Ameriprise adviser's data breach offers cybersecurity lesson

Because employee carelessness is a leading factor in internet troubles, advisory firms should offer regular training on best practices, experts say

Dec 20, 2016 @ 1:27 pm

By Liz Skinner

Ameriprise Financial shut down the internet-connected backup drive its adviser was using to synchronize files from his office to his home as soon as it discovered client data was at risk earlier this month.

The Minneapolis-based firm, which manages about $796 billion in assets, said it was an isolated incident that pertained to only one adviser. But Ameriprise, which has about 10,000 advisers, still had to reach out to warn the clients of that unnamed adviser.

“We are taking swift and appropriate action to notify the approximately 350 impacted clients and protect their accounts from unauthorized activity,” the firm said in a statement Monday.

Stopping this kind of unsafe data handling is one of the greatest security challenges for financial firms, according to experts.

(More: Broker-dealers deploying advanced cybersecurity measures)

Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a recent study by Kapersky Labs.

“On the technology side of things, there is an increasing sophistication of firewall protection and detection if someone suspicious gets into a financial institution's system,” said Robert Cattanach, cybersecurity expert and law partner at Dorsey & Whitney, speaking generically about the financial industry. “Human error is a hard thing.”

Firms need to have strict policies and procedures about handling data, as well as specific encryption and password rules, he said.

(More: Cybersecurity solutions to weak passwords)

Also, training needs to be nonstop, Mr. Cattanach said.

Regulators continue to push initiatives in this area.

In September, New York's Department of Financial Services proposed rules requiring financial institutions have a cybersecurity program that would protect consumers, including written policies and a designated chief information security officer to oversee and enforce the program.

The rules also would mandate cybersecurity training for employees at financial institutions and require reporting of hacking attempts to the state within 72 hours of their discovery.

And in some cases, regulators have held financial firms liable for breaches.

An investment advisory firm agreed to pay $75,000 to settle Security Exchange Commission charges last year for failing to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals' personal information, including records of some of the firm's clients. The firm, R.T. Jones Capital Equities Management, stored personal client and other information on a third-party-hosted web server that was breached by an unknown hacker from China who gained access to the data, the SEC alleged.

In the Ameriprise case, Social Security numbers, bank authorization details and other information for the adviser's 350 clients were coming from a storage device in the adviser's home, according to a Dec. 15 MacKeeper blog post by internet security researcher Chris Vickery. He wrote that he found the client data on a random perusal of Shodan, a search engine for unsecured devices connected to the internet.

Mr. Vickery said he did not try to use any of the credentials to gain access to Ameriprise's internal network.

Mr. Cattanach said firms in general need to constantly be improving their cybersecurity procedures and monitors.

“Wherever we are today, tomorrow we're going to have to get better because the bad guys get better too,” he said.

0
Comments

What do you think?

View comments

Recommended for you

Sponsored financial news

Featured video

INTV

When can advisers expect an SEC fiduciary rule proposal and other regs this year?

Managing editor Christina Nelson and senior reporter Mark Schoeff Jr. discuss regulations of consequence to financial advisers in 2018, and their likely timing.

Recommended Video

Path to growth

Latest news & opinion

Fidelity charging new fee on Vanguard assets held in 401(k) plans

The 0.05% fee is ostensibly a response to Vanguard's distribution model, but may also make the company's funds less attractive due to higher cost.

UBS adviser count continues to decline

Firm to merge U.S., global wealth management units on Feb. 1

TD Ameritrade launches all-night trading for ETFs

Twelve funds now can be traded after-hours, but the list will grow, company says.

Cutting through the red tape of adviser regulation is tricky

Don't expect a simple rollback of rules under the Trump administration in 2018 — instead, regulators are on pace to bolster financial adviser oversight.

Bond investors have more to worry about than a government shutdown

Inflation worries, international rates pushing Treasuries yields higher.

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print