
Three Ways for Financial Advisors to Beef Up Their Cybersecurity

If you don’t protect your clients’ sensitive financial information from hackers and other online threats, nothing else you do for them matters.

There's a famous quote from Willie Sutton, an early 20th-century criminal. When asked why he robbed banks, Sutton responded, "Because that's where the money is." The same principle holds true for hackers targeting financial advisors. By definition, a firm's clients have assets—they're where the money is. And because a lot of critical information about those assets is now online, accessible on mobile phones, tablets and other portable platforms, that information is easy to get to and hard to protect.

According to a study by the Financial Planning Association, 81 percent of advisors identify cybersecurity as a high priority, but only 36 percent of advisors say their teams understand all the issues and risks, and only 29 percent say they're prepared to manage those risks.1

That's gambling with high stakes. Nearly three in four financial advisors have been the target of a hack.2 And most advisors may be unaware that according to some estimates, the cost of remediation after a firm is hacked can range from $50,000 to more than $1 million.3

Here are three tips for financial advisors to start getting serious about cybersecurity.

1. Know the basics. Some firms hire expensive outside consultants to handle their cyber program. It's an understandable impulse, but advisors can't simply hand over the car keys. You need to understand the regulatory guidelines and requirements. At a minimum, you should be up to speed on the following resources:4

  • The National Institute of Standards and Technology (NIST) issues a Cybersecurity Framework laying out the basic elements of a cybersecurity program for businesses in any industry. The framework gets updated every few years.
  • The Financial Industry Regulatory Authority (FINRA) puts out a Cybersecurity Checklist for small advisory firms. You can use it as a blueprint to assess risks and vulnerabilities, which is something you should probably be doing anyway.
  • The Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations publishes risk alerts and examination summaries that show the kinds of questions examiners ask during a cybersecurity exam.

With these three resources, you'll be a much smarter customer for third-party cybersecurity vendors. And you may decide you want to handle some elements on your own.

2. Require strong passwords and a second factor. For both employees and clients, financial advisors should have password policies that require at least 14 characters, mixing letters, numbers and symbols. Most platforms now offer two-factor authentication: after an employee or client logs in with the correct password, the system sends a one-time code to their registered mobile phone (or an authenticator app on that phone generates one), and that second code is required for access. Even if hackers obtain an employee's password, they won't get into the account unless they also control that second factor. One caveat: codes delivered by SMS can be captured through SIM-swap fraud, so prefer an authenticator app or a hardware security key where the platform supports it.

Employees at a firm also sometimes share passwords, or keep them in a central document such as a spreadsheet. A password-protected sheet is not safe: the file is easily copied, and whoever obtains one copy (or one person's password for it) gets every credential at once. Instead, employees should store passwords in a dedicated password manager such as LastPass.3 Sometimes a client, particularly an older person who's not comfortable with technology, may offer to give an advisor the password to their account and ask the advisor to execute a trade. To the advisor, this may seem like better service, but logging in as the client is a growing problem, and one that some regulators are looking at.5
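To make the two checks in item 2 concrete, here is an added example (not code from the original article or from any vendor it mentions) of the server-side part of such a login: the password is checked against a salted, iterated hash, and only then is a six-digit time-based one-time code verified. It assumes an authenticator-app style code (TOTP, RFC 6238) rather than an SMS code; the policy constants, the demo user record and the secret are constructed for the example.

```python
"""Added example, not code from the original article: a minimal two-step
login check of the kind item 2 describes. Step 1 verifies a salted,
iterated password hash (PBKDF2-HMAC-SHA256); step 2 verifies a six-digit
time-based one-time code (TOTP, RFC 6238) as produced by an authenticator
app. The policy constants, demo user and secret are constructed for the
example; they are not a real firm's configuration."""
import base64
import hashlib
import hmac
import os
import struct
import time

MIN_PASSWORD_LENGTH = 14     # the 14-character minimum from the article
PBKDF2_ITERATIONS = 600_000  # slows down offline guessing of a stolen hash
TOTP_STEP_SECONDS = 30


def password_meets_policy(password: str) -> bool:
    """Length plus letters, digits and symbols, as the article's policy requires."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    return len(password) >= MIN_PASSWORD_LENGTH and has_letter and has_digit and has_symbol


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). Store these; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)  # constant-time compare


def totp_code(secret_b32: str, unix_time: float, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", max(0, int(unix_time)) // TOTP_STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps for clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: dict, password: str, code: str, unix_time=None) -> str:
    """Return 'ok', 'bad-password' or 'bad-code'. A correct password alone never grants access."""
    now = time.time() if unix_time is None else unix_time
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return "bad-password"
    if not verify_totp(user["totp_secret"], code, now):
        return "bad-code"
    return "ok"


# Constructed demo record. The secret is the RFC 6238 test key, base32-encoded;
# a real deployment generates a random secret per user at enrolment.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
_salt, _digest = hash_password("correct-horse-battery-9!")
DEMO_USER = {"salt": _salt, "pw_hash": _digest, "totp_secret": DEMO_SECRET}

if __name__ == "__main__":
    current = totp_code(DEMO_SECRET, time.time())
    print(password_meets_policy("correct-horse-battery-9!"),
          login(DEMO_USER, "correct-horse-battery-9!", current))
```

The one-step drift window is what lets a code typed a few seconds late still work; anything wider than that only helps attackers. Both comparisons use `hmac.compare_digest` so a wrong guess takes the same time as a near-miss.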

3. Educate your employees. People are typically the weakest link in an organization's security. (If one of your clients were to get hacked, his or her financial information is at risk. If an employee gets hacked, all of your clients' financial information is at risk.) Employees need to be aware of why they are an attractive target to hackers, and how even seemingly harmless steps can threaten the firm's information.

The firm should have formal cybersecurity training and awareness programs in place, which should get continuously updated as new threats emerge. Hold your employees accountable for following the organization's security policies and procedures. No deviations. No cutting corners.

For most firms, the biggest threat is a phishing attack: an email that appears to come from a legitimate sender (a custodian, a client, a colleague) is used to trick an employee into revealing credentials or other sensitive information, or into opening a malicious link or attachment.5 But other seemingly harmless habits create vulnerabilities too. For example, employees should never log onto the firm's systems from an open Wi-Fi network like a coffee shop or hotel lobby, at least not without the firm's VPN, because anyone on the same network can try to intercept the connection.3
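The tell-tale signs of the phishing email described above can be checked mechanically. The script below is an added example, not code from the article or from any product it names: it parses a raw message with Python's standard `email` module and reports the common indicators (a display name impersonating a trusted firm, a Reply-To pointing elsewhere, a look-alike sender domain, a link whose visible text names a different host than its target, and urgency language). The trusted-domain list and the two sample messages are constructed for the demo.

```python
"""Added example, not part of the original article: score an inbound e-mail
for common phishing indicators. The trusted-domain list and both sample
messages are constructed; a real deployment would take messages from the
mail gateway or the user's "report phishing" button."""
import email
import re
from email.utils import parseaddr

# Constructed: domains the firm actually corresponds with.
TRUSTED_DOMAINS = {"examplecustodian.com", "advisorfirm.example"}

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended)\b", re.I)
# An HTML anchor whose href host (group 1) and visible URL host (group 2) can be compared.
ANCHOR = re.compile(r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>\s*https?://([^/<\s]+)', re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. 'l' swapped for '1')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """True if the domain is within two edits of a trusted domain but not equal to it."""
    return any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def phishing_indicators(raw: str) -> list:
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display name carries a trusted brand while the address domain does not match.
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        if brand in name.lower() and from_dom != t:
            findings.append("display-name-spoof")
            break

    # 2. Replies are routed to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Sender domain is a near-miss of a domain the firm trusts.
    if lookalike(from_dom):
        findings.append("lookalike-domain")

    # 4. Link text shows one host, the href goes to another.
    body = msg.get_payload(decode=True)
    text = body.decode(errors="replace") if isinstance(body, bytes) else str(msg.get_payload())
    for href_host, shown_host in ANCHOR.findall(text):
        if href_host.lower() != shown_host.lower():
            findings.append("link-text-mismatch")
            break

    # 5. Pressure to act now, the classic social-engineering lever.
    if URGENCY.search(text):
        findings.append("urgency-language")
    return findings


def is_suspicious(raw: str) -> bool:
    """Two or more independent indicators is a reasonable quarantine threshold."""
    return len(phishing_indicators(raw)) >= 2


# Constructed sample messages (not real mail).
PHISH = """From: "ExampleCustodian Support" <support@examp1ecustodian.com>
Reply-To: ops@mail-relay-xyz.net
To: advisor@advisorfirm.example
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours. Please verify immediately:</p>
<p><a href="http://examp1ecustodian.com/login">https://www.examplecustodian.com/login</a></p>
"""

LEGIT = """From: "ExampleCustodian Statements" <statements@examplecustodian.com>
To: advisor@advisorfirm.example
Subject: Your quarterly statement is available
Content-Type: text/html; charset=utf-8

<p>Your quarterly statement is ready.</p>
<p><a href="https://www.examplecustodian.com/statements">https://www.examplecustodian.com/statements</a></p>
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISH), is_suspicious(PHISH))
    print(phishing_indicators(LEGIT), is_suspicious(LEGIT))
```

None of these checks is decisive on its own (a legitimate mailing service often sets a different Reply-To, for instance), which is why the threshold counts independent indicators rather than reacting to any single one.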

Cybersecurity isn't easy, and you can never really stop protecting your firm from threats. The good news is that by following these steps and talking to clients about what you're doing to keep their information safe, you can differentiate your firm from the competition. In doing so, you'll build stronger relationships with your clients and help them sleep better at night.

1 Sarah O'Brien, "More Financial Advisors Are Upping Their Cybersecurity, Insurance Ante," CNBC, April 25, 2017.
2 Mike Schaffman, "Three Key Cybersecurity Lessons for Financial Advisors," July 28, 2017.
3 Joel Bruckenstein, "Cyber-security Tips for Financial Advisors," Technology Tools for Today, Feb. 8, 2017.
4 Pat Cleary, "How to Build an Investment Advisor Cybersecurity Program," Alpha Architect, Nov. 7, 2017.
5 Bruce Kelly, "This is the No. 1 Cybersecurity Threat to Financial Advisors, Experts Say," InvestmentNews, Jan. 30, 2018.

© 2019 CNL Securities Corp. | All Rights Reserved.

CNL® and the Squares Within Squares design trademarks are used under license from CNL Intellectual Properties, LLC.