How long can advisers get away with not reporting cyber breaches?

Some aren't complying just yet, while regulators see cybersecurity as top priority

Feb 29, 2016 @ 1:00 pm

By Alessandra Malito

+ Zoom

Many advisory firms are playing with fire by failing to report to regulators cybersecurity breaches, both big and small, experts say.

"What we see firms are doing is really taking significant steps to avoid having to report these issues," said Brian Hamburger, CEO of MarketCounsel, a regulatory compliance consulting firm.

"These data breaches are triggered on a wide variety of potential issues; and yes they are avoidable, but it takes a deliberate effort by the adviser to ensure they are looking at this holistically."

As a result, Mr. Hamburger and other industry experts are urging financial advisers to account for and report all cyberattacks, whether in-house or from the outside, as a matter of routine due diligence and to placate regulators who are fining more firms that fail to report the attacks.

Breaches can occur as a result of just about anything — experts cited bad passwords, hacked email accounts of clients or advisers, unsecured encryption, unintentionally clicking or downloading malware, or even an unauthorized individual finding non-shredded documents in the trash.

For example, Mr. Hamburger said he has seen advisers who don't use shredders or others who recycle sheets printed with information on the back. "These breaches can occur any number of ways," he said. "They start very basic."

Advisers don't have to report everything that happens to the Securities and Exchange Commission or Financial Industry Regulatory Authority Inc., but they need to abide by the rules set by the state where they and their clients work and reside — and those rules can vary. Advisers should be aware of these policies while keeping track of any incidents as a precaution, experts said.

An External IT report from November found firms are falling short on the cybersecurity front. According to the report, they are lacking in security policy, accountability when moving data, and disaster recovery.

Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, suggested that advisers create an incident log, whether big or small.

"It doesn't matter the scale of the issue, because it is oftentimes the littlest things that become some of the biggest problems later," Mr. Yenamandra said.

After the log is created, a third-party vendor or expert should ascertain the priority of each issue to determine the next steps. In some cases, the breach should be reported, but in other cases a firm only needs to draft a plan to avoid a re-occurrence, he said.

"The rule of thumb is any time there is a kind of account that has been compromised that could have revealed personally identifiable information data for one client or more than one client, that for us is when the eyebrows start to go up," Mr. Yenamandra said.

But with cybersecurity becoming a top priority for regulators, it won't be as easy for advisers to slip by with an unreported case, said Brian Edelman, chief executive of Financial Computer Services, a cybersecurity firm.

"Prior to this year, it was a possibility they wouldn't get caught," Mr. Edelman said. "I will promise you that now if an adviser has a cyber breach, the world will know."

R.T. Jones, for instance, recently agreed to pay $75,000 to settle SEC charges that the firm failed to have a cybersecurity policy in place before a computer breach compromised the personal information of 100,000 individuals.

On top of an incident log, advisers should follow the guidelines for adviser examinations set forth by the regulators, which would drastically improve cybersecurity measures for the firm. Mr. Edelman said it doesn't cost a lot of money to have a strong cybersecurity plan, it's just a matter of implementing best practices.

It also saves money down the line.

"Advisers who don't take [the] appropriate measures [that are] outlined specifically have a huge financial risk that, if they follow what the SEC and Finra have put together, would not exist," he said.

Mr. Yenamandra said regulators are going to get tougher on cybersecurity. Not only in exams, but through proactive initiatives, he said.

Mr. Hamburger isn't so sure, though. He said regulators will continue to make noise but need to be more engaged in making rules.

"If they want to have a meaningful impact, your actions should be aligned with your words," Mr. Hamburger said. "This will continue to be a significant issue, more and more as we go forward with a reliance on electronic records."


What do you think?

View comments

Recommended for you

Sponsored financial news

Upcoming Event

Apr 30


Retirement Income Summit

Join InvestmentNews at the 12th annual Retirement Income Summit - the industry's premier retirement planning conference.Much has changed - and much remains to be learned. Attend and discuss how the future is full of opportunity for ... Learn more

Featured video


Dynasty's Penney: How to stay ahead of the curve

With rapid evolution, financial advisers stand at a unique crossroads. Dynasty's Shirl Penney offers some simple strategies to remain a step ahead of the competition.

Video Spotlight

Will It Last As Long As Your Clients Do?

Sponsored by Prudential

Video Spotlight

The Catalyst

Sponsored by Pershing

Latest news & opinion

Voya's win in 401(k) fee suit involving Financial Engines bodes well for other record keepers

Fidelity, Aon Hewitt and Xerox HR Solutions are currently defending against similar fiduciary-breach claims.

Collective investment trusts getting more attention from 401(k) advisers

The funds are catching on due largely to lower costs and more product availability, but come with some inherent drawbacks.

Vanguard rides robo-advice wave to $65B in assets

Personal Advisor Services, four times the size of its closest competitor, combines digital and human touch.

CFPs, including brokers, may have to adhere to a stricter fiduciary duty

CFP Board revises its standards and aims to beef up fiduciary requirements of certificants.

CFP Board's proposal to expand fiduciary duty draws praise, carries risks

Some question whether brokers will drop the CFP mark or if the CFP Board will strictly enforce its new standard.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print