Investment advisers have a great many reasons to feel anxious, and not just because of the stock market's volatility. Registered investment advisers and investment adviser representatives face the risk of cyber attacks against their firms and their clients. If those risks weren't enough to make advisers feel insecure, they also must be concerned that securities regulators will criticize their efforts to address cyber threats.
Both the Securities and Exchange Commission and state securities regulators assess RIAs' cybersecurity preparedness during compliance examinations. If examiners are disappointed with an RIA's cybersecurity efforts, the examination is likely to have an unhappy outcome.
In a June 25 speech, SEC Commissioner Luis Aguilar said, “Designating an information security officer and carrying cyber insurance are both commonsense precautions that have been shown to decrease the costs associated with data breaches, and it's disappointing so many firms fall short in these important areas.”
DON'T ASSUME YOU HAVE COVERAGE
Too many advisers assume they have cybersecurity coverage in their existing policies. They should document that they have reviewed their policies to ascertain whether coverage for cybersecurity events is adequate. As with any insurance policy, RIAs should take note of exclusions and deductibles. RIAs should make certain they have coverage for lawsuits arising from a cyber attack. A good policy also will cover the cost of notifying affected parties about the cyber breach. In addition, it is beneficial to have coverage for the cost of technical support to ensure that the cause of the breach has been identified and eradicated.
Policies and procedures show regulators that you take cybersecurity seriously. These policies and procedures should require the RIA to identify the cyber risks it faces and how the firm will manage them. Cybersecurity policies should be designed to protect the firm's networks and information. They also should address how the RIA will deal with the risks related to remote customer access, as well as funds transfer requests.
Policies and procedures should specify what steps will be taken to detect and eliminate unauthorized activity on the firm's website. In addition, they should spell out the cybersecurity risks arising from relationships with broker-dealers and other third parties, and how they will be addressed.
Cybersecurity policies and procedures should be communicated to all of the people associated with the firm, and RIAs should conduct cybersecurity training sessions. RIAs should also let clients and prospects know about their cybersecurity measures.
CYBERSECURITY INTERTWINED WITH MARKETING
Prospective clients are likely to question an RIA's cybersecurity efforts. If they feel insecure about your cybersecurity program, they may look elsewhere for an adviser.
On Jan. 25, the North American Securities Administrators Association issued an advisory to warn investors that they should discuss cybersecurity with their financial advisers. Among other questions, investors should ask whether the firm they are considering has addressed cybersecurity threats and vulnerabilities. Investors should also ask what safeguards are in place, such as encryption, antivirus and anti-malware programs.
In August, Reuters reported that more RIAs are attempting to educate clients about cybersecurity threats. A Pittsburgh RIA's seminar offered advice to combat cyber attacks, such as using a two-step process to log into email and creating stronger passwords. Clients were also given tips on how to evade email phishing attempts.
Providing cybersecurity education to clients and prospects can help thwart cyber crime and might be an effective marketing tool. RIAs should offer cybersecurity tips in their newsletters or on their websites. At marketing seminars or client events, RIAs should tell attendees what they do to protect their clients' privacy and confidential information.
As part of its marketing effort, one RIA arranged for a shredding service so clients and prospects might safely dispose of old paperwork and personal documents. Another firm bought an identity theft protection policy for clients.
LAPSES LEAD TO LOST CLIENTS
Cyber attacks can cause irreparable damage to an RIA. Once a firm has suffered a cybersecurity incident, clients and prospects may become very insecure about the firm's ability to protect their nest eggs. Furthermore, after an incident, an RIA may find it much more difficult to convince examiners that it takes cybersecurity seriously.
Les Abromovitz is a senior consultant with National Compliance Services and Regulatory Compliance, and the author of two books on compliance for investment advisers.