Cybersecurity for advisors
Preparing for worst-case scenarios is the responsibility of financial advisors, but cybersecurity experts warn that they could be facing a catastrophe of their own if they haven’t taken the necessary steps to protect their company from cyberattacks.
James Harrison, founder and CEO of cybersecurity consulting firm Invisus, and cybersecurity expert John Sileo urge businesses, both large and small, to put a security plan in place that goes beyond the stewardship of a company IT director or tech-savvy friend.
Developing a defense strategy and a plan of action if a data breach does occur are vital to securing your company and strengthening your legal defensibility, according to Harrison. “We live in a world where data is king; data is gold. It’s worth more than many financial instruments, so third-party risk is an area that should be a part of your plan,” he said.
Phishing, hacking and other kinds of cyberattacks are nothing new to the financial services industry, but many companies face an ever-changing set of threats with the proliferation of employees working from home, making it even more important to establish digital safeguards, according to both experts.
Getting started
One of the most important parts of building a cybersecurity plan is choosing a firm that can perform security assessments, according to Sileo. “If you don’t already have an external security firm that verifies any gaps in your defenses, and I don’t care if you’re a one-person office or a thousand-person office, you need to make that an immediate priority,” he said.
Sileo urged those without a plan to consult with their colleagues in the profession for recommendations. “If you’re in some sort of business group or inside the Top of the Table group, ask who they’re using to do their security assessments, and if you don’t have that, my strong recommendation is that you go to a local community-based bank, and ask them if they can refer a reputable provider,” he said.
He says the added cost of hiring a firm to conduct a cybersecurity assessment is worth it because of changes in cybersecurity that took place during the pandemic, particularly in cloud computing. “Prevention is far cheaper than recovery.”
Harrison says the assessment will determine your vulnerabilities and whether you have a sound security plan in place. First, a consultant is going to look for a management commitment to cybersecurity, Harrison said. “So, is there somebody appointed (to oversee cybersecurity)? If you’re an independent sole proprietor, it’s you,” he said.
Those in a firm with a few partners must determine who will oversee the security program and make sure the plan complies with cybersecurity regulations, according to Harrison. “They want to see documented policies and procedures, and this is what an auditor or regulator is looking for.” That plan should include fundamental checklist items such as conducting an annual risk assessment, information on preventing data breaches and training policies for staff to follow.
Having this plan in place not only protects you, but it can give clients confidence that their information is secure, Harrison noted. “I would not say that you need to show your clients your policies and procedures, but the fact that you have them should be comforting to them — that you have a written security plan, and you’re following it and it meets the SEC and state regulations,” he said.
Closing the gap
Once that initial assessment is completed, business owners should use its findings as a starting point for establishing or building on existing policies and procedures. Sileo advises starting by identifying computers used at the company that have outdated operating systems. In some cases, computers might need to be replaced because older models might not support security updates, he says.
Those system updates are “absolutely critical” to keeping your network impenetrable, he says. That includes all electronic devices used for work — computers, tablets, cell phones and smart devices — Sileo says, recommending that firms, especially small ones, set that system updates to happen automatically “so that you are constantly updating every time there is a new threat.”
Having this plan in place not only protects you, but it can give clients confidence that their information is secure.
—James Harrison
Making sure data is encrypted is the next step to building a robust cybersecurity plan, Sileo adds. That includes all data on computers, hard drives and, perhaps most importantly, being transferred between platforms or into the cloud. “I can’t tell you the number of nonencrypted emails I see between financial planners and life insurance agents back and forth with their clients that have Social Security numbers, financial account and bank account information,” he said.
These days, however, data encryption and other security measures, such as establishing firewalls and virtual private networks (VPN), can do little to protect a company’s data when employees are working off-site, Harrison says, because hackers can access data by breaking in through an internet Wi-Fi connection. “They’ll pipe right through your VPN, right through all your multifactor authentication to get straight into your company system from your home office,” Harrison warns.
It’s a problem even the largest corporations are grappling with, but it’s one that is easily solved, Harrison says. He encourages large and small businesses to have employees sign an agreement ensuring they will follow work-from-home cybersecurity protocols. Companies should also conduct regular security checkups on Wi-Fi routers and computers used at home.
Beyond the basics
Putting the plan in place sets the stage for building a longer-term strategy for ongoing cybersecurity, such as conducting regular security checks through a third-party consultant. Going beyond your in-house IT team is necessary to remain up to date on the constantly changing threats and new regulations, according to Harrison.
Testing your vulnerabilities and staying abreast of new regulations is work that many IT professionals are unequipped to handle, he says. “Testing [vulnerabilities] from the outside-in is another area IT people typically don’t do; they don’t bring these robust tools to come in and try to hack or break through your network and see where you are potentially going to be hacked.”
Sometimes the cyberattacks come from companies you are affiliated with that have been targeted by hackers, making it harder to plug vulnerabilities, Harrison says. He noted a recent development with hedge fund managers trading shares of Fortune 500 companies where he learned that many are researching the affiliates of these companies to identify cybersecurity threats. “How are they putting us all at risk? Publicly traded companies are now going to be assigned a score related to their cybersecurity readiness, and they’re reaching down into the supply chain to validate third-party risk,” he said. That’s a model that financial advisors of all sizes should consider.
He also recommends considering purchasing cybersecurity insurance, in case efforts fail to prevent a breach. Creating a cyber risk plan can help defend your company against a security breach, but it can also strengthen your eligibility when filing a claim, if your system is hacked.
“Your cyber insurance provider isn’t going to deny you when you want to file an insurance claim,” he said, advising that small- to medium-sized companies consider a half-million to a million-dollar policy. “But you also have to understand that if you don’t have a plan in place, and you’re not doing X, Y and Z, if you’re not crossing your T’s and dotting your I’s, they’ll deny your claim and double your premium next year, so compliance is huge and building a security plan and having it documented is the simplest, easiest, most affordable way to get that done.”