Defend Client Data from Cybercrime

With cybercrime an increasing threat to small financial firms, it’s important to have a comprehensive program for defense in place.

This Practice Management article is intended for financial advisors only (registered representatives of broker/dealers or associated persons of Registered Investment Advisors).
 

Occasionally I receive questions from clients asking where I store client information, and I’m always happy to answer them. Advisors store large amounts of sensitive personal and financial information, and clients deserve to know it’s kept safe.

I assure clients that we store their sensitive data in a responsible and effective way, with numerous backups in place. I stress that we follow best practices, storing only the personal information that is necessary for our business and never intermingling personal and work documents.

However, I do not share the full details of our cybersecurity program with clients, because that would pose a risk to our business. They understand that decision.

Witness to an Attack
An outside cyberattack on a client two years ago prompted me to get a jump on beefing up my firm’s security. I happened to be visiting this client’s office when he logged onto his computer only to discover that he was a victim of the “CryptoLocker” virus, a program that targets computers running Microsoft Windows. Once in place, the virus encrypts the individual's data and demands payment to release a key that would de-encrypt it. The panic that my client went through was awful to witness.

Although the cyberattack had nothing to do with my business, I felt I had to help him recover his data. Together, we contacted several different companies that were experts in the CryptoLocker virus. Their assessment was bleak. Because his data backup had failed, he would have to deal with the extortionists. In the end, he paid what they asked in bitcoin and his data was unlocked in two stages.

This painful experience prompted me to hire a security auditor to test my technology for weaknesses. I selected a company called Viollis Group International, a consulting, investigation and crisis management firm specializing in security solutions for the affluent community and major corporations. After what had happened to my client, I wanted a full audit of my firm to find out where my walls were thin.

This meant turning to outside professionals for my audit rather than my internal IT people. After all, you wouldn’t permit your accounting firm to audit itself.

Viollis Group analyzed my business servers to verify that data had not already been compromised. Also, it offered services that many advisors should avail themselves of, such as comprehensive vulnerability assessments and penetration to ensure they have not been breached, and to identify any future weaknesses.

An Information Security Plan

In addition to conducting these audits, Viollis Group drafted the written information security program that now guides our cybersecurity efforts. Here are some details I don’t mind sharing:

• While the firm’s chief executive, Paul Viollis, says “secured wireless” is an oxymoron, we did install advanced software to do all we could to secure communication from our office and homes and while traveling.
• We encrypt client e-mail by using Vaporstream for highly sensitive information to and from our clients. Vaporstream is an application that encrypts electronic communication in transit. Therefore, e-mails cannot be copied, printed, or forwarded, and can be read only by the intended recipient. Once read, messages are vaporized and no longer exist. We regularly test the effectiveness of cybersecurity controls, including encryption, and have developed incident response and recovery plans to deal with any unauthorized access.
• We emphasize to our staff that e-mail attachments from unknown or untrusted sources should never be opened and that links to websites should not be accessed. The same is true for known or trusted sources when the attachment and/or referral links are unexpected.
• We train employees periodically with respect to cybersecurity, and continually review company policies and procedures for protecting sensitive data on personal and corporate devices.
• One employee (who reports directly to me) is tasked with oversight of privacy and information security.
• We use two-factor authentication. Essentially, it’s a simple feature that asks for more than your password. For example, to log onto your Google account, you need to type in your password, wait for Google to send you a text message with a code, and then type that in before you could access your account on a new PC or mobile device.

Protecting Your Data
Cybercrime is a constant and growing threat, and we recognize that a financial firm may be a more attractive target than a grocery store. Accordingly, we operate with the National Institute of Standards and Technology’s five-step cybersecurity framework: identify, protect, detect, respond, and recover.

As cybersecurity becomes more of a focus of compliance exams, it is important to adhere to a comprehensive and disciplined program. Also, to ensure that all the necessary resources are available when needed, cybersecurity remains a line item in our annual operating budget, right alongside computer hardware costs.

Looking at the bigger picture, protecting your data will become easier when cybersecurity becomes more instinctive. To that end, education that begins well before its time to secure a workplace is essential. For example, the importance of using passwords should be something we teach our children, just as we instruct them not to talk to strangers and to lock the door when they leave the house. I’m considering offering a cybersecurity seminar for clients and their children to review threats and best practices to keep them safe.

Finally, protecting your data requires taking the time to stay up to date. Providers of cloud software offer a range of interesting and current whitepapers. Downloads are free, and you can get a quick sense of the major issues and learn how some of their products work. In addition, FINRA has created a “Checklist for a Small Firm's Cybersecurity” program to assist small firms in establishing a cybersecurity programs, and the SEC also provides “cybersecurity guidance.”

—by Kimberly Foss
Kimberly Foss, CFP, CPWA, is a Financial Planning columnist, and founder and president of Empyrion Wealth Management in Roseville, California, and New York. She’s also the New York Times best-selling author of Wealth by Design. Follow her on Twitter at @KimberlyFossCFP.