Financial advisers are changing their systems and procedures to protect clients and their own firms from the rising incidence of cybersecurity breaches.
Advisers are taking such steps as verifying money requests, being more careful about passwords, banning client data from laptops and conducting annual cybersecurity audits to make sure they are protected from online criminals.
Heron Financial Group has taken the aforementioned steps, and now its executives are working to make their customer relationship management system more secure. They also are looking to buy cybersecurity insurance, which increasingly is being offered by the same firms that provide advisers with errors and omissions policies.
“We're never going to be 100% secure, but if you're at 99%, you're not the lowest hanging fruit,” said Dave Edwards, founder of Heron Financial Group. “Let hackers go after those firms.”
In two instances this year, someone took over a client's personal e-mail account, tracked e-mails from Heron Financial Group and then sent e-mails appearing to be from the client asking for funds to be wired. The firm's staff recognized something was off in the language of the e-mail and called the clients, foiling the fraud.
“Cybersecurity has to be one of our top business issues because we could be out of business overnight if our systems are compromised,” Mr. Edwards said.
In fact, cybersecurity has become a top business issue for many financial advisers as attacks against financial service firms are becoming more frequent and widespread. The Securities and Exchange Commission even stepped in four months ago, issuing a detailed list of questions it may ask advisory firms when they are examined.
Mr. Edwards commended the SEC for being proactive on this important issue and said the checklist is helpful to firms.
“You'd be an idiot not to go down it,” he said.
Compliance professionals are getting the message. Three-quarters of financial compliance professionals listed cybersecurity as one of the firm's top issues in 2014, according to a recent survey by the Investment Adviser Association, ACA Compliance Group and Old Mutual Asset Management. Only 14% feared cybersecurity issues in 2013.
“If your business is not prepared to deal with potential cyber attacks, proprietary and other key information is at risk,” said David Tittsworth, chief executive of IAA. “And all firms, regardless of size or sophistication, must deal with potential cybersecurity threats resulting from employee behavior, whether deliberate or inadvertent.”
Mr. Tittsworth believes many firms are still in the early stages of putting together programs to judge their risks and crafting the appropriate protocols to detect, respond to and recover from cyber threats.
Daniel Bernstein, director of research and development for compliance consultant MarketCounsel, said many advisers have had threats or heard about increasing problems this year and are being more vigilant about implementing the policies and procedures they already had in place to protect client data.
“Phishing scams have become more sophisticated and advisers have found themselves being used as part of an identity theft program,” Mr. Bernstein said. “You don't want clients to think you could have been in a position to stop it.”
It's important that advisers educate all their employees about cybersecurity procedures because the firm is only as safe as its weakest link, he said.
“If one person gets that phone call or e-mail that's been compromised, and if they don't have knowledge of the steps the firm has in place, the firm's at risk,” Mr. Bernstein said.