Financial advisors are partners with the firms they represent in many ways. But while firms supply research and back-office expertise, advisors are on the front lines; as a result, they get credit when things go right — and take the blame when they don’t.
The advisor/firm partnership extends to cybersecurity, which is a growing threat. At least 88% of U.S. broker-dealers and 74% of advisors were targets of cyberattacks in 2014, according to a report from the U.S. Securities and Exchange Commission published in February 2015.
Technically, firms take lead roles in protecting client data, but if advisors bring malware or viruses into their work environments, even the best-protected systems can be vulnerable.
Although cybersecurity is a shared responsibility, the bulk of the burden falls on firms. In fact, advisors — many of whom are independent — rely on systems and tools that their firm’s internal information technology (IT) departments or external entities manage.
The challenges involved for firms and their advisors are growing as they relate to cybersecurity. According to the U.S. Financial Industry Regulatory Authority’s Report on Cybersecurity Practices, published in February 2015, the three major threats facing U.S. broker-dealers are hackers, insider threats and external operational risks
Hackers, whose actions have been making headlines in recent years, need no introduction. Think of the recent data breaches that Sony Corp., Target Corp. and Ashley Madison, for example, have faced. The publicity surrounding these events is actually a positive development thanks to the public awareness that they raised.
Insider threats are less widely discussed, due to the implication that they come, most of the time, from disgruntled employees. However, the operational risks insider threats pose are significant in their own right. You don’t need to force your way into a system if you’re already inside it. External operational risks, for their part — such as natural disasters — usually originate from the intrinsic way the business is conducted.
Although advisors might not be in a position to influence their employer’s operational practices directly, they could at least conduct self-assessments of their working environments to get a clear picture of the risks they may be facing. That process includes asking questions about the organization you represent. Following are key areas to consider:
1. Does your employer have a sound cybersecurity governance framework?
Strong leadership is essential. Without a “tone at the top,” the chances your firm has implemented a successful cybersecurity program are greatly diminished.
2. Is your employer conducting regular risk assessments?
Risk assessments – which start by conducting an inventory of existing IT assets and identifying potential vulnerabilities, are the foundational tools of any governance framework and key drivers for all mitigation measures. If your employer is not regularly attempting to identify possible threats, that’s a clear signal your clients may be vulnerable.
3. Does your employer have response plans in place and test them regularly?
Don’t take for granted that theoretical action steps will work when hell breaks loose. Response plans need to be tested at least annually. On a more personal note: backups are a key element of any response plan. You need to make sure that your employer tests them periodically by trying to recover your data. That’s because if your firm loses its data, you will lose yours too. I’ve seen this being overlooked so many times with dire consequences.
4. Is your employer exercising strong due diligence across the lifecycle of vendor relationships?
Don’t take for granted the security resilience of third parties. Don’t refrain from asking for evidence to see if your employer’s suppliers/supply chain partners are secure, reliable and reputable players.
5. Is your firm’s staff well trained?
Good people, who know the issues and are trained to take them on, are the most important defence against cyberattacks. Even well intentioned staff can become inadvertent vectors for successful cyberattacks through mistakes or inattention. Effective training helps minimize potential vulnerabilities and reduces the likelihood that any attacks will be successful.
In short, cybersecurity management is a complex process that requires an effective ongoing partnership between advisors and their firms.
If you realize that major gaps exist, it’s your professional responsibility to assess if your clients’ data and interest are properly protected and to take action if they’re not. Remember that few clients will praise the investment industry or their advisors if things go right; however, everyone will feel the pain if they don’t.