We are often brought into meetings where a firm’s cybersecurity measures are leaving it vulnerable to attack, or where it is already too late and the firm has been hacked. Wealth management’s collective lack of emphasis on cybersecurity is a problem across the industry, and small and mid-sized RIAs and family offices in particular need to do more to keep clients’ data safe.
The bottom line is that cybersecurity is not a passive policy. You don’t get to “set it and forget it.” It requires constant evaluation, implementation, and verification to stay ahead of bad actors. Fortunately, there are quite a few things business leaders can do to enforce a level of security that makes sense for their firm.
Cybersecurity is Everyone’s Priority
The data that wealth management firms are trusted to keep secure is their end clients’ personally identifiable information: highly sensitive data such as Social Security numbers, names and addresses, and account balances, all of which can cause someone extreme amounts of trouble if it falls into the hands of bad actors. Couple this sensitivity with external factors, the increasing frequency of cyberattacks, the post-Covid hyper-connected world of remote work locations and mobile applications, and bad actors’ use of more powerful tools, and you have a perfect storm of cybersecurity challenges.
And that’s precisely why cybersecurity cannot just be left to the technology team or vendors. It’s a business concern, not just a technology concern. From the CEO on down, it has to be on everyone’s radar.
In addition to protecting your clients’ financial lives, you’re also protecting your business from reputational damage, legal action, and potentially going out of business. It’s also a critical issue across the entire industry. Just one breach at one vendor, like the recent ransomware attack on Ion Group, can put the trading business of millions of customers at risk.
The Root of the Cybersecurity Problem
A few different causes are at play within firms. One is wealth management firms’ reliance on third-party platforms to be responsible for securing data. Some firms believe they bear no responsibility for cybersecurity because their vendors are handling it. In practice the vendor secures its platform, but the firm remains responsible for its own users, their access and credentials, and the client data it puts on that platform; a vendor contract does not transfer that obligation.
Another reason is that firms have extensive protocols in place on paper, but that’s as far as it goes. When the protocols are not being used or enforced they are ineffective at keeping data secure. It’s not good enough just to have a policy saved on a SharePoint site; firms must walk the walk and talk the talk when it comes to cybersecurity.
Finally, the human factor is the weakest link in the whole chain. Human error leaves firms open to hacking-related breaches more than any other problem.
To address these problems, wealth management firms need to focus on people, process, and product.
People: What Employees Should Do
Let’s start with the biggest source of breaches: people themselves, through phishing attacks, malware and poor cyber hygiene, such as not having antivirus software installed on home PCs. According to the 2022 Verizon Data Breach Investigations Report, 81% of hacking-related breaches involved stolen and/or weak passwords. In addition, Verizon says 51% of breaches involved malware, with 66% of the malware installed through email phishing schemes.
Here are immediate actions to enforce for all employees:
- Password management—If you haven’t yet done so, institute and require compliance with a password policy: an 8-16 character passphrase with special characters and numbers, and password changes every 45-90 days (unless you’re using long, complex passphrases). One caveat a practitioner will want: NIST SP 800-63B no longer recommends scheduled rotation or mandatory character-composition rules, because both push users toward predictable patterns; it favors length, screening new passwords against known-breached lists, and forcing a change whenever compromise is suspected. If your regulator or cyber-insurer still requires rotation, keep it, but do not treat rotation as a substitute for breached-password screening and a password manager.
- Sign on—Employ two-factor authentication for all users wherever possible. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or SIM-swapped.
- Personal Email Accounts—Do not use personal email accounts or text messaging to exchange sensitive information. Neither is under the firm’s control, so the firm cannot monitor, retain, or protect what is sent.
- Document management—Never send files containing client data as email attachments; use a secure file transfer service.
- Session Timeouts—Set an inactivity timeout of at most two hours on sessions (shorter for systems that hold client data), after which users must log in again.
- Wi-Fi—Only connect to trusted, password-protected Wi-Fi networks during travel. Avoid free public Wi-Fi networks, or use a VPN if you must use a public network.
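The password bullet above is a policy; enforcing it means checking a candidate passphrase at the point it is set. The following is an added example, not code from the original article or from any vendor platform. It applies a hypothetical firm policy (a 12-character minimum, no username inside the passphrase, and a breached-password check) and simulates the k-anonymity range lookup used by the Have I Been Pwned “Pwned Passwords” service offline: only the first five hex characters of the SHA-1 hash are sent to the lookup, and the suffix comparison happens locally, so the password never leaves the client. The breached-password list and the rotation window are constructed for illustration.

```python
"""Passphrase policy check with an offline breached-password lookup.

Added example, not code from the original article. MIN_LENGTH, MAX_AGE_DAYS and
the breached list are constructed for illustration; in production range_lookup()
would query the Pwned Passwords range API or an equivalent feed.
"""
import hashlib
from datetime import date

MIN_LENGTH = 12       # hypothetical firm minimum; NIST SP 800-63B requires at least 8
MAX_AGE_DAYS = 90     # upper end of the article's 45-90 day rotation window

# Constructed sample of compromised passwords, stored only as upper-case hex SHA-1,
# the same form the Pwned Passwords service uses.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1!", "Welcome2023!", "Summer2022", "letmein123456")
}


def range_lookup(prefix):
    """Simulate the k-anonymity range query: given the first 5 hex characters of a
    SHA-1, return the suffixes of every breached hash sharing that prefix. Neither
    the password nor its full hash is ever sent to the lookup service."""
    prefix = prefix.upper()
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(candidate):
    """True if the candidate's SHA-1 appears in the breached set."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_passphrase(candidate, username=""):
    """Return a list of policy violations; an empty list means the passphrase passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if len(set(candidate.lower())) < 4:
        problems.append("too repetitive (fewer than 4 distinct characters)")
    if is_breached(candidate):
        problems.append("appears in a known breach; choose something else")
    return problems


def rotation_due(last_changed_iso, today_iso, max_age_days=MAX_AGE_DAYS):
    """True when a scheduled change is due (ISO dates). Only meaningful if your
    policy still mandates rotation; a suspected compromise forces a change regardless."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple", "jsmith-office-2023"):
        print(f"{pw!r}: {check_passphrase(pw, username='jsmith') or 'OK'}")
    print("rotation due:", rotation_due("2023-01-01", "2023-04-15"))
```

The breached check is the part that catches what composition rules miss: “Password1!” satisfies an uppercase/number/symbol rule and is still one of the first guesses an attacker tries, while a long passphrase with no symbols passes because it is neither short nor known-compromised.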
Most importantly, don’t just blindly trust your employees to do the right thing, actively verify their compliance by monitoring for gaps in adherence to protocols to reduce risk.
You should also counsel your clients to secure their accounts by using a different password for each account, to protect their web browsing by only visiting secure (HTTPS) sites, installing antivirus software and clearing cookies, and to secure their home Wi-Fi networks.
Process: Who Protects Your Platform and How
Understand what data protections and cybersecurity protocols your vendors have in place. Define with your vendor who is responsible for the data and for credentials, so that you know which policies you must enact and which the vendor enacts. And require vendors to integrate your policies where appropriate to achieve the highest levels of data security.
Your wealth management platform should be secured with:
- Cybersecurity products and services that provide real-time analysis, monitoring, auditing, and alerting on security logs generated by applications, hosts, and network devices
- Data encryption, both at rest and in transit
- Geolocation-based access control that only allows access from approved geographical locations (treat this as one signal among several: IP geolocation is approximate, and a VPN or cloud-hosted attacker can appear to be in an approved region)
Additionally, educate advisors and clients on the importance of cybersecurity and why they can’t send sensitive information through email or text. Train staff continually on email phishing schemes and alert employees when new schemes emerge or are found on company systems.
Ensure adoption of the tools by confirming that all employees know how to use the cybersecurity features on the platform and that their use is enforced. Remember, protocols need to have "teeth" to be valuable. Having protocols that are widely flouted diminishes the value of the protocol.
Product: Technology Tools that Support Cybersecurity
We often advise firms on their technology investments for security. One thing we recommend, in addition to the protocols and tools listed above, is a secure messaging tool that takes conversations off of unsecured email and texting platforms.
Another big thing we recommend is user behavioral pattern detection. It can be hard to tell that you’ve been breached, because a bad actor who logs in with a compromised client password raises no instant red flag: the login itself succeeds. One way to address this is to analyze behavioral activity and look for anomalies, for example someone who never logs in on weekends suddenly logging in on a Sunday.
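The Sunday-login case above is the simplest form of this analysis: learn each user’s normal days, hours and source addresses, then flag logins that fall outside them. The following is an added example, not code from the original article or from any vendor product. The log format (ISO timestamp, username, source IP), the users, the RFC 5737 documentation addresses and the dates are all constructed for illustration; the first week of events trains the baseline and the second week is scored against it.

```python
"""Behavioural login-anomaly detection over a per-user baseline.

Added example, not code from the original article. The log format and every
user, IP and date below are constructed; adapt parse_events() to what your
platform or SIEM actually emits.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: two weeks of successful logins. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges (RFC 5737), not real addresses.
SAMPLE_LOGINS = """\
2023-03-06T08:55:12 jsmith 203.0.113.10
2023-03-07T09:02:44 jsmith 203.0.113.10
2023-03-08T08:47:31 jsmith 203.0.113.10
2023-03-09T09:15:09 jsmith 203.0.113.10
2023-03-10T08:58:20 jsmith 203.0.113.10
2023-03-06T17:30:00 amartin 203.0.113.25
2023-03-08T18:05:12 amartin 203.0.113.25
2023-03-10T17:45:50 amartin 203.0.113.25
2023-03-13T09:01:00 jsmith 203.0.113.10
2023-03-14T10:00:00 newhire 203.0.113.30
2023-03-15T17:50:00 amartin 203.0.113.25
2023-03-19T02:14:05 jsmith 198.51.100.77
"""
TRAINING_CUTOFF = "2023-03-13"   # events before this date form the baseline
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_events(text):
    """Parse 'timestamp user ip' lines into dicts, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip})
    return events


def build_baseline(events):
    """Per user: the weekdays, hours and source IPs seen in the training window."""
    baseline = defaultdict(lambda: {"weekdays": set(), "hours": set(), "ips": set()})
    for e in events:
        b = baseline[e["user"]]
        b["weekdays"].add(e["ts"].weekday())
        b["hours"].add(e["ts"].hour)
        b["ips"].add(e["ip"])
    return baseline


def score_event(baseline, event, hour_slack=1):
    """Return the reasons an event deviates from its user's baseline (empty = normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user (first login seen)"]
    reasons = []
    ts = event["ts"]
    if ts.weekday() not in b["weekdays"]:
        reasons.append(f"login on {WEEKDAYS[ts.weekday()]}, a day never seen before")
    lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
    if not lo <= ts.hour <= hi:
        reasons.append(f"login at {ts.hour:02d}:00, outside usual {lo:02d}-{hi:02d}")
    if event["ip"] not in b["ips"]:
        reasons.append(f"new source IP {event['ip']}")
    return reasons


def detect_anomalies(text, cutoff_iso):
    """Train on events before the cutoff, score the rest; return (ts, user, reasons)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse_events(text)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = score_event(baseline, e)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


def run_sample():
    """Score the constructed sample; returns two alerts (newhire, then jsmith on Sunday)."""
    return detect_anomalies(SAMPLE_LOGINS, TRAINING_CUTOFF)


if __name__ == "__main__":
    for ts, user, reasons in run_sample():
        print(f"ALERT {ts} {user}: " + "; ".join(reasons))
```

The Sunday 02:14 login from a new address trips all three checks at once, which is the pattern to escalate; the new-hire alert is a reminder that a user with no history needs a baseline (or an onboarding exception) before the detector is meaningful. A production system would add more signals (device fingerprint, impossible travel between consecutive logins, failed-attempt bursts) and feed the alerts into the monitoring and alerting tools described in the previous section.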
Be vigilant. Always run your cybersecurity tools all of the time, not just when you think something might be wrong.
Cybersecurity is Ongoing
Get in the mindset that you need to do more than one thing to protect the firm. Don’t just lock the front door and forget about the windows, back door, or chimney. Continuously look at all angles of storing and sharing your data and implement better and advanced forensic tools as they become available.
If you need help knowing where you have cybersecurity gaps, get in touch for guidance on the latest tools and best practices.