Sponsored by The Investment Center, Inc.
Robert Fernandes
Chief Information Security Officer
The Investment Center, Inc.
Why is it important for advisors to create a cybersecurity strategy?
It first must be acknowledged that cybersecurity has been a focus for the regulators over the last few years. The importance of data security should be on the minds of all advisors. As a trusted professional, you are obligated to protect your client data as well as your branch data, which is the backbone of your practice. Data breaches are costly to both advisors and clients. With any breach, there is the risk of large fines, on top of the potential loss of money to you and your client. Any type of security infraction can ruin your reputation, even if no money is ever lost.
According to The Sophos State of Ransomware 2021 report, 54% of those that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack. 96% of those whose data was encrypted got their data back in the most significant ransomware attack. The average ransom paid by mid-sized organizations was US$170,404. However, on average, only 65% of the encrypted data was restored after the ransom was paid. The average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc. was US$1.85 million. For medium to small-sized businesses, the costs could be catastrophic, and in some cases cause the firm to go out of business.
How should advisors go about building a cybersecurity strategy?
Most wealth management firms already have policies and procedures in place which should be reviewed regularly to confirm they are up to date with current standards and best practices. Don't take shortcuts. This isn't just about compliance; this is about doing what your clients hired you to do in the first place: protect their assets. You can't do that if you aren't adequately securing their data. Just think about the unintended consequences if clients found out that their data was breached by their trusted financial advisor.
Start with the policies and procedures provided to you by your broker-dealer. Take them seriously, then perform your own internal risk assessment. You know your office, your business, and your clients better than anyone else. If you have staff in your office, you should make sure they understand the policies from the broker-dealer and the office policies. Look around, try to put yourself in the mindset of an attacker, and look for your vulnerabilities and risks. Then find ways to prevent or mitigate those risks. You and your staff should work closely with your firm’s cybersecurity department to help guide you through the process of establishing your office policies.
What should an advisor’s priorities be?
As mentioned, use your firm's policies and procedures as a starting point for your priorities. You and your staff should then perform an assessment. Start with a detailed spreadsheet of all locations where your client data is stored, such as computer servers, cloud service providers, third-party vendors, and other wealth management platforms, email inboxes, etc. Don't forget to include physical paper locations. Are those locations secured? If you own these systems or locations where the data is stored, work with your firm’s cybersecurity team for guidance on how to secure it properly. All third-party data should be protected using encryption, strong passwords, and multi-factor authentication at a minimum. Ask them to send you their security documentation and have your firm's cybersecurity team review it to ensure that it meets their approvals.
What do you see as an industry challenge in protecting sensitive data?
When the Covid-19 pandemic hit, it was a turning point for our industry in which everything changed. Back offices and branches transformed into new work-from-home scenarios, and this will likely end up being the new norm in some fashion. This presents a challenge because you are expected to provide the same level of security for your client data whether you are in a formal office or working from home.
The concept of security has been changing and evolving over the years, but the Covid-19 pandemic sped up this process. One key component is understanding that the data and employees are no longer in a secure fortress protected by firewalls. Today, data is spread out and so are employees. That data needs to be protected wherever it resides, and only the people who need to access it should be able to, in a secure fashion.
The work-from-home model has amplified cyberattacks. When employees are spread out, the attack surface grows. This is one of the reasons why ransomware attacks have been increasing exponentially. Ransomware is also growing due to its ease of implementation. Today, anyone can sign up with a ransomware-as-a-service (RaaS) provider. To use such a service, the only thing that criminals have to do is enter an email list and click run. Ransomware is a huge threat to all of us right now. Everyone at every level must pay attention and proceed with extreme caution.
Where do you see opportunity?
Cybersecurity is a big topic these days with it all over news headlines and on social media. Clients will soon start asking cybersecurity questions, if they haven't already. Many advisors don't spend too much time thinking about cybersecurity issues. As a financial advisor, you view service and relationship building as key components of your practice. You should not neglect to include cybersecurity as one of those key initiatives.
Once the necessary steps to become more secure have been taken, then you can use that as a tool to attract and retain more clients. Securing client data and knowing the answers to your clients’ cybersecurity questions can make a huge difference. I believe we will start seeing a new wave of clients who view cybersecurity policies and procedures as a priority in choosing an advisor. Implementing a strong cybersecurity strategy now will go a long way not only in securing and protecting your clients’ data and in turn your practice, but will also be a great strategic tool helping you stand out among your competition.