Cybersecurity looms as adviser business threat

Firms should be ready to invest more on technologies that thwart cybercriminals

May 22, 2017 @ 6:00 am

By Liz Skinner

U.S. officials have warned for many years that cybercrime is one of the greatest threats facing the nation, and now financial advisers have to face the reality that their businesses are also vulnerable to digital attacks.

News headlines regularly carry stories of broker-dealers and advisers increasingly being targeted by sophisticated hackers aiming for clients' personal information and funds. Wealth managers also are getting more attention from regulators, which are fining financial firms that fail to be mindful of cybersecurity, including all the actions of their employees and third-party partners.

"One of the biggest risks for advisers is that their firm will suffer a cybersecurity loss greater than their business can withstand," said Bernie Clark, head of Schwab Advisor Services.

Protecting advisory businesses today — and even more so tomorrow — requires executives to deploy resources to safeguard client data and firm systems from increasingly skillful cybercriminals.

Technology plays a large role in shielding firms, but due diligence in working with outside vendors and training employees may be just as important to preventing a breach, according to experts.

Advisers should be prepared to spend larger sums on cybersecurity systems in the years to come and to approach any new technology investment and system change with an emphasis on cybersecurity considerations, said Matt Sirinides, an InvestmentNews senior research analyst who helped produce the 2017 InvestmentNews Adviser Technology Study.

That report found that about 13% of large advisory firms, those with at least $5 million in revenue, already have endured a cybersecurity breach. About 6% of medium-sized firms were victims of attack, while none of the smallest firms, those with less than $1 million in revenue, said they had been breached.

[Chart: Have any of your firm-level or client data ever been compromised as the result of a security breach? Responses shown: Yes / Not sure]

Of the small firms, however, 6% reported that they were "not sure" if their business had been attacked, suggesting they are less sophisticated at even assessing their vulnerabilities, Mr. Sirinides said.

"Small firms are especially unprepared to handle cybersecurity issues and they most need to rely on outside help," he said.

Criminals appear to be ramping up cyberattacks aimed at small businesses, with 36% of incidents now focused on those with 100 or fewer employees, compared to 18% of attacks on small business in 2011, according to the National Cyber Security Alliance.


Fintech firms are helping arm advisers against cybercriminals, marketing systems that seek to balance online security concerns with features that still allow advisers to easily access client data and other systems from remote devices.

Some advisory firms are adopting External IT's cloud-based system for centralizing a firm's operating apps and data in one place because they don't want to take the reputational risk of an attack, said Sam Attias, External IT's managing director.

"We incorporate multifactor authentication, data encryption, security monitoring and other required controls for sensitive financial data," he said.

Firms also fear fines and other sanctions from regulators, including the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc., both of which have prioritized cybersecurity and are scrutinizing firm practices during routine examinations.

In one enforcement case finalized in June, the SEC fined Morgan Stanley Smith Barney $1 million for failing to adopt policies and procedures to safeguard client information.

Even more recently, a subsidiary of Lincoln Financial Group agreed six months ago to pay $650,000 to Finra for failing to put security policies in place that protected confidential customer information.

Oftentimes, employees' use of mobile devices can be the entry point for hackers.

"The biggest risk is the endpoint devices accessing firm data and them not being secured properly," Mr. Attias said.

In fact, in December Ameriprise Financial had to shut down the internet-connected backup drive that an adviser was using to synchronize files from his office to his home after it was discovered that client data were at risk.

[Chart: Does your firm utilize encryption on its files or devices? Is the encryption software required on all devices? Responses shown: Yes / No / Not sure]

One of the most popular defenses against hackers is encryption, which 89% of advisory firms said they use, the InvestmentNews technology study found. About three-quarters of those advisers said that encryption software is required on all computers, tablets, smartphones and other electronic devices they use at the firm to access client information.


In addition to the fintechs, the nation's large broker-dealers and custodians are helping to protect financial planners from the threat cybercriminals pose to their businesses by strengthening firewall protections and improving detection when someone suspicious gets into a financial institution's system.

At Schwab, the custodian recently instituted an electronic approval process called e-authorization, which includes steps such as the adviser attesting that he or she has verbally confirmed the details of the wire with the client and the client receiving an electronic request for approval that can be authorized from a mobile device.


"It has had one of the fastest adoption rates from advisers of anything we've introduced," Mr. Clark said. "Half of eligible transactions are already being conducted electronically."

Broker-dealers are testing adviser responses by sending out fake phishing scams and working on improvements with those who fail to avoid their traps. They're also encouraging use of dual-factor identification for client email.

But technology can only help so much because human error is often the cause of business breaches.

Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a 2016 Kaspersky Lab study. And many firms fall short when it comes to training employees on secure computer procedures.

About two-thirds of financial advisers spend two hours or less annually on cybersecurity training, according to a TD Ameritrade Institutional survey of advisers taken last year. One-third of advisers are spending 60 minutes or less a year.

"Training would be much better if it occurred more frequently for shorter periods," said Joel Bruckenstein, a financial industry technology consultant.

All firms need to have strict policies and procedures about handling data, as well as specific encryption and password rules.

"A firm's future rides on its ability to keep its clients' identity and wealth protected and secure," the InvestmentNews report concluded.

