Keeping Up Your Guard

The NSA, Equifax and the SEC were all breached. Advisors of all sizes are fair game, too. Follow these measures to protect your clients' data.

Financial Planning - By Wes Stillman


If the NSA, Equifax and the SEC are all within cyberhackers' crosshairs, it's safe to assume that financial advisors are fair game for a potential breach, too.

Even firms that believe they're too small to matter should think again. If a cyberattack happens at a firm's outsourced CRM partner, portfolio management vendor or custodian, and clients' personal information is compromised, where is the client going to turn first to demand an explanation?

Advisors need to act swiftly when there's a cybersecurity breach. Doing nothing is simply not an option.

Planners can use recent headlines to reiterate their own cybersecurity policies and procedures. If news on cyberattacks prompts the firm to make internal operational or IT adjustments, explain this to clients.

For example, advisors can remind clients what to expect in firm emails. This could mean reviewing the type of information that is, and is not, shared via email, and the type of request the firm will never make by email or phone, such as asking for passwords or for a wire to a new account. Just as advisors might be targets of a breach, they might also be impersonated in a phishing attack on their clients. Advisors should spell out the steps clients should take if they receive a suspicious email or phone call, including how to verify the request through a channel the firm has already established.

While RIA custodians do a significant amount of risk assessment of their technology providers, advisors should not lean solely on custodians as a safeguard. This is especially true for vendors that fall outside of a custodian's tech offering and, as a result, may not be vetted to the same rigorous standards.

Conducting ongoing due diligence on third parties is critical. Advisors should periodically ask their vendors the following questions: Where is my data stored, and is it stored in the U.S.? How are you encrypting data in motion, at rest and in use, and who holds the keys? What information do you pass along to your own subcontractors, and is it limited to what each party needs to know?

Additionally, RIAs should demand regular, ideally daily, communication from their vendors on cybersecurity enforcement. For example, advisors should be reviewing access logs, backup reports, change logs and system reports, as well as the results of vulnerability testing and assessments, and should ask the vendor how findings from those reports are tracked to closure.
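What "reviewing access logs" looks like in practice is rarely spelled out. The following is an added example, not code from the article or from any vendor, that applies two checks a first-pass review would usually include: a burst of failed logins for one account, and a successful login from a country that account has never used before. The log format (one event per line: timestamp, user, source IP, country, result) and the sample events are constructed for illustration; a real vendor export will need its own parser.

```python
"""Added example: a first-pass review of a vendor access-log export.

The log format and the sample events below are constructed assumptions,
not the article's data or any vendor's actual format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: ISO-8601 timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z alice 203.0.113.10 US ok
2024-03-04T08:03:40Z bob 198.51.100.7 US ok
2024-03-04T13:15:02Z alice 203.0.113.10 US ok
2024-03-05T02:10:00Z bob 192.0.2.44 RO fail
2024-03-05T02:10:05Z bob 192.0.2.44 RO fail
2024-03-05T02:10:09Z bob 192.0.2.44 RO fail
2024-03-05T02:10:14Z bob 192.0.2.44 RO fail
2024-03-05T02:10:20Z bob 192.0.2.44 RO fail
2024-03-05T02:10:31Z bob 192.0.2.44 RO ok
2024-03-05T09:00:00Z alice 203.0.113.10 US ok
"""

FAIL_THRESHOLD = 5               # failures per user that count as a burst
FAIL_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the assumed whitespace-delimited format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return (user, first_failure_ts, count) once per user whose failures
    within `window` reach `threshold`. Sliding window over the sorted events."""
    findings = []
    recent = defaultdict(list)          # user -> timestamps of recent failures
    for e in events:
        if e["result"] != "fail":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # expire failures outside the window
            q.pop(0)
        if len(q) == threshold:                # report when the threshold is first reached
            findings.append((e["user"], q[0], len(q)))
    return findings


def find_new_countries(events):
    """Return (user, ts, ip, country) for successful logins from a country the
    user has not logged in from earlier in the stream. The first successful
    login per user seeds the baseline and is not flagged; a real review would
    seed it from prior history instead."""
    seen = defaultdict(set)
    findings = []
    for e in events:
        if e["result"] != "ok":
            continue
        if seen[e["user"]] and e["country"] not in seen[e["user"]]:
            findings.append((e["user"], e["ts"], e["ip"], e["country"]))
        seen[e["user"]].add(e["country"])
    return findings


def review_access_log(text):
    """Run both checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "failed_login_bursts": find_failed_login_bursts(events),
        "new_countries": find_new_countries(events),
    }


if __name__ == "__main__":
    for check, items in review_access_log(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("   ", item)
```

On the constructed sample, the review flags one burst (five failures for bob within 31 seconds) and one new-country login (bob succeeding from RO right after that burst); the combination is the pattern worth escalating to the vendor the same day rather than at the next quarterly review.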

RIAs are entrusted to manage hard-earned assets to achieve financial goals and to protect against downside risk, and today that includes managing the risk of fraud or cybertheft. This dialogue can be part of the progression of the client-advisor relationship, and can be a differentiator for the firm.

While communicating with clients about the firm's cybersecurity protocols, RIAs can also educate clients on how to act online to keep their information safe. Throughout these discussions, advisors can convey confidence and make suggestions without getting overly technical.

Do not wait until a breach occurs to communicate with your clients. Instead, offer cybersecurity updates as a part of the normal workflow of doing business. A word of caution here: take care not to overcommunicate on cybersecurity, either. Proactive client updates should happen throughout the year, but no more than quarterly.
