We’ve become accustomed to seeing headlines about major cyberattacks or cybersecurity breaches in a range of industries from internet and technology firms to major retailers to national health care systems. But financial advisors have always been particularly alluring targets for cyberattacks, with one out of five wealth managers reporting data breaches over the past five years in the 2022 Arizent State of Cybersecurity Survey. It’s a situation only intensified by the industry’s COVID-era move to digital communication.
And with new rules proposed by the SEC in February, there is added urgency on the cybersecurity risk management front for financial advisors. These rules would create standards requiring advisors to adopt and implement written cybersecurity policies and procedures designed to address risks that could harm clients. They would also require advisors to report significant cybersecurity incidents to the SEC on a new section of Form ADV.
Also per the proposed rules, advisors would have to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements. The rules would also set forth new advisor recordkeeping requirements designed to improve the availability of cybersecurity-related information and help facilitate the SEC’s inspection and enforcement capabilities.
That’s in addition to the CFP Board’s Code of Ethics and Standards of Conduct, which requires financial advisors to take reasonable steps to protect the security of all non-public client information they store electronically. And FINRA has also delivered guidance on cybersecurity for financial advisors. Taken together, this means that advisors can no longer just respond after-the-fact to cybersecurity incidents. Instead, you need to take proactive steps to protect your firm and your clients’ data from cyberattacks.
According to the Arizent survey, financial advisors view malware or ransomware attacks as the greatest potential cyberthreat to their firm (listed by 60% of respondents). This was followed by data breaches by hackers or another criminal element (52%), phishing or spear-phishing (50%) and an unintended breach caused by a third-party vendor (41%).
The good news is that many financial advisors recognize the danger cyberattacks pose to their firms. According to a 2022 survey conducted by PricewaterhouseCoopers, 48% of CEOs at wealth management firms consider cyberattacks to be the greatest threat to their future growth. Even more importantly, they’re taking proactive steps to guard against cybercrime. For example, more than three-quarters of those surveyed require two-factor authentication to log into their systems and around half conduct routine and third-party vulnerability assessments, according to the Arizent survey. A similar share say they plan to increase cybersecurity spending this year, and half plan an increase of 10% or more.
But advisors are lacking when it comes to some areas of building strong cyber defenses. For example, just 21% perform tests in which they or an outside entity tries to break into their systems. And only about one-third periodically rehearse what they would do if a data breach or cyberattack were to occur, according to the Arizent survey.
Guarding against cyberattacks and minimizing the potential damage if an attack occurs requires planning and diligence. Here are six practical steps you can take now to protect your firm.
1. Educate your staff about cybersecurity risks
The main point of entry for cyber criminals often isn’t through technology, but through people. This makes it critical to train your employees to recognize common cybersecurity threats and take action against them. Remember: Your firm’s defenses are only as strong as your weakest link. All it takes is one employee to click on a scam link to potentially expose your entire firm to a costly cyberattack.
2. Test your IT infrastructure and systems regularly
The best way to test your systems is to conduct “white hat” exercises or penetration tests, in which team members or an outside entity, such as a security consultant, try to hack into your systems and probe for weaknesses. Some cybersecurity experts recommend conducting such tests every 12 to 18 months, and it is prudent to retest after any significant change to your systems, such as a new client portal or a migration to a new cloud provider. The test will reveal specific cybersecurity risks and deficiencies you can focus on eliminating.
3. Create an incident response plan
Even if you take every recommended precaution, there’s still a real chance you will be hit by a cyberattack. This makes it critical to have a plan for how to respond and to minimize the potential damage. Your incident response plan should detail the procedures your firm will follow after a cyberattack, including the specific roles of key personnel, how you will contact them if email is unavailable, and who decides whether an incident is significant enough to trigger reporting to the SEC and notification of affected clients. A plan that has never been rehearsed is unlikely to work under pressure, so walk through it periodically with the people named in it.
4. Back up regularly and keep your operating systems updated
Ransomware, a type of cyberattack in which criminals encrypt a victim’s files (and increasingly also steal a copy of the data) and demand payment to restore access or to withhold publication, has become one of the most common types of attacks. Regular backups are your best defense against the encryption side of ransomware: if you can restore your data yourself, the attacker loses that leverage. Backups only help, however, if they are kept offline or otherwise out of reach of an attacker who has compromised your network, and if you have actually tested restoring from them; they do nothing to undo the theft of data. Unpatched operating systems and applications leave known, publicly documented vulnerabilities open to attackers, and systems past their end of support no longer receive patches at all. Enable automatic updates for all of your systems, software and phone apps, and retire software that its vendor no longer supports.
5. Use MFA
Passwords are an essential part of staying secure, but they’re not infallible. Far too often, passwords are reused across services or are not strong enough to withstand a brute force attack. MFA, or multifactor authentication, requires two or more independent verification factors from the user, such as something you know (a password) and something you have (an authenticator app or a hardware security key). With MFA enabled, a stolen or guessed password alone is not enough to get in. Any time an account offers MFA or 2FA security measures, use them. Not enabling MFA is a security risk you can no longer afford.
6. Monitor your vendors’ cybersecurity practices
Lax cybersecurity by third-party vendors could expose your firm to risks. In fact, 63% of data breaches originate from a third-party’s vulnerability, according to the SEC.