How long can advisers get away with not reporting cyber breaches?

Some aren't complying just yet, while regulators see cybersecurity as top priority

Feb 29, 2016 @ 1:00 pm

By Alessandra Malito

+ Zoom

Many advisory firms are playing with fire by failing to report to regulators cybersecurity breaches, both big and small, experts say.

"What we see firms are doing is really taking significant steps to avoid having to report these issues," said Brian Hamburger, CEO of MarketCounsel, a regulatory compliance consulting firm.

"These data breaches are triggered on a wide variety of potential issues; and yes they are avoidable, but it takes a deliberate effort by the adviser to ensure they are looking at this holistically."

As a result, Mr. Hamburger and other industry experts are urging financial advisers to account for and report all cyberattacks, whether in-house or from the outside, as a matter of routine due diligence and to placate regulators who are fining more firms that fail to report the attacks.

Breaches can occur as a result of just about anything — experts cited bad passwords, hacked email accounts of clients or advisers, unsecured encryption, unintentionally clicking or downloading malware, or even an unauthorized individual finding non-shredded documents in the trash.

For example, Mr. Hamburger said he has seen advisers who don't use shredders or others who recycle sheets printed with information on the back. "These breaches can occur any number of ways," he said. "They start very basic."

Advisers don't have to report everything that happens to the Securities and Exchange Commission or Financial Industry Regulatory Authority Inc., but they need to abide by the rules set by the state where they and their clients work and reside — and those rules can vary. Advisers should be aware of these policies while keeping track of any incidents as a precaution, experts said.

An External IT report from November found firms are falling short on the cybersecurity front. According to the report, they are lacking in security policy, accountability when moving data, and disaster recovery.

Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, suggested that advisers create an incident log, whether big or small.

"It doesn't matter the scale of the issue, because it is oftentimes the littlest things that become some of the biggest problems later," Mr. Yenamandra said.

After the log is created, a third-party vendor or expert should ascertain the priority of each issue to determine the next steps. In some cases, the breach should be reported, but in other cases a firm only needs to draft a plan to avoid a re-occurrence, he said.

"The rule of thumb is any time there is a kind of account that has been compromised that could have revealed personally identifiable information data for one client or more than one client, that for us is when the eyebrows start to go up," Mr. Yenamandra said.

But with cybersecurity becoming a top priority for regulators, it won't be as easy for advisers to slip by with an unreported case, said Brian Edelman, chief executive of Financial Computer Services, a cybersecurity firm.

"Prior to this year, it was a possibility they wouldn't get caught," Mr. Edelman said. "I will promise you that now if an adviser has a cyber breach, the world will know."

R.T. Jones, for instance, recently agreed to pay $75,000 to settle SEC charges that the firm failed to have a cybersecurity policy in place before a computer breach compromised the personal information of 100,000 individuals.

On top of an incident log, advisers should follow the guidelines for adviser examinations set forth by the regulators, which would drastically improve cybersecurity measures for the firm. Mr. Edelman said it doesn't cost a lot of money to have a strong cybersecurity plan, it's just a matter of implementing best practices.

It also saves money down the line.

"Advisers who don't take [the] appropriate measures [that are] outlined specifically have a huge financial risk that, if they follow what the SEC and Finra have put together, would not exist," he said.

Mr. Yenamandra said regulators are going to get tougher on cybersecurity. Not only in exams, but through proactive initiatives, he said.

Mr. Hamburger isn't so sure, though. He said regulators will continue to make noise but need to be more engaged in making rules.

"If they want to have a meaningful impact, your actions should be aligned with your words," Mr. Hamburger said. "This will continue to be a significant issue, more and more as we go forward with a reliance on electronic records."


What do you think?

View comments

Recommended for you

Sponsored financial news

Upcoming Event

Oct 17


Best Practices Workshop

For the fifth year, InvestmentNews will host the Best Practices Workshop & Awards, bringing together the industry’s top-performing and most influential firms in one room for a full-day. This exclusive workshop and awards program for the... Learn more

Featured video


What does the adviser of the future need in their toolbox?

Advisers continue to embrace all of the new offerings and products the fintech space has to offer. But what else can help them improve their business?

Video Spotlight

Are Your Clients Prepared For Market Downturns?

Sponsored by Prudential

Video Spotlight

Path to growth

Video Spotlight

Path to growth

Latest news & opinion

With margins crashing, broker-dealers look to merge: report

Increased regulation is straining profit margins among broker-dealers, sending many of them into the arms of their bigger brethren.

Top 10 financial firms ranked by investor satisfaction

Find out which firm took the top slot for overall investor satisfaction for the second year in a row.

What not to say to clients when the markets drop

Here's what advisers should steer clear of saying the next time stocks turn downward.

SEC bars former rep for alleged share price manipulation

George Thoreson tried to keep penny stock's price high to enable Nasdaq listing.

Nevada fiduciary law raises concerns among retirement professionals, brokerage industry

Critics complain that it conflicts with ERISA and SEC rules and has potential to spur other states to pass their own version of a fiduciary rule.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print