Many advisory firms are playing with fire by failing to report to regulators cybersecurity breaches, both big and small, experts say.
"What we see firms are doing is really taking significant steps to avoid having to report these issues," said Brian Hamburger, CEO of MarketCounsel, a regulatory compliance consulting firm.
"These data breaches are triggered on a wide variety of potential issues; and yes they are avoidable, but it takes a deliberate effort by the adviser to ensure they are looking at this holistically."
As a result, Mr. Hamburger and other industry experts are urging financial advisers to account for and report all cyberattacks, whether in-house or from the outside, as a matter of routine due diligence and to placate regulators who are fining more firms that fail to report the attacks.
Breaches can occur as a result of just about anything — experts cited bad passwords, hacked email accounts of clients or advisers, unsecured encryption, unintentionally clicking or downloading malware, or even an unauthorized individual finding non-shredded documents in the trash.
For example, Mr. Hamburger said he has seen advisers who don't use shredders or others who recycle sheets printed with information on the back. "These breaches can occur any number of ways," he said. "They start very basic."
Advisers don't have to report everything that happens to the Securities and Exchange Commission or Financial Industry Regulatory Authority Inc., but they need to abide by the rules set by the state where they and their clients work and reside — and those rules can vary. Advisers should be aware of these policies while keeping track of any incidents as a precaution, experts said.
An External IT report from November found firms are falling short on the cybersecurity front. According to the report, they are lacking in security policy, accountability when moving data, and disaster recovery.
Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, suggested that advisers create an incident log, whether big or small.
"It doesn't matter the scale of the issue, because it is oftentimes the littlest things that become some of the biggest problems later," Mr. Yenamandra said.
After the log is created, a third-party vendor or expert should ascertain the priority of each issue to determine the next steps. In some cases, the breach should be reported, but in other cases a firm only needs to draft a plan to avoid a re-occurrence, he said.
"The rule of thumb is any time there is a kind of account that has been compromised that could have revealed personally identifiable information data for one client or more than one client, that for us is when the eyebrows start to go up," Mr. Yenamandra said.
But with cybersecurity becoming a top priority for regulators, it won't be as easy for advisers to slip by with an unreported case, said Brian Edelman, chief executive of Financial Computer Services, a cybersecurity firm.
"Prior to this year, it was a possibility they wouldn't get caught," Mr. Edelman said. "I will promise you that now if an adviser has a cyber breach, the world will know."
R.T. Jones, for instance, recently agreed to pay $75,000 to settle SEC charges that the firm failed to have a cybersecurity policy in place before a computer breach compromised the personal information of 100,000 individuals.
On top of an incident log, advisers should follow the guidelines for adviser examinations set forth by the regulators, which would drastically improve cybersecurity measures for the firm. Mr. Edelman said it doesn't cost a lot of money to have a strong cybersecurity plan, it's just a matter of implementing best practices.
It also saves money down the line.
"Advisers who don't take [the] appropriate measures [that are] outlined specifically have a huge financial risk that, if they follow what the SEC and Finra have put together, would not exist," he said.
Mr. Yenamandra said regulators are going to get tougher on cybersecurity. Not only in exams, but through proactive initiatives, he said.
Mr. Hamburger isn't so sure, though. He said regulators will continue to make noise but need to be more engaged in making rules.
"If they want to have a meaningful impact, your actions should be aligned with your words," Mr. Hamburger said. "This will continue to be a significant issue, more and more as we go forward with a reliance on electronic records."