The biggest cyberthreat to a firm: Employees

The biggest cyberthreat for advisory firms may be right in the office.
Experts say internal hacking is an emerging danger for advisers, and to protect client data breaches from inside, advisers need to address security issues with employees, implement stronger policies to steer away potential data theft and keep tabs on employees’ Internet activities.
“All too often when people think of cybersecurity, they are thinking of a hacker or a virus,” Brian Edelman, chief executive of Financial Computer Services, a company that works primarily in cybersecurity, said. “It’s more than that.”
The issue of internal cyber security was in the headlines recently when Morgan Stanley claimed one of its advisers allegedly obtained data on thousands of clients. Some of the data ended up online and the question arose whether the broker sold the data — his lawyer said he did not — or whether his computer was hacked.
Morgan Stanley did not respond for comment.
“Morgan Stanley-type firms have a much different problem than a smaller or medium-sized RIA,” Greg Friedman, president of Junxure, a cloud-based customer relationship management software, said. “That being said, we should never underestimate the risk of that happening.”
Mr. Friedman, who is also the founder of the advisory firm Private Ocean Wealth Management in San Rafael, Calif., said his firm has recently decided to get cybersecurity insurance during the company’s review of insurance policies.
With the bulk of advisory firms not planning on spending money on cyber security this year even as regulators raise red flags, the issue looms large.
According to InvestmentNews‘ Outlook 2015 survey, only 30% of advisers plan to invest in cybersecurity in 2015.
Meanwhile, Securities and Exchange Commission officials believe that advisory firms face an increasing number of online attacks and the Financial Industry Regulatory Authority Inc. is examining more firms to get a handle on how they protect themselves from potential online threats.
In the SEC’s cybersecurity sweep report, the regulator found that 11% of broker-dealers and 4% of advisers reported internal hacking, but that 58% of broker-dealers and 21% of advisers have cybersecurity insurance in place.
At least one company thinks it has a solution.
External IT, which offers a cloud-based dashboard that links with 150 applications for registered investment advisers and brokers, is rolling out an upgrade to its product that focuses on internal hacks. Its new feature includes an activity page that tracks an adviser’s logins onto the system with location, time, IP address and device information. If there is a questionable login attempt, advisers will notice. At large firms, chief compliance or information officers can track the online activity of every employee through the External IT system.
External IT’s dashboard acts as the jumping off point for an adviser’s practice throughout the day, and links to applications like Salesforce and Microsoft Office. Advisory firms can decide if they want their advisers to sign in with a two-step process, which includes a token passcode to type in after a regular login and password. Firms can also implement a one-step login for web-based applications after signing into the cloud, where the adviser would not know his or her credentials to sign into the following applications.
The service costs between $150 to $200 per user per month, with an initial fee for setting up a firm’s IT system. The company has a partnership with Fidelity in which advisers custodying with Fidelity Institutional Wealth Services can access the External IT features at a reduced rate.
Sam Attias, vice president of financial services practice at External IT, said the firm is seeking to strike other partnerships with custodians, broker-dealers and advisory firm aggregators.
He added that the SEC’s cybersecurity sweep prompted the company to reevaluate its security features for advisers.
“The user now knows everything the firm can see,” Mr. Attias said. “They can pick up on a breach. It’s the visibility you had before but in a very restrictive environment.”
A more restrictive environment may be what advisory firms need.