valuable data is fully protected.
“As a security provider, you need to be agile and you need to hire people who understand the industry and who follow compliance regulation,” he said.
While External IT has always served financial advisory firms, it is now wholly dedicated to this space, ensuring that it stays ahead of the curve in terms of what advisors need to safeguard their data.