U.S. officials have warned for many years that cybercrime is one of the greatest threats facing the nation, and now financial advisers have to face the reality that their businesses are also vulnerable to digital attacks.
News headlines regularly carry stories of broker-dealers and advisers increasingly being targeted by sophisticated hackers aiming for clients' personal information and funds. Wealth managers also are getting more attention from regulators, which are fining financial firms that fail to be mindful of cybersecurity, including all the actions of their employees and third-party partners.
"One of the biggest risks for advisers is that their firm will suffer a cybersecurity loss greater than their business can withstand," said Bernie Clark, head of Schwab Advisor Services.
Protecting advisory businesses today — and even more so tomorrow — requires executives to deploy resources to safeguard client data and firm systems from increasingly skillful cybercriminals.
Technology plays a large role in shielding firms, but due diligence in working with outside vendors and training employees may be just as important to preventing a breach, according to experts.
Advisers should be prepared to spend larger sums on cybersecurity systems in the years to come and to approach any new technology investment and system change with an emphasis on cybersecurity considerations, said Matt Sirinides, an InvestmentNews senior research analyst who helped produce the 2017 InvestmentNews Adviser Technology Study.
That report found that about 13% of large advisory firms, those with at least $5 million in revenue, already have endured a cybersecurity breach. About 6% of medium-sized firms were victims of attack, while none of the smallest firms, those with less than $1 million in revenue, said they had been breached.
Of the small firms, however, 6% reported that they were "not sure" if their business had been attacked, suggesting they are less sophisticated at even assessing their vulnerabilities, Mr. Sirinides said.
"Small firms are especially unprepared to handle cybersecurity issues and they most need to rely on outside help," he said.
Criminals appear to be ramping up cyberattacks aimed at small businesses, with 36% of incidents now focused on those with 100 or fewer employees, compared to 18% of attacks on small businesses in 2011, according to the National Cyber Security Alliance.
Fintech firms are helping arm advisers against cybercriminals, marketing systems that seek to balance online security concerns with features that still allow advisers to easily access client data and other systems from remote devices.
Some advisory firms are adopting External IT's cloud-based system for centralizing a firm's operating apps and data in one place because they don't want to take the reputational risk of an attack, said Sam Attias, External IT's managing director.
"We incorporate multifactor authentication, data encryption, security monitoring and other required controls for sensitive financial data," he said.
Firms also fear fines and other sanctions from regulators, including the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc., both of which have prioritized cybersecurity and are scrutinizing firm practices during routine examinations.
In one enforcement case finalized in June, the SEC fined Morgan Stanley Smith Barney $1 million for failing to adopt policies and procedures to safeguard client information.
Even more recently, a subsidiary of Lincoln Financial Group agreed six months ago to pay $650,000 to Finra for failing to put security policies in place that protected confidential customer information.
Oftentimes, employees' use of mobile devices can be the entry point for hackers.
"The biggest risk is the endpoint devices accessing firm data and them not being secured properly," Mr. Attias said.
In fact, in December Ameriprise Financial had to shut down the internet-connected backup drive that an adviser was using to synchronize files from his office to his home after it was discovered that client data were at risk.
One of the most popular defenses against hackers is encryption, which 89% of advisory firms said they use, the InvestmentNews technology study found. About three-quarters of those advisers said that encryption software is required on all computers, tablets, smartphones and other electronic devices they use at the firm to access client information.
In addition to the fintechs, the nation's large broker-dealers and custodians are helping to protect financial planners from the threat cybercriminals pose to their businesses by increasing firewall protections and improving detection when someone suspicious gets into a financial institution's system.
At Schwab, the custodian recently instituted an electronic approval process called e-authorization, which includes steps such as the adviser attesting that he or she has verbally confirmed the details of the wire with the client and the client receiving an electronic request for approval that can be authorized from a mobile device.
"It has had one of the fastest adoption rates from advisers of anything we've introduced," Mr. Clark said. "Half of eligible transactions are already being conducted electronically."
Broker-dealers are testing adviser responses by sending out fake phishing scams and working on improvements with those who fail to avoid their traps. They're also encouraging use of dual-factor identification for client email.
But technology can only help so much because human error is often the cause of business breaches.
Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a 2016 Kaspersky Lab study. And many firms fall short when it comes to training employees on secure computer procedures.
About two-thirds of financial advisers spend two hours or less annually on cybersecurity training, according to a TD Ameritrade Institutional survey of advisers taken last year. One-third of advisers are spending 60 minutes or less a year.
"Training would be much better if it occurred more frequently for shorter periods," said Joel Bruckenstein, a financial industry technology consultant.
All firms need to have strict policies and procedures about handling data, as well as specific encryption and password rules.
"A firm's future rides on its ability to keep its clients' identity and wealth protected and secure," the InvestmentNews report concluded.