Three Ways for Financial Professionals to Beef Up Their Cybersecurity

If you don’t protect your clients’ sensitive financial information from hackers and other online threats, nothing else you do for them matters.

June 24, 2020 - Three Ways for Financial Professionals to Beef Up Their CybersecurityThree Ways for Financial Professionals to Beef Up Their CybersecurityThere's a famous quote from Willie Sutton, an early 20th-century criminal. When asked why he robbed banks, Sutton responded, "Because that's where the money is." The same principle holds true for hackers targeting financial professionals. By definition, a firm's clients have assets—they are where the money is. And because a lot of critical information about those assets is now online, accessible on mobile phones, tablets and other portable platforms, that information is easy to get to and hard to protect.

A 2019 survey found that 83% of registered investment advisors cite cybersecurity as the most important compliance topic they face (the sixth year in a row that it finished at the top).¹ And yet problems still occur. A year earlier, a firm paid the SEC $1 million to settle charges related to lax cybersecurity policies and procedures. In that attack, cyber intruders posed as contractors and asked the firm to reset the passwords for thousands of its clients.² The firm had experienced similar cyber-attacks prior to that but failed to address them.

Because the threat of hacking is so prevalent, companies fall into two categories: Those that have been attacked and those that will be attacked.³ Moreover, the COVID-19 pandemic—and the likely longer-term shift to working from home—actually increases the vulnerabilities at many firms. Even with the best intentions, people who work from home can often leave applications open and laptops out, putting clients’ financial information at risk.⁴

Here are three tips for financial professionals to start getting serious about cybersecurity.

1. Know the basics. Some firms hire expensive outside consultants to handle their cyber program. It's an understandable impulse, but financial professionals can't simply hand over the car keys. You need to understand the regulatory guidelines and requirements, and you need to have a written policy in place that meets current standards.⁵ At a minimum, you should be up to speed on the following resources:

• The National Institute of Standards and Technology (NIST) issues a Cybersecurity Framework laying the basic elements of a cyber program for businesses in any industry. The framework gets updated every few years.
• The Financial Industry Regulatory Authority (FINRA) puts out a Cybersecurity Checklist for small financial professional firms. You can use it as a blueprint to assess risks and vulnerabilities, which is something you should probably be doing anyway.
• The Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations releases reports that can provide possible questions asked during a cybersecurity audit.

With these three resources, you'll be a much smarter customer for third-party cybersecurity vendors. And you may decide you want to handle some elements on your own.

2. Reinforce all hardware and software. For both employees and clients, financial professionals do not need to reinvent technology. Rather, they should rely on established tools regarding hardware and software. For example, they should have a corporate firewall in place, up-to-date anti-virus protection, and secure computers with strong passwords (or biometrics) required. When an employee leaves the firm, his or her manager, or the IT department, should be able to disable that person’s access to the firm’s system with a simple, one-step procedure.⁶

Similarly, most security vendors offer two-factor authentication. After an employee or client logs in with the correct password, the system will send an additional code to their designated mobile phone. That second code is required for access. Even if hackers obtain an employee's password, they will not gain access to the employee's account unless they also have access to the employee's mobile phone.

3. Educate your employees. People are typically the weakest link in an organization's security, in that email “phishing” messages make up about 90% of cyber-attacks. These messages try to trick an employee into clicking on an email link that lets in malware. Most employees know better, but one study determined that about 4% of employees fall for such schemes. If you have 50 financial professionals in your firm, that means two of them will take the bait.³

Because this threat is so universal, some firms invest in formal training to educate employees on the target they present to hackers, and how even seemingly harmless steps can threaten the firm's information.⁷ Some firms offer incentives, others send out internally generated phishing messages to test their employees. Whatever approach you choose, hold your employees accountable for following the organization's security policies and procedures. No deviations. No cutting corners.

Cybersecurity isn't easy, and you can never really stop protecting your firm from threats. The good news is that by following these steps and talking to clients about what you are doing to keep their information safe, you can differentiate your firm from the competition. In doing so, you will build stronger relationships with your clients and help them sleep better at night.

¹ Tracey Longo, “Cybersecurity Threats Are Top RIA Concern in 2019, IAA Survey Says,” Financial Advisor, July 8, 2019.
² “SEC Charges Firm with Deficient Cybersecurity Procedures,” SEC press release, Sept. 26, 2018.
³ Shawn Waldman, “Cyber Security Threats: Top Five Priorities Advisors Should Know, Nasdaq, Feb. 25, 2020.
⁴ Kevin Stankiewicz, “Coronavirus chaos ‘Golden Age’ for hackers,” CNBC.com, April 2, 2020.
⁵ Thomas D. Giachetti, “Don’t Let Your Cybersecurity Policy Slip,” ThinkAdvisor, March 26, 2019.
⁶ Lorie Konish, “Financial Advisors Need to Put Cybersecurity Plans to the Test” CNBC.com, Nov. 20, 2019.
⁷ Jessica Mathews, “The Cybersecurity Defense Advisors Forget,” Financial Planning, May 8, 2019.

CSC-0622-2227109-INV-E