Data breaches ratchet up risks for financial advisory firms

Financial advisory​ firms of all kinds have received fair warning that they must strengthen their data security and client identity protocols.

The warning came in the form of the revelation of the huge Equifax cybersecurity breach, the Securities and Exchange Commission breach of 2016, and acknowledgement that the Internal Revenue Service was hacked twice this year — with a February breach exposing the Social Security numbers of at least 464,000 taxpayers. Further, Yahoo revealed that a 2013 security breach exposed information on all of its 3 billion user accounts.

This means that some combination of the names, addresses, passwords, Social Security numbers, birth dates and even driver’s licenses and telephone numbers of probably all adult Americans is available for purchase somewhere on the dark web. That in turn means every client of every financial adviser likely is vulnerable to having their assets stolen.

Millions of gateways

It also means hackers have millions of potential gateways through which to access the computer systems of financial firms. Those firms, large and small, will have to continuously step up their cybersecurity efforts, and that will take time and money as the pace and sophistication of cyberattacks are increasing.

Breaches that expose clients’ private information, such as was stolen from Equifax, make clients vulnerable to phishing campaigns by hackers. According to the Identity Thrift Resource Center (ITRC) almost half of 2017 hacking attacks involved phishing. Clients might be able to reduce the threat by changing email addresses and passwords, but driver’s licenses and especially Social Security numbers remain valid long after a breach.

(More: 7 ways for advisers to help shield clients from Equifax data hack)

Registered investment advisers and brokerages must continue to upgrade their cyberdefenses if they wish to avoid finding themselves in the glare of a cyberbreach spotlight. In particular, they must strengthen their client identification protocols before any transaction is carried out or information given out.

Each company can enhance its value to clients by reaching out to them, explaining how the company is enhancing its cyberdefenses and suggesting steps clients should take to protect themselves.

Through June 30, there were 791 cybersecurity breaches in 2017 that exposed more than 12,389,462 records, before the revelation of the Equifax breach, according to the ITRC and CyberScout, which track such attacks. The number of breaches was up 29% over the same period in 2016. During all of 2016, the number of breaches increased 40% over 2015.

The Equifax breach, because it exposed Social Security numbers and driver’s license numbers, along with other personal data of 145 million consumers, was likely the most damaging, as it provided hackers with potential tools with which to access those victims’ financial accounts.

The effects of this breach will likely be felt for many years as hackers slowly make use of the information gleaned from the Equifax files. For that reason, financial institutions will have to step up their client verification practices so they do not inadvertently hand client assets over to scammers.

New threats are constantly emerging. What was a solid defense last year might well be a porous one this year. Companies will have to constantly upgrade the defenses of their computers and constantly retrain their staffs on cybersafety practices. According to ITRC, employee error or negligence, or improper disposal of files, was responsible for 9% of data exposure in the first half of 2017. The good news is that figure was down from the same period in 2016.

No company wants to suffer a breach exposing client information, or a loss of client assets. Customers stop doing business with a breached company. According to the Ponemon Institute, a cybersecurity research organization, companies suffer a 7% loss of customers after a breach is reported. For public companies, the stock price drops 5% the day the breach is reported.

This will be an ongoing battle. It will not be “one and done.”