Ameriprise adviser's data breach offers cybersecurity lesson

Because employee carelessness is a leading factor in internet troubles, advisory firms should offer regular training on best practices, experts say

Dec 20, 2016 @ 1:27 pm

By Liz Skinner

Ameriprise Financial shut down the internet-connected backup drive its adviser was using to synchronize files from his office to his home as soon as it discovered client data was at risk earlier this month.

The Minneapolis-based firm, which manages about $796 billion in assets, said it was an isolated incident that pertained to only one adviser. But Ameriprise, which has about 10,000 advisers, still had to reach out to warn the clients of that unnamed adviser.

“We are taking swift and appropriate action to notify the approximately 350 impacted clients and protect their accounts from unauthorized activity,” the firm said in a statement Monday.

Stopping this kind of unsafe data handling is one of the greatest security challenges for financial firms, according to experts.

(More: Broker-dealers deploying advanced cybersecurity measures)

Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a recent study by Kapersky Labs.

“On the technology side of things, there is an increasing sophistication of firewall protection and detection if someone suspicious gets into a financial institution's system,” said Robert Cattanach, cybersecurity expert and law partner at Dorsey & Whitney, speaking generically about the financial industry. “Human error is a hard thing.”

Firms need to have strict policies and procedures about handling data, as well as specific encryption and password rules, he said.

(More: Cybersecurity solutions to weak passwords)

Also, training needs to be nonstop, Mr. Cattanach said.

Regulators continue to push initiatives in this area.

In September, New York's Department of Financial Services proposed rules requiring financial institutions have a cybersecurity program that would protect consumers, including written policies and a designated chief information security officer to oversee and enforce the program.

The rules also would mandate cybersecurity training for employees at financial institutions and require reporting of hacking attempts to the state within 72 hours of their discovery.

And in some cases, regulators have held financial firms liable for breaches.

An investment advisory firm agreed to pay $75,000 to settle Security Exchange Commission charges last year for failing to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals' personal information, including records of some of the firm's clients. The firm, R.T. Jones Capital Equities Management, stored personal client and other information on a third-party-hosted web server that was breached by an unknown hacker from China who gained access to the data, the SEC alleged.

In the Ameriprise case, Social Security numbers, bank authorization details and other information for the adviser's 350 clients were coming from a storage device in the adviser's home, according to a Dec. 15 MacKeeper blog post by internet security researcher Chris Vickery. He wrote that he found the client data on a random perusal of Shodan, a search engine for unsecured devices connected to the internet.

Mr. Vickery said he did not try to use any of the credentials to gain access to Ameriprise's internal network.

Mr. Cattanach said firms in general need to constantly be improving their cybersecurity procedures and monitors.

“Wherever we are today, tomorrow we're going to have to get better because the bad guys get better too,” he said.


What do you think?

View comments

Recommended for you

Featured video


Crossmark's Rentfrow: Why should advisors care about responsible investing?

There are lot of misconceptions when it comes to socially responsible investing. Crossmark's David Rentfrow debunks the myths and discusses opportunities for advisers.

Latest news & opinion

Raymond James executives call on industry to keep broker protocol

Also ask firms to pay for the administration of the protocol to 'ensure its longevity and relevance.'

Senate committee approves tax plan but full passage not assured

Several Republican senators expressed reservations about the bill, and the GOP cannot afford too many defections.

House passes tax bill, focus turns to Senate

Tax reform legislation expected to have more of a challenge in upper chamber.

SEC enforcement of advisers drops in Trump era

The agency pursued 82 cases against advisers and firms in fiscal year 2017, down from 98 the previous year.

PIABA accuses Finra of conflicts of interest

Public Investors Arbitration Bar Association report slams self-regulator over its picks for board of governors.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print