Financial advisers should be spending about three times as much time training their staff each year on how to protect the firm and client data from cybersecurity dangers, experts said.
About two-thirds of financial advisers spend two hours or less annually on cybersecurity training, according to a TD Ameritrade Institutional survey of advisers taken last year. One third of advisers are spending an hour or less.
“Most firms do it only once a year and cram in an hour or two, and that's totally insufficient,” said Joel Bruckenstein, a financial industry technology consultant. “Training would be much better if it occurred more frequently for shorter periods.”
Firms generally should aim to provide about 30 minutes of training each month to everyone at the firm, going over the latest cyberscams that are going around and reminding everyone about safe online procedures and password safety, he said.
About 6% of firms spend seven hours or more on cybersecurity training, the survey found.
The cybersecurity guidance issued by the Security and Exchange Commission's Office of Compliance Inspections and Examinations said employees can be a firm's first line of defense if they are properly trained to recognize suspicious activity and understanding the firm's procedures when it comes to reporting issues. Without proper training, though, employees can put a firm's data at risk, it said.
Jared Hoffman, managing director of operations for Buckingham Strategic Wealth, said his firm recognizes the importance of training and hosts several mandatory sessions for employees every year, as well as additional specialized sessions every couple of months.
“This is not a one-time thing. It's constantly evolving because there are new, big scams all the time,” he said.
Training that focuses on specific examples of, for instance, a social engineering email or a fake call from the Internal Revenue Service, are especially effective at making employees see their vulnerabilities and understanding the seriousness of the issue, he said.
“We keep adapting the presentations to what's happening in the real world,” Mr. Hoffman said.
Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a recent study by Kapersky Labs.
Last year Ameriprise Financial had to take action when one of its advisers was discovered to be putting client data at risk by synchronizing files from his office to his home in an unsecure way. The Minneapolis-based firm had to reach out to warn clients about the risk.
About 3% of advisers said they've had firm-level or client data compromised because of a security breach, according to preliminary data from a recent InvestmentNews adviser technology benchmarking study. About 4% of advisers were not sure if data had been compromised, the study found.
The areas that SEC examiners may look at when they evaluate a firm's cybersecurity preparedness focus on how training is tailored to specific job functions and how the training encourages employees to be responsible, the OCIE guide said.
Brian Edelman, chief executive of Financial Computer Inc., said advisory firms should make sure they are following all the guidance from the SEC if they want to make it through an examination.
“This isn't something the regulators are grading, they just want to see that you're acting on this,” he said.
About half of advisory firms have documented cybersecurity training plans and procedures in place, the TD Ameritrade Institutional survey found.