Imagine that you’re working on rebalancing a client portfolio and suddenly the computer screen goes blank. A message appears demanding a $10,000 ransom paid within the hour or else the entire hard drive will be erased. You’re worried about losing months’ worth of work, but stolen information would be far worse: you’d have to notify clients of the security breach, many of them would likely leave, and you might even be fined by FINRA.
This scenario may sound like something out of a movie, but it’s actually an increasingly common form of cyberattack known as ransomware. These attacks can originate from something as innocuous as an e-mail that appears to come from a colleague and carries a virus disguised as a spreadsheet or an invoice. Many financial advisors are ill-prepared to prevent these attacks, which are becoming increasingly commonplace in today’s tech-driven world.
In this article, we will take a look at why cybersecurity has become a primary focus for regulators and why it should be one for all financial advisors regardless of size. (For more, see: 7 Cybersecurity Tips for Advisors.)
Increased Regulatory Focus
The U.S. Securities and Exchange Commission (SEC) began taking a closer look at cybersecurity issues and conducted its first sweep of more than 100 broker-dealers and investment advisors in 2014. After releasing its findings the following February, the agency announced another round of examination by September. The SEC and FINRA have placed cybersecurity near the top of their priority list in 2016, which could lead to new enforcement activity in 2016 and 2017. (For more, see: Advisors Are Feeling Cyber-Insecure.)
These agencies now routinely look at financial advisors’ security controls through testing and assessments. In many cases, these examinations could lead to an increasing number of enforcement actions aimed at encouraging advisors to improve their security infrastructure. The agencies’ key areas of focus include governance, access rights, data loss prevention, training, and incident response, among other topics.
During these examinations, regulators will request a firm’s information security policies and procedures, interview staff members, and request information on security incidents that the firm has already experienced. Financial advisors should be prepared to answer all of the questions presented in the agencies’ existing guidance, while also addressing the more technical and detailed questions that examiners may ask for additional clarity.
Financial advisors should focus their efforts on two areas when it comes to meeting cybersecurity requirements and protecting client data. The first is technology that keeps client data secure and helps avoid problems from the outset. The second is documentation that helps meet regulatory requirements and ensures that policies are in place to govern the installation and maintenance of those technology solutions.
There are many different types of technology that are employed to secure networks and ensure that cyber criminals cannot access sensitive information. In most cases, financial advisors should work with information technology consultants to select the proper technologies and ensure that they are properly installed. It may also be helpful to have these consultants train staff members in order to shore up what is often the weakest link: humans. The most important technologies to implement include:
- Hardware firewall: Prevents unauthorized access to a computer network from outside sources by white-listing every approved connection and blocking all others.
- Software encryption: Secures sensitive data by rendering it unreadable to anyone who doesn’t possess the encryption key or passphrase.
- Access management: Ensures that all advisors in a practice have their own individual accounts, segregated so that one compromised account does not expose all data.
- Antivirus/anti-spyware: Prevents the installation and spread of viruses and spyware on computers connected to the network and quarantines any infections that already exist.
- Secure remote access: Protects access to the network’s computers by advisors working at home or away from the office through encrypted communication.
- Portable media encryption: Ensures that USB drives and laptops are locked down so that sensitive client information stays protected if they are lost or stolen.
- Software updates: Ensures that all software installed on a computer is kept up to date in order to close any security holes the vendor has discovered and patched.
- Personnel training: Helps personnel understand how to avoid the key security risks that tend to be the most common entry point for cyber criminals.
FINRA and the SEC have documentation requirements that tend to surface when these agencies conduct examinations. In many cases, the documentation of security procedures is as important as the actual security measures when it comes to enforcement actions.
The SEC Office of Compliance and Examination’s Cybersecurity Initiative and the 2015 Cybersecurity Examination Initiative are good places to start. In the 2015 initiative, the regulatory agency outlined its focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response, and then discussed the specifics of implementing and documenting solutions in each of these areas.
For example, the access rights and controls section outlines the following documentation requirements:
Firm policies and procedures regarding access by unauthorized persons to firm network resources and devices and user access restrictions (e.g., access control policy, acceptable use policy, administrative management of systems, and corporate information security policy), including those addressing the following:
- Establishing employee access rights, including the employee’s role or group membership;
- Updating or terminating access rights based on personnel or system changes; and
- Any management approval required for changes to access rights or controls.
Financial advisors should carefully read through these requirements and ensure that they’re able to fully answer these questions ahead of time. Any failure to address these questions and concerns could lead to enforcement actions.
The Bottom Line
Cybersecurity remains a top priority for regulators at the SEC and FINRA as cybersecurity-related incidents are on the rise. For financial advisors, it’s more important than ever to secure data with technology and to ensure that everything is documented for regulators. Those who fail to address these issues could face an increasing risk of regulatory actions, fines, and other consequences as the policies mature at the regulatory level. (For related reading, see: Educating Your Clients About Cybersecurity.)