Every advisor who participated in Investment Executive’s 2024 Report Card series was asked, in a supplementary question, to rate their firms based on the degree to which they felt confident in the cybersecurity measures in place — and the results were encouraging.
As the financial advice industry and its regulators continue to grapple with the potential risks tied to the growing use of digital tools and artificial intelligence, the advisors surveyed across this year’s three Report Cards graded their firms well, on average. Each advisor was asked to rate, on an ascending scale of zero to 10, their firm’s or bank’s efforts to increase cybersecurity and combat data attacks. The average rating, collectively, was 8.9.
The result was highest for the brokerage firms, a group assessed in the Brokerage Report Card, at 9.1. In that channel, advisors generally believed in the value of solid cybersecurity protocols. While restrictive technology measures at times hampered their system access, they felt keeping clients’ data safe was paramount.
Advisors across various brokerages cited regular training, as well as executives dedicated to investment in technology. There also were common tools such as phishing tests and multi-factor authentication. Said one brokerage advisor in Ontario, “We have to [get] an annual certification, [through] five different modules that take numerous hours to get through. It’s a pain, but I respect why they do it.” (Go to investmentexecutive.com/brcsecurity2024.)
Advisors working in the dealer and retail bank channels (polled in the Dealers’ Report Card and Report Card on Banks, respectively) held similar views but offered lower ratings than their brokerage counterparts. Both the dealer and retail bank channels gave cybersecurity measures by their firms or banks a rating of 8.6, on average.
They also commented most on their firms’ use of phishing emails and other digital testing tools to gauge advisors’ knowledge of cybersecurity. Said one dealer advisor in Quebec, “We have a lot of security measures in place, one of them being test emails to make sure that we are paying attention.”
A dealer advisor in Atlantic Canada said, “They’re doing lots of things behind the scenes, and they have [security] programs.” This advisor mentioned the use of two-factor authentication that was required after only “20 minutes of inactivity,” as well as facial recognition technology. “[My firm is] doing more than most are, in my opinion,” the advisor added.
Similarly, a dealer advisor in Alberta said, “[My firm is] doing everything they can,” including the use of the Okta Customer Identity access management service. “We have to verify our email when we log in every day, which is a little overkill, but I’d rather have it too much than not enough.”
A retail bank advisor in the Prairies said cybersecurity has been increasing “over several years.” That advisor said their institution tests how well advisors read their emails, and whether “we’re diligent and don’t click on external links. They help us to be more careful.”
Airtight security requires much more than just making sure “there’s not paperwork lying around with someone’s name on it,” said a retail bank advisor in Ontario. This advisor called their bank “very proactive” on cybersecurity, noting the use of secure emails between advisors and clients and strict network access rules regarding bring-your-own-device arrangements.
Across all channels, advisors said ongoing cybersecurity training helps them stay up-to-date on the latest technologies and processes.
“I think [my bank is] doing well here,” said a retail bank advisor in Ontario. “We get info and training, [and] testing to make sure we don’t let leaks into the system. We now have a fraud team that catches things before they happen.”
Among advisors who were less enthusiastic about their firms’ approaches to cybersecurity, lower ratings were attributable to confusion regarding security protocols at firms and banks.
“I think they have [security] guidelines, but I don’t think they put much effort [into] enforcing [them],” said a dealer advisor in British Columbia. “It’s more on us to do what’s supposed to be done.”
Another dealer advisor, in Quebec, said, “I have no idea what they do. I assume they keep things safe, and do what they’re supposed to do, but am I informed? No.”
The consensus among advisors overall was that firms were actively trying to prevent cyberattacks and guard clients’ data. However, reliance on secure technology was, and will remain, only one element.
Advisors in the retail bank space, especially, noted that client education is as important as advisor training. For example, a retail bank advisor in B.C. said, “We are trying to get ahead of these fraudsters, but there are situations I’ve seen first-hand where there’s a grey area.” They added, “We still see people get swindled out of money and we can’t cover their losses,” so client education is required.
That need for education will only increase, said a retail bank advisor in the Prairies: “In 2008, when I heard of [cyber]fraud, I was appalled. But now it’s every day. You have to try and educate your clients as much as possible … This has to be at the forefront.”
This article appears in the November issue of Investment Executive. Subscribe to the print edition, read the digital edition or read the articles online.