Ameriprise adviser's data breach offers cybersecurity lesson

Because employee carelessness is a leading factor in internet troubles, advisory firms should offer regular training on best practices, experts say

Dec 20, 2016 @ 1:27 pm

By Liz Skinner

Ameriprise Financial shut down the internet-connected backup drive its adviser was using to synchronize files from his office to his home as soon as it discovered client data was at risk earlier this month.

The Minneapolis-based firm, which manages about $796 billion in assets, said it was an isolated incident that pertained to only one adviser. But Ameriprise, which has about 10,000 advisers, still had to reach out to warn the clients of that unnamed adviser.

“We are taking swift and appropriate action to notify the approximately 350 impacted clients and protect their accounts from unauthorized activity,” the firm said in a statement Monday.

Stopping this kind of unsafe data handling is one of the greatest security challenges for financial firms, according to experts.

(More: Broker-dealers deploying advanced cybersecurity measures)

Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a recent study by Kapersky Labs.

“On the technology side of things, there is an increasing sophistication of firewall protection and detection if someone suspicious gets into a financial institution's system,” said Robert Cattanach, cybersecurity expert and law partner at Dorsey & Whitney, speaking generically about the financial industry. “Human error is a hard thing.”

Firms need to have strict policies and procedures about handling data, as well as specific encryption and password rules, he said.

(More: Cybersecurity solutions to weak passwords)

Also, training needs to be nonstop, Mr. Cattanach said.

Regulators continue to push initiatives in this area.

In September, New York's Department of Financial Services proposed rules requiring financial institutions have a cybersecurity program that would protect consumers, including written policies and a designated chief information security officer to oversee and enforce the program.

The rules also would mandate cybersecurity training for employees at financial institutions and require reporting of hacking attempts to the state within 72 hours of their discovery.

And in some cases, regulators have held financial firms liable for breaches.

An investment advisory firm agreed to pay $75,000 to settle Security Exchange Commission charges last year for failing to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals' personal information, including records of some of the firm's clients. The firm, R.T. Jones Capital Equities Management, stored personal client and other information on a third-party-hosted web server that was breached by an unknown hacker from China who gained access to the data, the SEC alleged.

In the Ameriprise case, Social Security numbers, bank authorization details and other information for the adviser's 350 clients were coming from a storage device in the adviser's home, according to a Dec. 15 MacKeeper blog post by internet security researcher Chris Vickery. He wrote that he found the client data on a random perusal of Shodan, a search engine for unsecured devices connected to the internet.

Mr. Vickery said he did not try to use any of the credentials to gain access to Ameriprise's internal network.

Mr. Cattanach said firms in general need to constantly be improving their cybersecurity procedures and monitors.

“Wherever we are today, tomorrow we're going to have to get better because the bad guys get better too,” he said.


What do you think?

View comments

Most watched


Young professionals see lots of opportunity to reinvent the advice experience

Members of the 2019 InvestmentNews class of 40 Under 40 have strategies to overcome the challenges of being young in a mature industry.


Young advisers envision a radically different business in five years

Fintech and sustainable investing are two factors being watched closely by some of the 2019 class of InvestmentNews' 40 Under 40.

Latest news & opinion

InvestmentNews' 2019 class of 40 Under 40

Our 40 Under 40 project, now in its sixth year, highlights young talent in the financial advice industry. These individuals illustrate the tremendous potential of those coming up in the profession. These stories will surprise, entertain, educate and inspire.

Galvin to propose fiduciary rule for Massachusetts brokers

The secretary of the commonwealth is proposing a fiduciary standard in response to an SEC investment-advice rule he views as too weak.

Summer reading recommendations from financial advisers

Here are some books that will keep you informed and entertained during summer's downtime

4 strategies for Roth conversions

There's never been a better time to do a Roth conversion, and here are several ways to go about it.

Cetera latest to be hit with data breach of personal information

Company is offering clients complimentary, two-year membership to an identity theft protection and credit monitoring service.


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting It'll help us continue to serve you.

Yes, show me how to whitelist

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print