Cybersecurity for the insecure RIA

Ways to prevent a bad outcome when examiners come to assess your cybersecurity efforts
NOV 19, 2015
Investment advisers have a great many reasons to feel anxious and not just because of the stock market's volatility. Registered investment advisers and investment adviser representatives face the risk of cyber attacks against their firms and their clients. If those risks weren't enough to cause advisers to be insecure, they also must be concerned that securities regulators will criticize their efforts to address cyber threats. Both the Securities and Exchange Commission and state securities regulators assess RIAs' cybersecurity preparedness during compliance examinations. If examiners are disappointed with an RIA's cybersecurity efforts, the examination is likely to have an unhappy outcome.

In a June 25 speech, SEC Commissioner Luis Aguilar said, “Designating an information security officer and carrying cyber insurance are both commonsense precautions that have been shown to decrease the costs associated with data breaches, and it's disappointing so many firms fall short in these important areas.”

DON'T ASSUME YOU HAVE COVERAGE

Too many advisers assume they have cybersecurity coverage in their existing policies. They should document that they have reviewed their coverage to ascertain whether there is adequate coverage for cybersecurity events. As with any insurance policy, RIAs should take note of exclusions and deductibles. RIAs should make certain they have coverage for lawsuits arising from a cyber attack. A good policy also will cover the cost of notifying affected parties about the cyber breach. In addition, it is beneficial to have coverage for the cost of technical support to ensure that the cause of the breach has been identified and eradicated.

Policies and procedures show regulators that you take cybersecurity seriously. These policies and procedures should require the RIA to identify the cyber risks it faces and how the firm will manage them. Cybersecurity policies should be designed to protect the firm's networks and information.
They also should address how the RIA will deal with the risks related to remote customer access, as well as funds transfer requests. Policies and procedures should specify what steps will be taken to detect and eliminate unauthorized activity on the firm's website. In addition, they should spell out the cybersecurity risks arising from relationships with broker-dealers and other third parties, and how they will be addressed.

Cybersecurity policies and procedures should be communicated to all of the people associated with the firm, and RIAs should conduct cybersecurity training sessions. RIAs should also let clients and prospects know about their cybersecurity measures.

CYBERSECURITY INTERTWINED WITH MARKETING

Prospective clients are likely to question an RIA's cybersecurity efforts. If they feel insecure about your cybersecurity program, they may look elsewhere for an adviser. On Jan. 25, the North American Securities Administrators Association issued an advisory to warn investors that they should discuss cybersecurity with their financial advisers. Among other questions, investors should ask whether the firm they are considering has addressed cybersecurity threats and vulnerabilities. Investors should also ask what safeguards are in place, such as encryption, antivirus and anti-malware programs.

In August, Reuters reported that more RIAs are attempting to educate clients about cybersecurity threats. A Pittsburgh RIA's seminar offered advice to combat cyber attacks, such as using a two-step process to log into email and creating stronger passwords. Clients were also given tips on how to evade email phishing attempts.

Providing cybersecurity education to clients and prospects can help thwart cyber crime and might be an effective marketing tool. RIAs should offer cybersecurity tips in their newsletters or on their websites. At marketing seminars or client events, RIAs should tell attendees what they do to protect their clients' privacy and confidential information.
As part of its marketing effort, one RIA arranged for a shredding service so clients and prospects might safely dispose of old paperwork and personal documents. Another firm bought an identity theft protection policy for clients.

LAPSES LEAD TO LOST CLIENTS

Cyber attacks can cause irreparable damage to an RIA. Once a firm has suffered a cybersecurity incident, clients and prospects may become very insecure about the firm's ability to protect their nest eggs. Furthermore, after an incident, an RIA may find it much more difficult to convince examiners that it takes cybersecurity seriously.

Les Abromovitz is a senior consultant with National Compliance Services and Regulatory Compliance, and the author of two books on compliance for investment advisers.
