New defenses necessary for protecting client data

Recent warnings from President Barack Obama about the business threats posed by cyberterrorists and news that an estimated $300 million or more has been hacked from bank clients, should reinforce an adviser’s resolve to check — and then double check — cybersecurity defenses.
At a cybersecurity summit on Friday, Mr. Obama singled out the nation’s financial systems, health systems and power grid as networks being probed every day by criminals and foreign governments.
In an effort to improve security against cyberthreats, Mr. Obama signed an executive order to encourage companies to form groups and share information among themselves and with government organizations.
Such a step, not aimed at advisers but potentially consequential to client data because it touches the broad financial sector, could be worrisome, even though the president has said the information would be kept private, said Brian Hamburger, chief executive of MarketCounsel.
“People are skeptical with information sharing, and they should be asking questions,” he said.
Those questions include: “If I share information with a competitor, will he be able to publicize that my firm was hacked?” Mr. Hamburger said. Or, “Will notifications be used to illustrate vulnerabilities before I’ve been able to fortify system defenses?”
Eric Clarke, president of Orion Advisor Services, said the president’s focus on data security is a great reminder to advisers that they have to pay attention to the threats and vulnerabilities of keeping client data private.
One area advisers may not think about is ensuring vendors and third parties have had their own security audits that include firewall testing and penetration testing to ensure an outsider can’t hack through, Mr. Clarke said.
He recommended advisers work with those who’ve attained international specifications for information security management, such as the ISO 27001 certification.
Other steps include: requiring multifactor authentication when assessing firm data; password protection systems; staff training and education; and technologies for mobile devices that can electronically wipe devices that are lost.
(More: “10 ways advisers can improve their cybersecurity”)
“Security always creates less convenience,” Mr. Clarke said. “However, when you’re accessing sensitive data, and a lot of it, it’s worth the extra steps to make sure the data is safeguarded.
Meanwhile, breaches at 100 banks in 30 nations have led to at least $300 million being stolen from client accounts, according to a Kaspersky Lab report that the New York Times wrote about Saturday. The crimes were years in the making in some cases, beginning with malicious code, or malware, being downloaded by unsuspecting employees, it said.
Then hackers reportedly sent in remote access tools to capture video and screen shots that gave them access to bank procedures. The banks, mostly in Russia — but some in the U.S., Europe and Japan — will not be identified because of nondisclosure agreements with Kaspersky, the paper said.
(More: Cybersecurity needs to be a spending priority for advisers in 2015)
These and other reports indicate the tenacity of cyberterrorists and their widespread impact. Advisers can’t just stick their heads in the sand and ignore the problem, experts said.
“We’ve entered into an era where advisers can’t easily claim to be helpless victims when it comes to viruses, malware and spyware, and consumers are suffering the ramifications,” Mr. Hamburger said. “Those with a responsibility to collect and maintain sensitive information have the obligation to safeguard that information.”