How long can advisers get away with not reporting cyber breaches?

Some aren't complying just yet, while regulators see cybersecurity as top priority

Feb 29, 2016 @ 1:00 pm

By Alessandra Malito

Many advisory firms are playing with fire by failing to report cybersecurity breaches, both big and small, to regulators, experts say.

"What we see firms are doing is really taking significant steps to avoid having to report these issues," said Brian Hamburger, CEO of MarketCounsel, a regulatory compliance consulting firm.

"These data breaches are triggered on a wide variety of potential issues; and yes they are avoidable, but it takes a deliberate effort by the adviser to ensure they are looking at this holistically."

As a result, Mr. Hamburger and other industry experts are urging financial advisers to account for and report all cyberattacks, whether in-house or from the outside, as a matter of routine due diligence and to placate regulators who are fining more firms that fail to report the attacks.

Breaches can occur as a result of just about anything — experts cited bad passwords, hacked email accounts of clients or advisers, unsecured encryption, unintentionally clicking or downloading malware, or even an unauthorized individual finding non-shredded documents in the trash.

For example, Mr. Hamburger said he has seen advisers who don't use shredders or others who recycle sheets printed with information on the back. "These breaches can occur any number of ways," he said. "They start very basic."

Advisers don't have to report everything that happens to the Securities and Exchange Commission or Financial Industry Regulatory Authority Inc., but they need to abide by the rules set by the state where they and their clients work and reside — and those rules can vary. Advisers should be aware of these policies while keeping track of any incidents as a precaution, experts said.

An External IT report from November found firms are falling short on the cybersecurity front. According to the report, they are lacking in security policy, accountability when moving data, and disaster recovery.

Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, suggested that advisers create an incident log covering every incident, whether big or small.

"It doesn't matter the scale of the issue, because it is oftentimes the littlest things that become some of the biggest problems later," Mr. Yenamandra said.

After the log is created, a third-party vendor or expert should ascertain the priority of each issue to determine the next steps. In some cases, the breach should be reported, but in other cases a firm only needs to draft a plan to avoid a re-occurrence, he said.

"The rule of thumb is any time there is a kind of account that has been compromised that could have revealed personally identifiable information data for one client or more than one client, that for us is when the eyebrows start to go up," Mr. Yenamandra said.

But with cybersecurity becoming a top priority for regulators, it won't be as easy for advisers to slip by with an unreported case, said Brian Edelman, chief executive of Financial Computer Services, a cybersecurity firm.

"Prior to this year, it was a possibility they wouldn't get caught," Mr. Edelman said. "I will promise you that now if an adviser has a cyber breach, the world will know."

R.T. Jones, for instance, recently agreed to pay $75,000 to settle SEC charges that the firm failed to have a cybersecurity policy in place before a computer breach compromised the personal information of 100,000 individuals.

On top of an incident log, advisers should follow the guidelines for adviser examinations set forth by the regulators, which would drastically improve cybersecurity measures for the firm. Mr. Edelman said it doesn't cost a lot of money to have a strong cybersecurity plan; it's just a matter of implementing best practices.

It also saves money down the line.

"Advisers who don't take [the] appropriate measures [that are] outlined specifically have a huge financial risk that, if they follow what the SEC and Finra have put together, would not exist," he said.

Mr. Yenamandra said regulators are going to get tougher on cybersecurity, not only in exams but through proactive initiatives.

Mr. Hamburger isn't so sure, though. He said regulators will continue to make noise but need to be more engaged in making rules.

"If they want to have a meaningful impact, your actions should be aligned with your words," Mr. Hamburger said. "This will continue to be a significant issue, more and more as we go forward with a reliance on electronic records."

