If you’re worrying about cyber security, you’re smart.
“Hackers don’t take vacations,” reminds Sid Yenamandra, co-founder of Entreda, a cybersecurity firm specializing in the financial services industry. “You need to continuously monitor your client data security.”
Independent RIAs inadvertently expose client data because they focus on their core wealth management business – not on cybersecurity processes. This leaves them vulnerable to expensive fines, rule violations – or worse, an actual attack.
“Before most RIAs started their own business, they likely worked for a wirehouse, and had their IT department handle most of this for them,” Yenamandra says. “When they go independent, they’re not familiar with the latest tools or threats. They don’t have the time to become experts. Budgets also are a constraint.”
But consider the potential costs of a breach. A 2015 IBM/CNBC study found that data breaches cost the average U.S. company $6.5 million – not to mention the damage to business reputation. Meanwhile, the SEC fined a securities firm $75,000 last year for a contact-data breach.
20 Cyber Security Best Practices
So what can you do to safeguard client information from would-be cyber-crooks – and ensure better compliance with regulatory guidelines?
- Don’t use Dropbox for client files. Dropbox is wonderfully convenient. It’s also non-secure, Yenamandra says. “Dropbox is free, and designed to share data simply. But they’ve been breached multiple times,” he says. A better way? Use secure email and/or an encrypted file server to share documents with clients. “Encrypted email can be overlaid so the client clicks a link and is prompted to enter a password to open up a document from their advisor,” says Neal Quon, a partner at QuonWarrene, a technology advice firm serving the financial industry. ShareFile is a more secure alternative to Dropbox, he adds.
- Avoid non-secure networks. Just as you should drop Dropbox because it’s not secure, avoid public hotspots altogether. At Starbucks or an airport, anyone on the same network can capture whatever is sent unencrypted: credit card numbers, usernames and passwords, or online banking information. Attackers also set up their own hotspots with plausible-looking names to “bait” unsuspecting victims. Never shop or bank online or log in to client accounts while using an unsecured network. Quon recommends advisors purchase personal VPN services such as Cloak (for Mac and iOS devices), VPNOneClick for Android devices, or PrivateInternetAccess for PCs. For as little as $15 a month, these services encrypt all traffic between your device and the VPN provider, so nothing readable crosses the hotspot, and protect your confidential client and personal data.
- Protect your mobile devices. Anything that contains client data should be secure, Quon says. “Portable devices should be encrypted, preferably with hard-disk encryption. They should be password-protected and set up with a time-out mode,” he says. “Any 10-minute period of inactivity should lock them down in sleep mode. They should be set to erase automatically if an incorrect password or PIN is entered more than 7-10 times.” At Starbucks, for instance, your laptop should lock itself down while you’re waiting in a long line for a second latte. If you don’t have an automatic time-out established, be sure to lock your laptop or portable device when leaving it in a public place. Use a security app to protect against malware and viruses. And don’t forget to use a personal VPN on your portable device so that your browsing session is secure. As mentioned above, you should never use public Wi-Fi on a business device.
- Secure hard drives and servers. Sometimes cyber threats hide in plain sight. “I’ve been in hundreds or thousands of advisor offices,” explains Joel Bruckenstein, a financial services technology journalist, consultant, and co-chair of the T3 Conference. “A lot of them have computer desktops, laptops and servers that could be picked up and taken out. They have client data on them.” Bruckenstein says everything with client data needs to be locked up, and in the case of servers, “in a metal cage that is bolted down into the girders of the building so the server can’t be accessed and grabbed.” Don’t spend thousands on software security only to be vulnerable to old-fashioned physical theft.
- Lock up paper files and correspondence. RIAs should take the same approach with paper files as with hard drives. Keep them locked up, Bruckenstein urges. “Some FAs leave outgoing mail on a receptionist’s desk overnight. It contains sensitive client data that someone could pick up and walk out with.” Likewise, advisor offices often get by with inadequate file cabinet locks that can be broken open in five seconds with a screwdriver. “Physical security is often overlooked. It shouldn’t be,” Bruckenstein says. “A lot of the theft taking place in advisor offices is not from Chinese hackers, but from weak physical security of the office.”
- Create stronger passwords. Though it may create more work, your passwords should not include personally identifiable or easily guessed information, such as your birth date or Social Security number. Length is the biggest factor: a long passphrase resists guessing far better than a short string, however many symbols it mixes in. “Passwords should be a combination of letters and numbers as well as upper and lower cases,” Quon says. “And you should change passwords regularly. This minimizes the chances of a hacker getting in.”
- Use a password manager. A reasonably priced or even free password manager like LastPass, RoboForm or 1Password lets you pick one password to manage a list of encrypted and secure passwords for each of your devices and programs. Each of these programs makes it easier for team members to remember passwords, while ensuring that sensitive data stays secure, Quon says. “Password managers ensure strong passwords and force them to change regularly. Those will generate unique passwords and lock down your username credentials. You can have one set of credentials for all your software. And you just have to remember one solid password.”
- Don’t share passwords. You should not use the same passwords as your assistant, Bruckenstein says. “I’ve been in firms, fairly recently, where the advisor and assistants are all using or sharing the same password. If I’m the advisor, should my assistant have access to everything I have? And if three people share the same password and username, if you have a problem, how do you know who is responsible?”
- Limit access to documents. Can everyone in your firm access your client folders? That’s a problem. “I’ve seen relatively large firms, with thousands of clients, where anybody working there can read a client’s file, print it, or copy it,” Bruckenstein says. “That’s what happened with Morgan Stanley. A junior person had access to thousands of client files, and there was no procedure to control access.” Bruckenstein advises: Only give access to people who need it to do their jobs. Don’t purchase cheap software that fails to limit access.
- Require multi-factor authentication. Two-factor (multi-factor) authentication should be used whenever possible for account access. Yenamandra acknowledges that multi-factor authentication is a “pain in the neck” when people just want to access their account. “It’s also necessary,” he says, adding that there often is a tradeoff between security and convenience. “In one case, in order to satisfy customer support calls, Vanguard turned off multi-factor authentication,” Yenamandra says. “They didn’t have a secret question. So for a while, until they resumed their security policy, you could provide wrong information and still access the data.” He compares cybersecurity to airport security. “It’s highly inconvenient, but ultimately a small price to pay to secure everyone.”
- Update your anti-virus and anti-spyware software. Make sure you scan regularly and keep software updated. Yenamandra’s Entreda program alerts advisors when they shut off a firewall or their firewall program is about to expire. He warns against turning off firewalls. “People do this when they download a program. But then they forget to turn the firewall back on and remember it three months later.”
- Update software patches. Regularly update your web browser and email client, Bruckenstein advises. “For a long time, a lot of firms were very hesitant to upgrade to the latest version of their email program. They were not always getting patched, and this led to vulnerabilities.” Set your computers for auto updates at the end of each business day. “You should keep all security patches, software, and firmware up to date,” Quon adds. “It’s the best way for your computer to stay clean because manufacturers are often aware of threats against their programs.”
- Develop consistent firm policies. You’re only as “secure” as your weakest link. Your staff needs to follow all the protocols for protecting client data. “Your biggest threat to cyber security is about behavior more than hardware or software,” Quon says. “Good security policies should always be in writing. Have employees read and affirm them. Define how your staff will access information across your systems and devices. Define which staff members should have access to which information. Restrict the most confidential data to those trained and skilled in handling that information. Test your procedures and the status of your staff permissions at least once a year.”
- Educate employees. It’s not enough to just develop smart procedures. You must enforce them. “Often, there are policies in place, but they don’t get followed,” Bruckenstein says. “An employee might be using a website that they shouldn’t be using, they download a virus, which gets into the firm’s network. Or their email gets hacked, the hacker adds a code onto their email, and sends out an email to everyone in the address book. If their computer gets infected and it’s attached, so is your network.” Quon adds: “Train your team in good security practices. Ensure you have security practices and policies for employees to read and affirm.”
- Remind clients, too. You’re vulnerable not only through a rogue employee but also through a compromised client. Hackers have been known to break into a brokerage client’s email account, Bruckenstein says. “Your client might be using something like Yahoo or Gmail without a secure password. The hacker can scan all the emails. If they have years of email on their system, it’s not difficult to put together a picture of the client. The hacker knows the client is going on vacation to Bali, and could theoretically send an email to the advisory firm requesting a payment.” Treat any emailed request to move money as unverified until you confirm it with the client by phone, at a number already on file rather than one supplied in the email. Make sure clients know not to open strange-looking emails. And remind them about the hazards of non-secured networks.
- Appoint someone to monitor cybersecurity. The average independent advisor, aged 55 to 65, may not be tech savvy – and may not have the time. Consider appointing a tech-savvy team member to spearhead cybersecurity efforts. It may also be wise to work with a tech firm that specializes in financial companies. These companies can assist your team with secure messaging, encryption, multi-factor authentication, secure mobile services, and firewalls. They can even monitor when someone is trying to intrude on your network.
- Ask your broker-dealer or custodian for advice. If you’re not familiar with a good tech company or have questions about security best practices, lean on your broker-dealer and custodian. “They know a lot more about technology than the average advisor,” Bruckenstein says. These support firms may be able to recommend a knowledgeable service provider to assist you. “Most of us are in over our heads,” Bruckenstein says. “A referral goes a long way.”
- Invest in the right tech tools. Sometimes with cybersecurity, firms are penny wise but pound foolish. There will be a cost for some of the tools and software – but it can be a very important one for your firm. “There’s always a price for technology,” Yenamandra admits. “But with more people adopting technology, we see pricing coming down. Intermediaries also are starting to subsidize products. Regulators even say, we think this is so important, we’re going to negotiate with vendors and get a group discount.”
- Establish a breach protocol. What happens in the event of a data breach or device loss? Devise a strategy and coordinate with compliance. Plan to report compromised data, and have a policy in place for communicating it, Quon says. “You need to address what you’re doing to mitigate that risk. Always have a device management policy, for instance. If someone walks off with one of our laptops, we can log in to our computer, and wipe out the data. That’s part of our breach protocol.”
- Conduct regular cybersecurity audits. Your firm, along with your vendors and third-party service providers, should be conducting regular cybersecurity audits on any systems used to hold sensitive client information. Ask your vendors and service providers how they audit themselves. What type of facility is the data stored in? Is there redundancy in the system? How frequently do they back up data? Request a copy of each vendor’s cybersecurity and disaster recovery plan and audit, and keep it in your compliance folder. Also, walk your floor. Make sure all paper files and data storage equipment are secured. Make sure none of your staff have passwords written down or hidden under the keyboard or in a drawer. “Those are risks,” Quon says. Your custodian can help you with white papers listing industry standards.
The above list may not cover all potential threats to client data – but if you’re doing each one, your risks are going to be much, much lower. And then maybe you can stop worrying!