Cybersecurity: How to prevent ‘insider accidents’

Posted by In the News

As cyberattacks have become a serious threat to the wealth management industry, many financial advisory firms have developed strong policies to prevent client data from being hacked.

However, some firms haven’t put the same amount of effort into training their employees or vendors to make sure these policies are correctly implemented. As a result, money spent goes down the drain, said H2L Solutions CEO Jonathan Hard during an exclusive Financial Planning webinar on cybersecurity.

According to an OCIE survey of broker-dealers and advisers, 88% of BDs and 74% of advisers have experienced cyber-related incidents, the majority of which are related to malware and fraudulent emails. Also, 25% of the BDs who suffered loss blame it on employees not following policies, which led to security compromises.

It’s important to note that not all cybersecurity breaches are external. An “insider accident” could compromise a firm’s security, Hard said. “If your employees are not properly trained — no matter what technical solution you have in place to eliminate that risk, no matter how much money you spend — you’ll still be compromised,” Hard said.

In fact, over 90% of hacks come from an unintentional inside job, said Justin Kapahi, vice president of solutions and security at External IT, a technology services provider for advisory firms. “All employees have the keys to the security you built up. If they hand the keys to random strangers on the street, that’s not secure,” he said.

Read more at Financial Planning

Fight cyber threats by stepping up policies

Posted by In the News

View on Financial Planning

Amid mounting scrutiny from regulators, experts urge advisers to step up their policies and procedures to guard against cyber threats.

Advisers have heard the warnings and seen the headlines. Cybersecurity is a threat — some say an existential one — and it isn’t going away any time soon.

So how can advisers upgrade their security posture?

Experts agree that any effective cybersecurity program must be based on a rigorous evaluation of a firm’s systems and processes to diagnose and address both internal vulnerabilities and those that can arise when working with third-party vendors.

But beyond that risk assessment, firm leaders from the principal to the chief compliance officer and the board must take steps to address the human element of the security challenge, according to Justin Kapahi, technical director in Miami at External IT, a cloud-computing services provider that works with registered investment advisers.

Many of the recent high-profile breaches have come as the result of “social engineering,” scenarios under which a scammer gains access to a system by tricking someone on the inside of the target firm, “all of which are very difficult to stop with technology,” he says.

“The biggest trend right now — and I think people do realize they need this — is to have an ongoing security awareness training program in the company,” Kapahi says.

“The bottom line is if the user isn’t trained to play defense, you can’t win the game,” he says. “You have to be constantly aware that people are trying to trick you.”

Kapahi recommends that firms consider a continuing training program that could include periodic all-hands meetings to discuss emerging threats and risks or presentations from outside experts.

He also suggests that firms put their employees to the test through security simulations, sending out a common type of phishing email to see how many people accede to an urgent request purportedly from a client demanding the swift transfer of funds to the Congo, say, or emailing around a PDF that, when opened, would simulate an infection by a Trojan.

It isn’t an idle concern. Regulators at FINRA and the Securities Exchange Commission put the industry on notice that cybersecurity is a top priority, signaling that more enforcement actions are likely.

“Cybersecurity cases are alive and well, and we anticipate we’ll be seeing a lot more of them in years to come,” Brian Rubin, a partner at securities law firm Sutherland Asbill & Brennan in Washington, said during a recent online presentation.

Increasingly, regulators expect to see firms enacting and enforcing rigorous cybersecurity policies and procedures, which must include training programs geared to raise awareness of potential threats and scams throughout the firm.

Kennet Westby, president of the security and compliance firm Coalfire Systems, characterizes the cybersecurity risk-assessment and training programs at many advisory firms and broker-dealers as “fairly immature,” particularly compared with those at banks and other large players in financial services.

No proponent of government overreach in the cyber arena, Westby credits the RIA industry at least with a greater awareness of the cybersecurity issues but urges firms to get more serious about implementing a sturdy set of policies and procedures, citing the framework published by the Commerce Department as a helpful starting point.

“It’s an adaptable, scalable one, so that’s often where we start,” he says.

“Regulation is not the answer. I think most organizations and most individuals understand that this should be a business issue,” Westby says.

And the stakes are quite high.

“In many cases, it’s a bet-your-business [scenario],” Westby says.

“Where in the larger organizations they may be able to manage it and weather through,” he says, smaller firms might not bounce back from the reputational hit and business disruption that a major cyber event can bring on.

“It could be the end of their practice,” Westby says.

Digital Diligence: Is Your Tech Tough Enough?

Posted by In the News

View on Financial Planning

It’s challenging to afford tech upgrades and meet compliance demands at the same time. Here’s how firms are doing the best of both.

Though John DiCiaccio loves driving, and loves muscling fast cars around a test track even more, he finds himself entranced by how his new Tesla can drive itself. Letting the car’s autopilot handle some mundane aspects of his commute, especially in maddening Los Angeles traffic, makes him a better and more alert driver.

“Technology can react quicker to stop your car than you can, especially if you are tired or distracted,” he says. “Sensors don’t get tired.”

It struck DiCiaccio, a partner and managing director at Snowden Lane Partners, that fellow advisors should note the efficiency of new self-driving cars. After all, their technology is being mirrored in wealth management, even in areas as sophisticated as compliance. Robo advice and data-driven tools are becoming the norm, and it’s becoming imperative to adopt at least some of the latest tech tools, or risk losing clients.

Even more urgently, advisors risk squandering new ways to monitor increasingly sophisticated compliance requirements.