Maintaining cybersecurity and data privacy at a modern advisory firm
Data security continues to increase in importance for financial advisory firms. With the ever-growing use of data across our industry, especially sensitive financial information, financial advisory firms must ensure data privacy and security for themselves and their clients.
Unfortunately, financial advisors are prime targets for cybercriminals, whose techniques for obtaining, using, or selling sensitive data are becoming more sophisticated and harder to identify.
According to Cerulli, more than 80% of advisors believe that their practice is prepared for cybersecurity threats, which may reflect overconfidence in the face of elaborate, targeted attacks. A Chief Technology Officer (CTO) quoted in the report said, “This is concerning for smaller independent firms that piece their tech stacks together for the sake of costs because, ultimately, your preparedness is as secure as your weakest link.”
Research indicates that in Q4 2021, financial services companies reported 703 cyber attack attempts per week, a 53% increase over the same period of the previous year. The financial consequences of these breaches continue to rise as well: IBM and the Ponemon Institute reported that the average cost of a data breach in the financial sector was $5.72 million in 2021.
To address ongoing cybersecurity and data privacy risks, the Securities and Exchange Commission (SEC) proposed cybersecurity risk management rules for registered investment advisers and funds in February 2022 to establish explicit cybersecurity compliance and breach notification requirements, including:
- Regular risk assessment of information systems; controls designed to minimize user-related risks; threat and vulnerability management; and incident response and recovery procedures
- Annual reviews of the above procedures, as well as written reports detailing the review’s findings
- The requirement to report significant cybersecurity incidents to the SEC within 48 hours of having a reasonable basis to conclude that such an incident has occurred or is occurring
- Disclosure of cybersecurity risks and/or incidents to clients
- The obligation to maintain records regarding cybersecurity programs for five years
Four common cybersecurity threats
Cybercrime is becoming more advanced and, therefore, more challenging to stay ahead of, but there are still four common threats financial advisors can and should be vigilant about:
Phishing: Cybercriminals send emails or messages that appear to come from a reputable or well-known source, such as a financial institution, government agency, or client, to trick the recipient into providing sensitive information or clicking a malicious link. Firms should implement robust training programs so employees can recognize and report phishing attempts, and back that training with technical controls, such as multi-factor authentication and sender authentication (SPF, DKIM, DMARC), that limit what a successful phish can achieve.
Malware: Malicious software designed to damage a system or gain unauthorized access to a network. Security software can detect and remove much of it, but advisors should also have procedures to respond quickly, including isolating the affected machine, if they suspect a system has been compromised.
Ransomware: A form of malware that encrypts a victim’s files and demands a ransom in exchange for the decryption key. Advisory firms need a disaster recovery plan that includes regular data backups so systems can be restored after an attack; the backups must be kept offline or otherwise isolated so the attacker cannot encrypt them too, and restores should be tested periodically.
Social engineering: The use of deception to manipulate individuals into divulging sensitive information or taking an action such as changing wire instructions. Comprehensive employee training reduces the risk, but it should be paired with procedures that do not rely on judgment alone, such as confirming any request involving money or credentials through a second, independently obtained channel.
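As an added example (not code from the article or from any vendor it mentions), the script below is a small triage check for inbound mail that flags the impersonation tricks the phishing and social-engineering items describe: a display name that claims a trusted organisation while the address comes from somewhere else, a sender domain that is a near lookalike of a trusted domain (one character off, a homoglyph swap such as rn for m, or the trusted name used as a subdomain), and link text that names one domain while the href points to another. The trusted-domain table, the organisation names and the three sample messages are constructed for illustration; a real deployment would combine this with the mail gateway’s SPF/DKIM/DMARC results rather than rely on header text alone.

```python
# Added example (not code from the original article): a triage check for
# inbound mail that flags the impersonation tricks described above. The
# trusted-domain table and the sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Domains the firm legitimately corresponds with, mapped to the organisation
# name a genuine display name would use (constructed for this example).
TRUSTED = {
    "examplecustodian.com": "example custodian",
    "ourfirm.example": "our firm",
    "irs.gov": "irs",
}

# Character swaps commonly used to build lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(domain):
    """Fold homoglyph swaps so 'exarnple.corn' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; one edit apart is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_domain(domain):
    """Trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in TRUSTED:
        return None
    n = normalise(domain)
    for trusted in TRUSTED:
        t = normalise(trusted)
        # exact after homoglyph folding, one typo away, or trusted name used as a subdomain
        if n == t or edit_distance(n, t) == 1 or n.startswith(t + "."):
            return trusted
    return None


def check_message(raw):
    """Findings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    target = imitated_domain(domain)
    if target:
        findings.append(f"sender domain {domain} imitates {target}")

    # Display name claims a trusted organisation but the address is elsewhere.
    for trusted, org in TRUSTED.items():
        if re.search(r"\b" + re.escape(org) + r"\b", name.lower()) and domain != trusted:
            findings.append(f"display name claims {org!r} but address is @{domain}")

    # Visible link text names one domain while the href points to another.
    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', body, re.I):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
        if shown and shown.group(0).lower() != href_host:
            findings.append(f"link text shows {shown.group(0)} but points to {href_host}")
    return findings


# Constructed sample messages: one genuine, two impersonation attempts.
LEGIT = """From: Example Custodian Statements <statements@examplecustodian.com>
Content-Type: text/html

<p>Your statement is at <a href="https://examplecustodian.com/portal">examplecustodian.com/portal</a>.</p>
"""

PHISH = """From: Example Custodian Support <alerts@examplecustodlan.com>
Content-Type: text/html

<p>Verify now at <a href="http://examplecustodlan.com/login">examplecustodian.com/login</a>.</p>
"""

SUBDOMAIN_PHISH = """From: IRS Refund Dept <refund@irs.gov.verify-tax.net>
Content-Type: text/plain

Your refund is pending. Reply with your account details.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH), ("subdomain", SUBDOMAIN_PHISH)):
        print(label, check_message(raw) or "clean")
```

The genuine message produces no findings; the lookalike message trips all three checks (sender domain one letter off, display name claiming the custodian, link text that does not match its target); the subdomain message trips two. The homoglyph table and the one-edit threshold are deliberately coarse, so treat hits as a reason to look closer, not as proof of fraud.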
The impact of COVID-19
While it may seem counterintuitive given how rapidly digital adoption accelerated during COVID-19, the pandemic may have improved data practices in some ways. The broader adoption of digital ways of working, with an uptick in the use of virtual meetings, client portals, and e-signatures, has improved the quality of the data firms hold and how they manage and maintain it.
Client portals have proved especially useful, providing a secure, authenticated channel for collecting information from clients and making personal data available to them. Given the high potential for human error when information is emailed or posted to clients, such as a misaddressed message or a document sent to the wrong recipient, this approach is strongly preferable to those methods.
Software and technology maintenance
Keeping software and applications updated is vital to maintaining data privacy, as outdated versions often contain bugs and known security vulnerabilities that the vendor has already fixed. Technology providers in the advisory sector typically release updates on a regular schedule, or as needed, to address newly discovered vulnerabilities. These should be applied as soon as practical, obtained only through the vendor’s official update channel, to mitigate cybersecurity risks and remain compliant with regulatory requirements.