Cybersecurity looms as adviser business threat

Firms should be ready to invest more on technologies that thwart cybercriminals
MAY 22, 2017

U.S. officials have warned for many years that cybercrime is one of the greatest threats facing the nation, and now financial advisers have to face the reality that their businesses are also vulnerable to digital attacks.

News headlines regularly carry stories of broker-dealers and advisers increasingly being targeted by sophisticated hackers aiming for clients' personal information and funds. Wealth managers also are getting more attention from regulators, which are fining financial firms that fail to be mindful of cybersecurity, including all the actions of their employees and third-party partners.

"One of the biggest risks for advisers is that their firm will suffer a cybersecurity loss greater than their business can withstand," said Bernie Clark, head of Schwab Advisor Services.

Protecting advisory businesses today — and even more so tomorrow — requires executives to deploy resources to safeguard client data and firm systems from increasingly skillful cybercriminals. Technology plays a large role in shielding firms, but due diligence in working with outside vendors and training employees may be just as important to preventing a breach, according to experts. Advisers should be prepared to spend larger sums on cybersecurity systems in the years to come and to approach any new technology investment and system change with an emphasis on cybersecurity considerations, said Matt Sirinides, an InvestmentNews senior research analyst who helped produce the 2017 InvestmentNews Adviser Technology Study. That report found that about 13% of large advisory firms, those with at least $5 million in revenue already have endured a cybersecurity breach. About 6% of medium-sized firms were victims of attack, while none of the smallest firms, those with less than $1 million in revenue, said they had been breached.
Have any of your firm-level or client data ever been compromised as the result of a security breach
YesNot sure

Of the small firms, however, 6% reported that they were "not sure" if their business had been attacked, suggesting they are less sophisticated at even assessing their vulnerabilities, Mr. Sirinides said. "Small firms are especially unprepared to handle cybersecurity issues and they most need to rely on outside help," he said. Criminals appear to be ramping up cyberattacks aimed at small businesses, with 36% of incidents now focused on those with 100 or fewer employees, compared to 18% of attacks on small business in 2011, according to the National Cyber Security Alliance. TECH ROLE Fintech firms are helping arm advisers against cybercriminals, marketing systems that seek to balance online security concerns with features that still allow advisers to easily access client data and other systems from remote devices. Some advisory firms are adopting External IT's cloud-based system for centralizing a firm's operating apps and data in one place because they don't want to take the reputational risk of an attack, said Sam Attias, External IT's managing director. "We incorporate multifactor authentication, data encryption, security monitoring and other required controls for sensitive financial data," he said. Firms also fear fines and other sanctions from regulators, including the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc., both of which have prioritized cybersecurity and are scrutinizing firm practices during routine examinations. In one enforcement case finalized in June, the SEC fined Morgan Stanley Smith Barney $1 million for failing to adopt policies and procedures to safeguard client information. Even more recently, a subsidiary of Lincoln Financial Group agreed six months ago to pay $650,000 to Finra for failing to put security policies in place that protected confidential customer information. Oftentimes, employees' use of mobile devices can be the entry point for hackers. "The biggest risk is the endpoint devices accessing firm data and them not being secured properly," Mr. Attias said. In fact, in December Ameriprise Financial had to shut down the internet-connected backup drive that an adviser was using to synchronize files from his office to his home after it was discovered that client data were at risk.
Does your firm utilize encryption on its files or devices?
Is the encryption software required on all devices?
YesNoNot sure

One of the most popular defenses against hackers is encryption, which 89% of advisory firms said they use, the InvestmentNews technology study found. About three-quarters of those advisers said that encryption software is required on all computers, tablets, smartphones and other electronic devices they use at the firm to access client information. CORPORATE RESOURCES In addition to the fintechs, the nation's large broker-dealers and custodians are helping to protect financial planners from the threat cybercriminals pose to their businesses by increasing firewall protections and detections if someone suspicious gets into a financial institution's system. At Schwab, the custodian recently instituted an electronic approval process called e-authorization, which includes steps such as the adviser attesting that he or she has verbally confirmed the details of the wire with the client and the client receiving an electronic request for approval that can be authorized from a mobile device.
We incorporate multifactor authentication, data encryption, security monitoring and other required controls for sensitive financial data" Sam AttiasExternal ITManaging Director

"It has had one of the fastest adoption rates from advisers of anything we've introduced," Mr. Clark said. "Half of eligible transactions are already being conducted electronically." Broker-dealers are testing adviser responses by sending out fake phishing scams and working on improvements with those who fail to avoid their traps. They're also encouraging use of dual-factor identification for client email. But technology can only help so much because human error is often the cause of business breaches. Careless actions of employees are responsible for about 59% of cyberattacks on businesses, according to a 2016 Kapersky Labs study. And many firms fall short when it comes to training employees on secure computer procedures. About two-thirds of financial advisers spend two hours or less annually on cybersecurity training, according to a TD Ameritrade Institutional survey of advisers taken last year. One-third of advisers are spending 60 minutes or less a year. "Training would be much better if it occurred more frequently for shorter periods," said Joel Bruckenstein, a financial industry technology consultant. All firms need to have strict policies and procedures about handling data, as well as specific encryption and password rules. "A firm's future rides on its ability to keep its clients' identity and wealth protected and secure," the InvestmentNews report concluded.

Latest News

Judge OKs more than $90 million in settlement money for GWG investors
Judge OKs more than $90 million in settlement money for GWG investors

Mayer Brown, GWG's law firm, agreed to pay $30 million to resolve conflict of interest claims.

Fintech bytes: Orion and eMoney add new planning, investment tools for RIAs
Fintech bytes: Orion and eMoney add new planning, investment tools for RIAs

Orion adds new model portfolios and SMAs under expanded JPMorgan tie-up, while eMoney boosts its planning software capabilities.

Retirement uncertainty cuts across generations: Transamerica
Retirement uncertainty cuts across generations: Transamerica

National survey of workers exposes widespread retirement planning challenges for Gen Z, Millennials, Gen X, and Boomers.

Does a merger or acquisition make sense for your firm? Why now is the perfect time to secure your firm’s future
Does a merger or acquisition make sense for your firm? Why now is the perfect time to secure your firm’s future

While the choice for advisors to "die at their desks" might been wise once upon a time, higher acquisition multiples and innovations in deal structures have created more immediate M&A opportunities.

Raymond James continues recruitment run with UBS, Morgan Stanley teams
Raymond James continues recruitment run with UBS, Morgan Stanley teams

A father-son pair has joined the firm's independent arm in Utah, while a quartet of planning advisors strengthen its employee channel in Louisiana.

SPONSORED RILAs bring stability, growth during volatile markets

Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.

SPONSORED Beyond the dashboard: Making wealth tech human

How intelliflo aims to solve advisors' top tech headaches—without sacrificing the personal touch clients crave