How long can advisers get away with not reporting cyber breaches?

Some aren't complying just yet, while regulators see cybersecurity as top priority

Feb 29, 2016 @ 1:00 pm

By Alessandra Malito

Many advisory firms are playing with fire by failing to report to regulators cybersecurity breaches, both big and small, experts say.

"What we see firms are doing is really taking significant steps to avoid having to report these issues," said Brian Hamburger, CEO of MarketCounsel, a regulatory compliance consulting firm.

"These data breaches are triggered on a wide variety of potential issues; and yes they are avoidable, but it takes a deliberate effort by the adviser to ensure they are looking at this holistically."

As a result, Mr. Hamburger and other industry experts are urging financial advisers to account for and report all cyberattacks, whether in-house or from the outside, as a matter of routine due diligence and to placate regulators who are fining more firms that fail to report the attacks.

Breaches can occur as a result of just about anything — experts cited bad passwords, hacked email accounts of clients or advisers, unsecured encryption, unintentionally clicking or downloading malware, or even an unauthorized individual finding non-shredded documents in the trash.

For example, Mr. Hamburger said he has seen advisers who don't use shredders or others who recycle sheets printed with information on the back. "These breaches can occur any number of ways," he said. "They start very basic."

Advisers don't have to report everything that happens to the Securities and Exchange Commission or Financial Industry Regulatory Authority Inc., but they need to abide by the rules set by the state where they and their clients work and reside — and those rules can vary. Advisers should be aware of these policies while keeping track of any incidents as a precaution, experts said.

An External IT report from November found firms are falling short on the cybersecurity front. According to the report, they are lacking in security policy, accountability when moving data, and disaster recovery.

Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, suggested that advisers create an incident log, whether big or small.

"It doesn't matter the scale of the issue, because it is oftentimes the littlest things that become some of the biggest problems later," Mr. Yenamandra said.

After the log is created, a third-party vendor or expert should ascertain the priority of each issue to determine the next steps. In some cases, the breach should be reported, but in other cases a firm only needs to draft a plan to avoid a re-occurrence, he said.

"The rule of thumb is any time there is a kind of account that has been compromised that could have revealed personally identifiable information data for one client or more than one client, that for us is when the eyebrows start to go up," Mr. Yenamandra said.

But with cybersecurity becoming a top priority for regulators, it won't be as easy for advisers to slip by with an unreported case, said Brian Edelman, chief executive of Financial Computer Services, a cybersecurity firm.

"Prior to this year, it was a possibility they wouldn't get caught," Mr. Edelman said. "I will promise you that now if an adviser has a cyber breach, the world will know."

R.T. Jones, for instance, recently agreed to pay $75,000 to settle SEC charges that the firm failed to have a cybersecurity policy in place before a computer breach compromised the personal information of 100,000 individuals.

On top of an incident log, advisers should follow the guidelines for adviser examinations set forth by the regulators, which would drastically improve cybersecurity measures for the firm. Mr. Edelman said it doesn't cost a lot of money to have a strong cybersecurity plan, it's just a matter of implementing best practices.

It also saves money down the line.

"Advisers who don't take [the] appropriate measures [that are] outlined specifically have a huge financial risk that, if they follow what the SEC and Finra have put together, would not exist," he said.

Mr. Yenamandra said regulators are going to get tougher on cybersecurity. Not only in exams, but through proactive initiatives, he said.

Mr. Hamburger isn't so sure, though. He said regulators will continue to make noise but need to be more engaged in making rules.

"If they want to have a meaningful impact, your actions should be aligned with your words," Mr. Hamburger said. "This will continue to be a significant issue, more and more as we go forward with a reliance on electronic records."


What do you think?

View comments

Recommended for you

Sponsored financial news

Upcoming Event

Apr 30


Retirement Income Summit

Join InvestmentNews at the 12th annual Retirement Income Summit - the industry's premier retirement planning conference.Much has changed - and much remains to be learned. Attend and discuss how the future is full of opportunity for ... Learn more

Featured video


Geoffrey Brown: What's top of mind at NAPFA?

NAPFA is looking ahead at the rest of 2018 and has a broad agenda that includes improving diversity in the advice industry. What's next? Geoffrey Brown offers his insights.

Latest news & opinion

10 fastest-growing IBDs

These independent broker-dealers saw the biggest percentage gains in their revenue in 2017.

The unique nature of working with celebrity clients

Athletes and entertainers are just like everyone else — aside from complex tax issues, a lack of financial savvy and a need for prenups

Top 10 IBDs ranked by revenue

These independent broker dealers generated the most revenues in 2017.

8 podcasts advisers listen to when they aren't working

Listening to podcasts for the fun of it.

UBS continues to cut loans to recruits, while increasing compensation to brokers

The wirehouse reduced recruitment loans 20% and increased bonus loans 68% in the first quarter.


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting It'll help us continue to serve you.

Yes, show me how to whitelist

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print