Cyberthreats are growing and taking ever-more menacing forms. In corporate America, recent victims include such high-profile names as Sony, J.P. Morgan, Target and Morgan Stanley. Across the wealth management industry, advisors and their firms are feeling the impact of increased attacks.
According to a report from the SEC, 88% of broker-dealers and 74% of RIAs say they have been the target of some kind of cyberattack.
A data breach or hacking attack creates enormous headaches and costly business disruptions. At firms that handle sensitive client data, executives, technology officers and regulators are therefore paying increasing attention to cybersecurity. Advisors also have responsibilities.
Indeed, advisors have as much at stake (their very practices) as anyone else. And, according to security officers at wealth management firms, they know it; advisors are increasingly asking questions about how to better protect themselves and their clients.
"Five years ago, advisors would never have called me to ask about our firm's cybersecurity," says Andy Zolper, chief IT security officer at Raymond James. "Today, it's much more common. They're calling because they are concerned or they are anticipating questions from clients. Awareness is absolutely building."
Security experts say that knowing the nature of the threats and following best practices can go a long way toward keeping data safe for both advisors and clients.
KNOW THY ENEMY
To better defend their practices and clients from cyberattacks, advisors need to understand the nature of the threat.
"Despite what we read about the Sony attack, far and away in most cybersecurity incidents the motivation is financial," Zolper says. "[Hackers] may have connections to organized crime. The groups that are doing this have resources. These are organized groups with multiple lines of business, and they view cyberattacks and online fraud as a lucrative business."
Phishing emails, an attempt to get sensitive information by masquerading as a trusted individual, remain a common method of attack, yet one that succeeds surprisingly often.
According to the SEC's data, 43% of RIAs and 54% of broker-dealers reported receiving fraudulent emails seeking to transfer client funds. Just over half of those firms reported $5,000 or more in losses related to those emails.
This kind of social engineering attack is "one of the biggest threats out there," says Carlos Simoes, chief technology officer at the technology firm CircleBlack and a former director of secure design and development at UBS. "Social threats have always been around. But [the perpetrators] are getting smarter about how they do it."
Malware also continues to pose a danger. There will also be a bigger emphasis on securing phones in the future, Simoes says, as smartphones are increasingly used to carry sensitive data yet have multiple points of potential attack.
Experts say attacks have become more sophisticated, in part because the perpetrators have become more adept at imitating trusted actors, like a client or a client's spouse.
"We see less and less of the sort of hard brute-force attacks, where someone is trying to force their way into your network because the reality is that is getting hard," says Mattias Tornyi, vice president of IT at Wedbush.
Instead, attacks are focusing on stealing personal identification information, Tornyi says. He likens this to stealing the keys to the front door. "The trend here is that the bad guys are starting to realize that it is much easier, instead of breaking into your network, to just steal the keys to your network," he says. "In other words, they are focusing more and more on getting your credentials."
Privately, industry insiders say one area of weakness is clients themselves. For example, attackers hack a client's email or social media accounts. The attackers learn intimate details about him or her, then email the advisor or advisor's assistant and, using those personal details to mask the email as believable, request that funds be transferred to an account controlled by the perpetrators.
If the client is a celebrity, politician or other prominent individual, there could be additional motivations beyond the financial for perpetrators to hack into accounts. "We are seeing attacks that are focused just on finding out personal information," says Trina Spalding, IT security officer at the regional firm Hilliard Lyons. "And some are just trying to see how far they can get into your network."
Finally, advisors need to be aware of internal threats. An insider allegedly was responsible for Morgan Stanley's data breach late last year, which may have affected about 10% of the firm's clients. Disgruntled employees, whether advisors or assistants, may believe they have a reason to take malicious actions. Security experts also note that insiders may act because there is a third party pressuring them or because they are facing financial difficulties.
If threats are multiplying and intensifying, what can advisors do to contain them?
"If we are thinking about the employee financial advisor, a certain level of their cybersecurity is being managed for them," says Raymond James' Zolper. "But there is definitely a role for them being conscious of what I call basic hygiene."
Just as acts like washing one's hands can go a long way in preventing the spread of communicable diseases, certain basic practices can mitigate many of the threats faced by wealth management firms.
Have a strong password, experts say. This is perhaps the most fundamental of all protections, yet the easiest to overlook.
"Most people use very simple passwords and use the same password for multiple sites. Both of those are things people shouldn't be doing," CircleBlack's Simoes says. "Do I really want to use my password for my secure banking and for my video games? Having fewer shared passwords across sites would cut down on the risks."
John Michel, CEO of CircleBlack, says advisors should be aware of how personal information available on social media pages can be used to hack passwords or answer the standard security questions asked to retrieve a lost password. "If you put your elementary school's name on your Facebook page and that's the answer to one of your security questions, then they can use that against you," he says.
Above all, don't share your passwords with an assistant to cut corners, says Zolper. It's an extremely dangerous practice. In fact, it is not easy for IT professionals at a firm's home office to tell if an advisor has shared his or her password with an assistant.
Just as an advisor would never let an assistant have operative control over a client's funds, that advisor should not be sharing passwords either, Zolper says.
Experts suggest creating strong passwords: ones that are long and unique and that have a combination of letters, numbers and symbols. This is the equivalent of having a strong lock on the front door to deter criminals.
Zolper says it's equally important to ensure that personal firewalls are properly configured on PCs, data is backed up and media devices are encrypted. "An advisor putting data on a thumb drive needs to be aware that 'I need to make sure that data is encrypted.'"
Advisors also need to be careful about using consumer-grade technology, Zolper says. "Anyone can sign up for a file-sharing service and say this is great, because I can take a performance report in a PDF and share it with my clients much more easily. The security in those solutions has not been designed for the level of sensitivity of the data that our industry handles."
And using public Wi-Fi networks? "Avoiding public Wi-Fi is just a good practice," says Sam Attias, a former wirehouse advisor who is now vice president of financial services practice at the technology firm External IT. "Doing it from home is much safer than doing it from Starbucks."
Finally, advisors should be proactive. "Don't just assume it's all being taken care of," Zolper says. "Frankly, many data breaches occur because a function believed to be in place wasn't."
An attitude of vigilance can go far in protecting advisors' data as well as that of their clients, security experts say. "Advisors really need to think of themselves as the first step or shield in defensive measures," says Spalding of Hilliard Lyons. "Almost all their transactions and communications are electronic, except for maybe phone [calls]."
Zolper suggests that advisors develop the same careful mindset where cybersecurity is concerned that they already have when handling client funds. "They are hyperattuned to making sure that is done properly," he says. "I use that as an analogy with financial advisors at Raymond James. I say, 'Use that mindset when dealing with data. Who has access to it? Where is it stored?'"
Advisors should also avail themselves of educational opportunities and training offered by their firms. Raymond James, for instance, offers training and education sessions, either by phone or in person. Last year, Zolper and his team made 52 trips to about 100 branches. They are also present at Raymond James' conferences, giving presentations to advisors and running an information booth to answer questions. "We do a lot of outreach," he says.
Hilliard Lyons' Spalding says her firm offers internal resources and security awareness alerts to provide advisors with information about what to be on the lookout for. "That's the same thing that we ask our financial advisors to do," she says. "When we show them phishing emails, we say, 'Look at this; doesn't this look suspicious to you? Is it out of the ordinary for this person to ask this of you?'"
External IT's Attias says education is critical to staying a step ahead of those who would damage a practice. "The truth is," he adds, "the more you focus on this, the easier your audits will go."
Developing this kind of vigilant mindset will help make security precautions second nature, and that should extend beyond the office. "A lot of us take work home, and if you do, then the rules that apply at work apply at home," says Simoes of CircleBlack.
That mindset also means being aware that security is a joint effort involving advisors, clients and the firm. Experts encourage advisors to pose questions and ask for help if they need it.
It's a constant educational process to impress on advisors that they're the first line of defense, Spalding says. "They have to have this in the forefront of their minds because they are dealing with sensitive information in an electronic world."
Tornyi of Wedbush agrees, adding that education is critical as threats evolve. "It isn't static," he says. "There are always going to be practices and things not to do. But as far as what type of threat and what they look like, that will always change."
Security experts, Zolper notes, have a saying: humans are more important than hardware. "We have some incredibly sophisticated cybersecurity procedures in place," he says. "We have done some amazing things. But without the right mindset in the advisors and associates, we are at risk. I communicate with my staff, 'Are we doing the right things in communicating with advisors? Are our messages making sense? If not, there will be a weak link somewhere.'"
For advisors, taking security messages to heart and asking the right questions can make a big difference, and it can set the right tone in the branch office.
Not sure about a link or attachment you just received in an email that seems a bit suspicious? Ask IT, says Tornyi of Wedbush. "If you have a link and you have a domain name that ends in .ru, which is Russia and you don't do any business in Russia, then perhaps you shouldn't click on it," he says. "In general, financial advisors should always reach out to their IT department if they have any questions or suspect that something isn't right."
Many advisors travel to meet clients, existing or prospective, and they sometimes carry laptops, tablets, USB drives or other media devices containing sensitive data. It's a good idea to ensure that such data has been properly encrypted.
Not sure how? Call your home office or IT department, Zolper suggests. "For an employee advisor, that's a great question to ask," he says. "'I have important files on my laptop; where can I back them up? What's the authorized way to do that?'"
There are also added benefits to backing up files. "If your daughter spills apple juice on your laptop or if it gets stolen out of your vehicle, the result is the same," Zolper says. "You've lost some very important files that you cannot recreate equally."
SECURITY IN FOCUS
Zolper and others say that awareness of cyberthreats has been increasing in recent years, not just among IT professionals, but also among advisors and their clients.
"Like everyone else, they are seeing cyberattacks in the press," Zolper says. "My 85-year-old mother didn't call me about cybersecurity five years ago. But now she asks me, 'Can I use Wi-Fi at the airport?'"
Wealth management executives increasingly see cybersecurity as a business risk that needs to be managed and planned for, just as they would hedge or protect against market risks. And advisors themselves are demonstrating ever-greater engagement, helping to protect their practices and their clients.
Zolper says he recently spoke with an advisor who does an annual presentation on economic and market trends for his clients. This year, the advisor included a new topic: cybersecurity.