Cybersecurity efforts still falling short at financial services firms

Report cites policy, accountability and disaster recovery as three areas of weakness

Nov 3, 2015 @ 2:43 pm

By Laura Sanicola

Financial firms — including financial advisers — are still coming up short in managing their cybersecurity efforts, according to External IT, which provides unified cloud computing to the financial services industry.

In a report titled "Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?” External IT examined structural deficiencies in how financial firms manage their cybersecurity efforts.

“Security, compliance and IT are one topic and they are interchangeable and a financial business needs to be structured that way,” said Sam Attias, managing director of financial services at External IT.

According to the report, financial cybersecurity is lacking in three key areas:

Security policy — firms fail to be proactive in their auditing of IT and IT security.

Accountability when moving company data — a firm's employees are often able to move company data to personal and home devices without accountability or tracking measures in place.

Disaster recovery — firms lack business continuity plans in place in case of emergency.

The report also found that financial firms don't properly vet third-party vendors before taking them on or use ones with inadequate technology. It recommends that firms record the software and data that vendors can access, even vendors hired to mitigate cybersecurity risks.

Brian Edelman, chief executive of Financial Computer Services, a company that works primarily in cybersecurity, said advisers often don't follow these measures because they are in the dark about where to go to get their information.

“It's not that advisers are neglecting cybersecurity measures intentionally,” Mr. Attias said, citing a lack of education and understanding as one of the biggest problems advisers face regarding cybersecurity. He recommended that advisers receive security awareness training, but emphasized that they do not need to become IT experts in order to manage their cybersecurity within their firms.

"The whole idea behind risk assessment is to verify independent third party that the firm is complying with the requirements that have been defined for them,” Mr. Edelman said. “It's a major problem when a financial adviser is not using a cybersecurity firm that understands financial services because he ends up being out of compliance as a result.”

The External IT whitepaper follows a September Securities and Exchange Commission Risk Alert on cybersecurity in which the agency's Office of Compliance Inspections and Examinations said it planned a new round of examinations to gather information on cybersecurity-related controls and assess implementation of certain firm controls. OCIE will focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

A week after the risk alert was issued, the SEC fined an adviser at St. Louis-based R.T. Jones $75,000 for a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm's clients.

Prior to the September alert, the SEC and the Financial Industry Regulatory Authority Inc. had been monitoring the compliance of financial firms with cybersecurity standards.


What do you think?

View comments

Most watched


Finding your edge from Tony Robbins

Guru Tony Robbins has helped a lot of people, but armed with his psychology Financial Advisor Josh Nelson has helped his practice soar.


Finding innovation in your firm

Adam Holt of AssetMap explains how advisers understand they need to grow, but great innovation may be lurking right under your nose.

Latest news & opinion

10 IBDs with the most annuity revenue

Here are the independent broker-dealers that brought in the most annuity revenue last year.

LPL expanding platform to include employee brokers

The largest IBD in the country has agreed to buy a small broker-dealer in Florida to kick off the new effort.

Hopes high for bill to ease small-firm adviser regulations

High-ranking, bipartisan members of the House Financial Services Committee back the legislation.

Redtail CRM data breach exposes personal client data

The information exposed includes names, addresses, dates of birth and Social Security numbers.

This strategy can double your estate-tax exemption

'Portability' allows a surviving spouse to tack the decedent's exemption on to his or her own. Despite the higher threshold for paying estate taxes in the 2017 tax law, experts recommend filing for the benefit.


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting It'll help us continue to serve you.

Yes, show me how to whitelist

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print