Keeping Up Your Guard
The NSA, Equifax and the SEC were all breached. Advisors of all sizes are fair game, too. Follow these measures to protect your clients’ data.
If the NSA, Equifax and the SEC are all within cyberhackers’ crosshairs, it’s safe to assume that financial advisors are fair game for a potential breach, too.
Even firms that believe they’re too small to matter should think again. If a cyberattack happens at a firm’s outsourced CRM partner, portfolio management vendor or custodian, and clients’ personal information is compromised, where is the client going to turn first to demand an explanation?
Advisors need to act swiftly when there’s a cybersecurity breach. Doing nothing is simply not an option.
Planners can use recent headlines to reiterate their own cybersecurity policies and procedures. If news on cyberattacks prompts the firm to make internal operational or IT adjustments, explain this to clients.
For example, advisors can remind clients what to expect in firm emails. This could mean reviewing the type of information that is — and is not — shared via email. Just as advisors might be targets of a breach, they might also be impersonated for a phishing attack on their clients. Advisors should spell out the steps clients should take if they receive a suspicious email or phone call.
STAY ON TOP OF THIRD-PARTY SECURITY
While RIA custodians do a significant amount of risk assessment of their technology providers, advisors should not lean solely on custodians as a safeguard. This is especially true for vendors that fall outside of a custodian’s tech offering and, as a result, may not be vetted to the same rigorous standards.
Conducting ongoing due diligence on third parties is critical. Advisors should periodically ask their vendors the following questions: Is my data stored in the U.S.? How are you encrypting data in motion, at rest and in use? What information do you pass along and is it on a need-to-know basis?
Additionally, RIAs should demand daily communication from their vendors on cybersecurity enforcement. For example, advisors should be reviewing access logs, backup reports, change logs and system reports, as well as the results of vulnerability testing and assessments.
RIAs are entrusted to manage hard-earned assets, to achieve financial goals and to protect against downside risk; today that includes managing the risk of fraud or cybertheft. This dialogue can be part of the progression of the client-advisor relationship, and can be a differentiator for the firm.
While communicating with clients about the firm’s cybersecurity protocols, RIAs can also educate clients on how to act online to keep their information safe. Throughout these discussions, advisors can convey confidence and make suggestions without getting overly technical.
Do not wait until a breach occurs to communicate with your clients. Instead, offer cybersecurity updates as a part of the normal workflow of doing business. A word of caution here: take care not to overcommunicate on cybersecurity, either. Proactive client updates should happen throughout the year, but no more than quarterly.