When the 1930s American bank robber Willie Sutton was finally caught and the police asked why he targeted banks, he often is cited as saying, “That’s where the money is.”
Today’s digital robbers still go where the money is, which still is financial institutions, including financial advisors.
While most people think of hackers as people who steal passwords to get credit card numbers for a shopping spree, the threat is much larger than that. The lucrative black market for selling data makes it more worthwhile than any shopping spree.
As an advisor, you store sensitive data for a variety of clients and their assets. It is critical for you to understand cybersecurity and take steps to ensure you protect your firm.
The SEC’s Take
Cybersecurity is such a critical area of focus for the SEC, the agency has added a section for data security to its audits. Advisors have no excuse to not be prepared.
Knowing where to start, of course, is essential. The SEC wants every RIA firm to follow a few simple steps as a beginning route to becoming digitally prepared.
- Implement access rights and controls for each employee in an office.
- Create a Loss Prevention process to help prevent the possibility of data loss.
- Prepare an instant reporting action plan in the case of an event.
- Train staff on how to spot suspicious online activity and how to handle digital client data.
- Appoint a dedicated person in a firm to oversee cybersecurity, usually this is the CCO (chief compliance officer) for most firms.
Plus, the SEC provides advisors with a checklist in the form of a brief quiz to help them know that their firm is on the right track and has the correct attitude when it comes to data security.
When advisors ask for my help in providing an assessment of their cybersecurity preparedness, I get them started with a few general areas to cover how they interact with their clients’ data.
Step One: Train Your People and Your Clients
Good security always begins with your people. While anyone can make a mistake, proper training can mitigate them.
In the beginning, make sure your team understands a “phishing” email, which is an email designed to look like it comes from a legitimate source. These emails can even be made to look like they’re coming from inside your company.
Beyond the basics, performing a mock audit with a third-party compliance consultant can help you gauge your team’s aptitude for spotting suspicious requests.
The proper technology also can help your team. By using secure document exchange apps instead of email, and securing logins with multi-factor authentication, you can put processes in place to guard against human error.
Step Two: Review Security of Software Vendors
Let’s be honest — most RIA firms don’t possess their clients’ data on-site anymore; rather, they keep it stored in third party systems like a financial planning software or custodian.
No matter if you work with one tech vendor or ten, you must regularly confirm that your vendors are up to the task of keeping your clients’ data safe. Ask each vendor about their security policy so you understand their processes and how they would respond if an event did occur.
There are global standards that cover security protocol — including the popular ISO2700 certification. Ask if your vendor has any.
If you were buying a home, you would do an inspection — performing due diligence on your software partners should be no different.
If you’ve ever had a credit card stolen or your identify compromised and had to deal with the endless hours of fallout it caused, you know how important digital data security is for your firm.
The attitude with which you approach cybersecurity will make a difference throughout your firm. Take your responsibility seriously — the lives and livelihood of your clients is literally at stake with their personal information.
Modern advisory firms have no choice but to act as one of the digital safeguards of their clients’ financial lives. If you are not already doing all you can in this area, step up and take action now.
Jarrod Upton is COO and senior consultant at Herbers & Co. He brings over 16 years of experience in management strategy, client experience and operations consulting to advisory firms. He can be reached at www.HerbersCo.com.