When the 1930s American bank robber Willie Sutton was finally caught and the police asked why he targeted banks, he is often quoted as saying, “That’s where the money is.”
Today’s digital robbers still go where the money is, which is still financial institutions, including financial advisors.
While most people think of hackers as people who steal passwords to get credit card numbers for a shopping spree, the threat is much larger than that. The lucrative black market for selling data makes it more worthwhile than any shopping spree.
As an advisor, you store sensitive data for a variety of clients and their assets. It is critical for you to understand cybersecurity and take steps to ensure you protect your firm.
The SEC’s Take
Cybersecurity is such a critical area of focus for the SEC that the agency has added a data security section to its audits. Advisors have no excuse not to be prepared.
Knowing where to start, of course, is essential. The SEC wants every RIA firm to follow a few simple steps as a beginning route to becoming digitally prepared.
- Implement access rights and controls for each employee in an office.
- Create a Loss Prevention process to help prevent the possibility of data loss.
- Prepare an instant reporting action plan in the case of an event.
- Train staff on how to spot suspicious online activity and how to handle digital client data.
- Appoint a dedicated person in the firm to oversee cybersecurity; for most firms this is the CCO (chief compliance officer).
Plus, the SEC provides advisors with a checklist in the form of a brief quiz to help them know that their firm is on the right track and has the correct attitude when it comes to data security.
When advisors ask for my help in providing an assessment of their cybersecurity preparedness, I get them started with a few general areas to cover how they interact with their clients’ data.
Step One: Train Your People and Your Clients
Good security always begins with your people. Anyone can make a mistake, but proper training makes mistakes less likely and less damaging.
In the beginning, make sure your team understands a “phishing” email, which is an email designed to look like it comes from a legitimate source. These emails can even be made to look like they’re coming from inside your company.