What advisory firms should be doing on cybersecurity

Cybersecurity race
Wealth managers have fallen behind other financial firms in shoring up their cybersecurity, according to a recent survey by Arizent.

If the rising threats from malware, hacks, phishing and other breaches weren’t enough, the SEC has given financial advisors more reasons to shore up their cybersecurity.

New proposed rules issued in February would create “cybersecurity risk management” standards for all RIAs, such as new disclosures on Form ADV. It’s only the latest example of how advisory firms may be liable for breaches of the rules on top of any harm to clients, employees or their reputations from attacks by increasingly sophisticated bad actors.

Wealth managers have thus far reported a lower rate of incidents than firms from other areas of financial services. However, attacks and breaches in that sector are growing quickly, according to experts who say advisors and firms shouldn’t wait for client information to be compromised to take basic steps that banks and insurers have already adopted much more widely.

“Having a threat out there in the abstract is never as scary or real as having to deal with the real costs of a cyber breach,” said Jessica Penovich, senior director of RIA compliance firm Foreside's investment advisor consulting team. “The firms that are proactive about it and are proactive in assessing that risk and understanding where they have vulnerabilities are in a much better position.”

% of professionals who say they experienced a data breach

High stakes for safeguards
Many advisory firms and other wealth managers are failing to display that level of initiative when it comes to cybersecurity, according to a survey of 192 U.S. business leaders in the last two months of 2021 by Financial Planning’s parent firm Arizent. The group included 53 advisors and other wealth management executives sharing their biggest areas of concerns — ones which haven’t come to fruition on the same level as other financial firms. Just 19% of wealth managers reported a data breach in the last five years, compared to 41% of insurers and 48% of banks.

Asked what kind of attacks pose the greatest risk to their businesses, the most popular responses were: viruses, malware or ransomware (60%); a data breach by a hacker or another criminal element (52%); phishing or spear-phishing (50%); and an unintended breach caused by a third-party vendor (41%).

Wealth managers have ample reasons for concern, according to experts, and they haven’t been completely inactive. More than three-quarters require two-factor authorization to log in to their systems, and 79% mandate it for employees and vendors as well. Both figures are higher than that among banks and insurers.

On the other hand, wealth managers have fallen behind other financial firms when it comes to certain best practices. Only 21% conduct so-called white hat exercises in which their own team or an outside consultant attempts to hack into the infrastructure. A little more than a quarter, 28%, cut off access when they’re making patches in their systems, and just 34% periodically rehearse what they would do in the event of a breach. Wealth managers report much lower rates of adoption than professionals from other financial industries in all three categories.

Advisory and wealth firms often embrace the myth that, because they tend to be smaller firms in practices dispersed throughout the country, they’re less likely to be targeted, according to Brian Edelman, CEO of FCI, a managed security service provider to financial companies. Employees at such firms can fall into common traps such as forgetting to put security measures back in place after loosening them temporarily for any reason, Edelman said.

“When you have the ‘what if’ scenarios proactively, then you can ask yourself the question, ‘how do we prevent this from ever happening,’” he said. “Most of our best customers, unfortunately, come to us after they've had a breach, and wealth managers are being breached at an alarming rate.”

A majority of firms plan to boost cybersecurity spending

New potential regulations
The compromising of client accounts — especially their personally identifying information — carries an impact beyond the direct damage inflicted by any bad actors. In an enforcement case from last August, five firms that are part of Cetera Financial Group, Cambridge Investment Research and Advisor Group’s KMS Financial Services, paid a combined $750,000 in penalties to settle SEC allegations that they failed to protect clients’ accounts. In September 2018, Voya Financial Advisors agreed to pay $1 million to settle an SEC case accusing the firm of violating the Safeguards Rule and the Identity Theft Red Flags Rule.

Under the SEC’s proposal, RIAs would need to adopt and carry out procedures designed to prevent breaches and attacks, report “significant” incidents to the SEC as part of a new section of the Form ADV, bulk up other disclosures relating to cybersecurity, and maintain books and records about it. That means that many best practices are likely to turn into necessary actions if they’re not already part of the specifications under the guidelines of other federal agencies or state regulators.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisors and funds against cybersecurity threats and attacks,” SEC Chair Gary Gensler said in a February statement about the new potential standards.

The changing regulatory picture will prod other RIAs to mimic firms that have already folded cybersecurity procedures into their operations. Liberty Wealth Advisors, an RIA with $1.75 billion in assets under management, deploys “penetration tests” of its system twice a year to locate and address any deficiencies; requires a system and organizations control (SOC) II Type 2 report from every vendor evaluating their abilities to safeguard data; and carries out regular training of advisors, employees and clients, according to Chief Technology Officer Tony Brumley.

“If any data breach occurs, the business or the advisory firm in this case is actually who's accountable for the data breach,” Brumley said. “The business partner's kind of responsible, but all of the responsibility really falls back on the advisory firm.”

% who have adopted cybersecurity safeguards

3 steps RIAs should take
To help avoid a bad actor gaining access to client data or a regulator alleging deficiencies in their systems, RIAs and other wealth managers should test them regularly, according to Brumley and other experts. If their own teams don’t have the resources or personnel to act as the white hat hacker, they can hire outside firms to probe for weaknesses.

“All firms should be doing this at least once every 18 months or once a year. Once you do this exercise, you're able to tabulate a list of risk factors that you have in your organization,” said Sid Yenamandra, CEO of the Smarsh-owned RIA and brokerage compliance consultant Entreda. “You would be amazed at the kinds of gaping holes we find when we do these exercises.”

Wealthtech management consultant F2 Strategy advises clients to hire a managed service provider to conduct the testing, Director of Consulting Services Scott Lamont said in an email.

“Penetration testing is an important activity in your cybersecurity program,” Lamont said. “However, many of the wealth management firms we are working with have limited to no infrastructure of their own. What they do have is most likely limited to their corporate technology (Microsoft Office suite, etc.). We recommend they work with an MSP who can provide not only real-time support and monitoring, but also periodic testing of the firewalls, etc., to ensure they are sound.”

Advisory firms with small or even solo teams should also take a cue from star athletes who perform well under pressure, in part because they have rehearsed many of the clutch circumstances in practice sessions for years, according to experts.

“It all starts with putting together a comprehensive cybersecurity policy, and more specifically an incident response plan,” Yenamandra said. He recommends that firms practice their response to every possible type of breach or attack at least once a year as well.

For Private Advisor Group, a hybrid RIA with 700 advisors and $30 billion in client assets, having an incident response plan that the firm practices periodically is “crucial to any cybersecurity defense strategy,” Chief Information Officer Phil Coniglio said in an email. Since rushing in the moment to figure out the problem can lead to costly mistakes, he says advisory firms’ plans should include an explanation of its measures in each phase of an incident, an outline of procedures to follow and a designation of each team member’s role in them.

“Having a written incident response plan is just the beginning,” Coniglio said. “In order to ensure it’s effective, it must be tested periodically. For example, last year, Private Advisor Group went through a ransomware response exercise where the team outlined and discussed every step we would take and the time frame for addressing a hypothetical, yet common, ransomware attack scenario, something all wealth management firms should know how to navigate.

Tightening up any loopholes in firms’ systems on a regular basis, or “patching” them, is also important for cyber safety. Advisory firms should prohibit external data access in the time between the announcement of a patch and implementation of it, according to experts.

“I would always recommend minimizing access to data to only critical users of that data,” Foreside’s Penovich said. “Making sure that the security is up to date before having that system online is very important.”

The turnkey asset management program and outsourced investment technology firm AssetMark uses a “fairly automated” patching schedule with the vendors involved with the firm’s eWealthManager portal releasing their updates on a regular schedule, according to Jim Attaway, the firm’s chief information security officer.

“All of our patching is done offline, and then we roll things in,” Attaway said. “We decommission the old and bring in the new, so there's no chance for bad actors to get in the middle of that. … Any sort of malware that hits the environment that requires immediate action goes through an accelerated schedule.”

Looking forward
More help for RIAs is likely on the way. More than three-quarters of the respondents in the Arizent survey expect their cybersecurity budgets to grow in 2022. Over half of the wealth managers, 53%, said they believe the spending will increase by more than 10% from the previous year. Wealth managers who take the necessary steps to protect their clients, advisors and employees and document them fully could get ahead of the threats of attack and the risk of costly enforcement actions, said FCI’s Edelman.

“The authorities will accuse the advisor of being the bad actor first,” said Edelman, noting that it can become very helpful for firms that show evidence of their safeguards in writing. If not, he added, “You're not only going to be a victim of the bad actor, but you're going to be a victim of the system. We call that double victimization.”

For reprint and licensing requests for this article, click here.
Practice and client management Cyber security Data and information management SEC Cybersecurity and advisors 2022
MORE FROM FINANCIAL PLANNING