A Financial Professional’s Guide to Cybersecurity
John Reinhardt, Chief Technology Officer
April 20, 2021
As financial professionals and their clients and members increasingly interact online, and as more data is aggregated and housed in the cloud, the threat of cybercrime compromising client and member data and opening the door to asset theft is greater than ever. To be sure, broker-dealers and custodians have made cybersecurity a priority. But while the financial firms that support financial professionals — and financial professionals themselves — regularly implement new software and procedures designed to safeguard data, the threat remains. Like Willie Sutton in the past, today’s cybercriminals are drawn to advisory accounts because that’s where the money is.
The Justice Department recently said that cybercrime is one of our greatest national threats, and Europol, the law enforcement agency of the European Union, recently noted four cybercrime trends that threaten everyone, everywhere.
- Continuing use of ransomware
This is malicious software that is covertly installed on a victim’s computer, smartphone or other device and then mounts an extortion attack: it holds the victim’s data hostage, or threatens to publish it, until a ransom is paid. Ransomware remains a top malware threat, along with banking Trojans, malicious programs that mislead users into opening them so that the cybercriminal can steal confidential banking and payment‑system data.
- Identity theft
This cybercrime category continues to morph as criminals discover new ways to steal identities and information. A recent Federal Trade Commission survey found that 40 million Americans were victims of fraud in 2017—an estimated 16 percent of the U.S. population.
- More sophisticated phishing
The use of fraudulent emails to induce recipients to send personal information costs businesses billions of dollars each year. An increase in phishing aimed at high-value targets has been registered by private sector security organizations. CEO fraud, a refined variant of phishing, has become a key threat to businesses of all sizes.
- Wider criminal use of data
Stolen data, already exploited for direct financial gain, is increasingly employed by criminals in more complex fraud and extortion schemes.
Fortunately, only 3% of advisory firms report that any of their firm-level, client or member data has ever been compromised as the result of a security breach, according to findings of the InvestmentNews 2017 Financial Professional Technology Study. That’s virtually unchanged from the 2% who reported such activity in 2015.
Another good sign is that 90% of financial professionals surveyed said that their firm has a documented cybersecurity plan in place. Nevertheless, while firm-level security measures appear to be strong, any breach could have devastating effects on every client and member affected, not to mention on the reputation of the firm and the financial professional and even on a firm’s ongoing viability.
The bottom line is that the wealth held in accounts makes firms, clients and members vulnerable, and financial professionals should do everything possible to reduce the risk of cybercrime for their clients and educate them about cybersecurity. The following information will help do that.
Anti-cybercrime steps for financial professionals
- Assess and identify potential problems
Financial professionals should enumerate the kinds of information they keep, where it is kept and what would happen if a hacker accessed that information. What cybersecurity protections are already in place?
- Create a cybersecurity plan
To combat cybersecurity threats, develop a program that includes encrypting data and restricting access to that data to the specific people who need it. Also, institute a policy of regularly backing up data, and prepare a detailed plan of what you would do if a hacking attack were to occur.
- Write it all down
Make sure your information technology and cybersecurity policies are written down, that employees know where they are and what they say, and that staff are trained to execute them. Include in your documents the advice you provide to clients and members to help them reduce their risks. Keep written records, such as memos, time-stamped reports and spreadsheets, that prove you are doing what you say you are doing.
The following are some important dos and don’ts for financial professionals to keep in mind when executing on those three key action steps:
- Do make use of all tools available from your broker-dealer or custodian
The securities industry is investing tens of millions of dollars in cybersecurity, making tools and resources available to financial professionals and their teams. Actively seek out those tools and become known at your firm for your interest in and commitment to cybersecurity.
- Do eliminate weak links in your systems
Strong passwords and encryption turn away hackers who look for easy targets. Don’t let users share passwords. In addition to PCs, encrypt all thumb drives, cell phones and tablets. And set unattended computers to lock automatically after a set number of minutes.
- Do take preparation, training and review seriously
Put effort into your plan, review it seriously on a regular basis, document that review, and make sure that all staff — including even those who don’t usually deal with clients and members or their information — are regularly trained and updated on cybersecurity policies and procedures. Since staff carelessness or inattention can be the weakest link in the defense chain, make sure that you and your staff never download an attachment or accept a request if it can’t be verified.
- Do be alert to things that don’t feel right
Suppose, for example, that a staff member receives a phone call from someone saying he’s from Microsoft tech support and has noticed a computer virus on your system. Even if the employee isn’t aware that reputable tech support operations don’t work that way, he or she should immediately sense that the call is out of the ordinary and somehow amiss. Given that feeling, the employee should hang up immediately and not let the unidentified caller connect to the firm’s system. Similarly, if you or your staff receive an e-mail from a client or member saying they’ve been mugged on vacation or have lost their wallet or passport, most likely their e-mail account has been hacked. Contact that person by landline or cell phone and confirm the story before acting on it.
- Do educate your clients and members on how to communicate with you safely
Financial professionals should require multifactor authentication (a token or another factor beyond a user ID and password) for communication through Gmail, Yahoo! and other major e-mail providers. This will protect them, and you, from hackers who have obtained a password.
- Do train staff
Many cyber incidents may be preventable through employee training and preventive measures such as not opening emails or attachments from an unknown source. Most people don’t think about cybersecurity until a breach occurs, and regular training helps keep staff alert. Create and explain communication procedures, particularly those that deal with moving funds and verifying client requests.
- Don’t keep cybersecurity a secret
The financial advice business is competitive, but there is one area where cooperation, not competition, is paramount: cybersecurity. Discuss the issue frequently with peers and share any ideas you have.
- Don’t lull yourself into thinking cybersecurity is someone else’s problem
Be alert to news and developments in cybercrime and cybersecurity and seek more information and update plans and programs accordingly. Start by identifying your three biggest potential threats and get to work addressing them.
Cybersecurity is a word that few veteran financial professionals were aware of not so long ago. Today, however, they are not only familiar with the term but realize it is essential for their clients’ and members’ financial well-being — and their own business success.
Because of its importance, cybersecurity demands the attention of financial professionals. It’s critically important that you use the tools and resources increasingly available to you to integrate cybersecurity into your financial practice or wealth management and treat it like the priority it has become.