Our Wired World

Making Your Online World Safe

How would a cyber-attack affect your practice?

by Adi Garg

Mr. Garg is Chief Technology Officer at Allworth Financial. Visit www.allworthfinancial.com

Advisors operating their own wealth management firms want to provide the best possible service for their clients. Now, more than ever, this necessitates protecting clients’ data. Unfortunately, cybersecurity is also one of the areas that is most often overlooked. While 74% of financial institutions experienced a significant increase in cyber risk, only 30% of company executives believe they are providing adequate cyber support. This is especially true for smaller organizations that do not usually have the resources and whose owners are responsible for operating the business in addition to their core capacities as financial advisors.

All businesses are vulnerable to cyberattacks and financial services providers must recognize that cybersecurity is particularly critical to their industry. Financial planning is a profession built on trust, and a cyberattack could be catastrophic to an advisory business. Additionally, many of the financial planning activities that traditionally took place at an in-person office setting have migrated online, even more so in the past two years because of the COVID-19 pandemic. While some advisors are beginning to resume in-person meetings with clients, many have retained or gained new clientele across geographical regions. Many wealth management employees are continuing to work from home, increasing risk exposure. When all employees are centered in one office, hackers have one service provider and a single firewall to bypass. If 10 employees are working from 10 separate locations, hackers have 10 points of entry, which are each potentially more vulnerable than one centralized office server that implements a robust cybersecurity strategy.

Although capabilities exist to detect breaches quicker than ever before, attackers are getting bolder, faster and more sophisticated, making use of artificial intelligence and bots to execute their attacks. Incidents have become more frequent, personalized and targeted, increasing the chance that your firm’s network could be compromised. To ensure the protection of your clients and your business, it is becoming more vital than ever for firms to establish sound cybersecurity strategies and learn how to mitigate risk.

Cybersecurity Risks Have Only Increased For The Modern RIA

The first step to mitigating cyber risk is to understand that your business is a target. Advisors should assume there is a certain level of risk and take steps to reduce that risk for the benefit of partners, clients and the firm. By having protocols in place, it’s possible for firms to avoid some of the most common cybersecurity attacks.

Some of the most common attacks include malware, phishing, compromised devices and ransomware. Most often, these incidents begin with a lack of awareness or mismanagement of employee credentials, a stolen laptop, an insecure password or a click on a malicious link. These attempts are also growing more sophisticated and frequent by the day, as hackers take advantage of the latest technologies. The RIA sector is seeing an increase in phishing attempts driven by artificial intelligence and bots, which can target employees in clusters and personalize messages more precisely than ever. Instead of a generic message blasted to thousands of people at once, an employee is now more likely to receive a phony email that addresses them by name, poses as the CEO of the organization and asks for a favor. Foreign attacks are another major concern afflicting RIAs today.

Consequences Of Neglecting Cyber-Security

One of the most tangible ramifications of neglecting cybersecurity is financial loss. According to The Sophos State of Ransomware 2021 report, the average ransom paid by mid-sized organizations was more than $170,000. However, on average, only 65% of the encrypted data was restored after the ransom was paid. Additionally, fines for cybersecurity violations can be steep, which can cause smaller businesses to go bankrupt. Beyond fines, regulators and clients alike may have cause to sue a financial services provider. While larger firms are most vulnerable due to their visibility, make no mistake—the smaller RIAs are also consistent targets for bad actors.

The liability can create a situation disruptive to conducting business. A disclosure event in which every client is informed that there is a breach could likely result in clients losing trust in your business and walking away. In the age of social media, news spreads quickly and your business may not be able to recover. Additionally, if your systems are shut down by ransomware on a prominent trading day and clients are unable to reach you, they have cause for legal action for not maintaining continuity. In the longer term, a data breach can damage your firm’s reputation, making it potentially more challenging to plan for succession or sell the firm. Most buyers would not want to be associated with an organization involved in a data breach.

Steps Advisors Can Take To Protect Client Data


From building a cybersecurity strategy to enforcing technology protocols within a firm, there are a variety of ways that financial advisors can mitigate cyber risk. Beyond broader technology integration across the firm, Allworth focuses on four areas: prevention, detection, mitigation and recovery.

Small organizations don’t necessarily need to integrate with a larger firm or hire a full-time specialist to improve their cybersecurity. If neither of these solutions is appropriate for your organization, contract a third-party cybersecurity firm to provide an assessment of the firm’s networks. Some of the preventative measures security firms take include penetration and vulnerability tests, in which a simulated bad actor attempts to break in. They can also provide broader assessments to ensure that your network is set up correctly and can work with your internet service provider to harden your infrastructure through encryption, firewalls, VPN and segregated guest WiFi, among other measures.

Additionally, every firm, regardless of resources or size, can take the following three measures internally to mitigate breaches:

  • Phishing awareness training and testing
    Phishing is a common social engineering attack used to steal user data, including login credentials and financial information. It occurs when an attacker sends a fraudulent message, often while posing as a trusted individual within the organization. Conducting simulated attacks and regular cybersecurity trainings is fundamental to ensuring your staff remains vigilant while using the company’s network and avoids clicking on any unknown links.
  • Safeguarding credentials
    Protecting your organization’s credentials is key to cyber risk prevention. All members within the organization should use strong, complex passwords that are exclusively used to log into that network. Reusing passwords from other websites can expose credentials to theft. An additional, but extremely helpful measure is to set up multi-factor authentication, which requires a user to provide two or more forms of authentication to gain access to a network.
  • Mobile device management
    Most people are a little more protective of their computers than their phones. However, it is becoming more and more common for clients to contact advisors through their mobile devices via email, text message and phone call. For this reason, it is critical to keep all devices used for work updated, free of junk apps and careful in how they store and handle client information. Otherwise, malicious software may simply enter your organization through a phone or tablet.

How Is Cyber-Security’s Mission Shifting In 2022 And Beyond?

This year, advisors are looking to improve their cyber protocols to develop trust and accelerate business, which intersects with the record level of M&A activity that is projected to continue through 2022. In general, the industry is turning towards making security more usable and accessible, with a focus on balancing functionality with security. The reality is that businesses need technology to operate, which creates demand for security staff. These specialists help businesses determine the level of risk that is acceptable for a specific firm, and in general, RIAs are best served by a very conservative risk level.

There are also some positive trends emerging to help guide cybersecurity professionals in the wealth management space. Accompanying the increased cyber risks is an escalating number of regulatory requirements. Privacy regulations are becoming quite prescriptive and, in some cases, create situations where third parties and governments can sue for violations, so it is becoming even more important to remain compliant. Regulations are also becoming more comprehensive. For example, tax practices must comply with regulations in every state in which they serve clients. An additional trend that’s gaining momentum across all sectors is dark web monitoring, which allows cybersecurity professionals to keep track of sensitive information being shared across networks normally inaccessible to the public and to provide an additional layer of security assurance.

It takes time to implement training programs and to achieve the level of technological sophistication that a strong cybersecurity protocol entails. Given the changing cybersecurity landscape and the trust-based nature of the wealth management industry, now is the perfect time for all firms to begin integrating a strong and comprehensive cybersecurity strategy.