TD Ameritrade Institutional's National LINC Conference kicked off Wednesday with an in-depth look at how financial advisors and their staff can best protect their clients' data while remaining in the clear with regulators.
Theresa Payton, the White House chief information officer during the George W. Bush administration, told conference attendees that hackers are now considered the biggest threat to national security. With new malware being discovered every 90 seconds and with people’s lives becoming increasingly connected with the so-called “Internet of things,” it’s impossible to make a firm completely immune to a data breach, she said.
But that doesn’t mean advisors can’t prepare. According to Payton, 95 percent of breaches in the last two years were the result of human error. Simply fooling the user caused 78 percent of these breaches.
Education and awareness go a long way, but Payton suggested a tactic based on her experience at the White House: identify the firm's most important assets and devote the most resources to guarding them.
“If a breach is inevitable and you can’t protect it all, you’ve got to get really laser beam focused,” Payton said. “If [an] asset were held for ransom or destroyed or published on the Internet… if that would create a situation where [your firm] would cease to exist as a company, [then] that is a top-tier most critical asset.”
Once a firm’s resources are appropriately dedicated, Payton suggested adding additional layers of security and even segmenting access to it from the rest of the network. Too often, she said, firms are giving the same protection to joke emails as they are to M&A data.
“If you’re focused on the top assets, the other ones around them are going to be safer.”
Take for example the case of R.T. Jones, which in September became the first firm caught in violation of the Securities and Exchange Commission's new cybersecurity standards. Even though the firm did everything correctly after the breach and there were no victims, the SEC still fined it $75,000.
“That was really a shot across the bow to say, ‘we don’t care what you do after the fact, we expect you to take steps and act reasonably before the breach,’” said Craig Moreshead, the director of compliance at Regulatory Compliance, who echoed Payton’s sentiment that there is no guarantee against a breach. To minimize the risk of regulatory penalties or sanctions, firms need to reduce their exposure proactively, before an incident occurs.
The key things the SEC is looking for are a pre-determined strategy to prevent, detect and respond to threats, and evidence that the strategy is implemented through policies, staff training, monitoring and client education. Finally, the strategy should be periodically assessed and updated.
Brian Edelman, the CEO of Financial Computer, said creating a cybersecurity assessment is actually quite similar to creating a financial plan. After assembling a team and discussing what the plan looks like, the staff collects data on the firm’s assets just as they would with a new client questionnaire. After auditing and validating the data, managers educate staff, send out reports, sign off on the plan, and regularly reassess and update it.
Edelman also included a few concrete security suggestions: use a corporate firewall, enable full-disk encryption on every computer, encourage two-factor authentication, manage passwords, and never connect to a free, open Wi-Fi network.
“If you connect to an open Wi-Fi, I guarantee I can take over your computer, no matter what tools you have,” Edelman said. “If you have these tools in place, at the end of the breach you’re not going to get a fine by the SEC and you’re not going to be held to reporting requirements that you don’t want to do.”
Payton echoed this statement, saying it is much safer to rely on cell phone data or a personal Wi-Fi hotspot. If an advisor absolutely must log onto a free Wi-Fi network, they should use a Virtual Private Network and a proxy server. She added that she expects the rise of “ransomware,” malicious code that locks up data and demands a paid ransom to release it. These attacks often arrive as disguised links in emails that are getting increasingly hard to spot, and she urged advisors to include this sort of attack in their plan.
"What you want to be thinking about is if there is a way for someone to socially engineer your company, get in the door, trick [you], and get to [your] top-10 most critical assets," Payton said. "It’s not just about training, it's designing how your data is segmented to begin with, because your employees are going to make mistakes."