Practice Management
Six Cybersecurity Tools to Use in the Wake of the Equifax Hack
Most advisors don’t have required safeguards in place, one expert says.
This Practice Management article is intended for financial advisors only (registered representatives of broker/dealers or associated persons of Registered Investment Advisors).
In the wake of the Equifax hack, are you confident your clients’ data are walled off behind sufficient cyber protections?
If most advisors answered honestly, the answer would be no, says Brian Edelman, founder of cybersecurity consulting firm Financial Computer Services in Bloomfield, New Jersey.
“What we’ve noticed is [that] nobody does this,” Edelman says, based on his encounters with firms that have been operating without adequate cyber defenses for years.
Advisors have become accustomed to outsourcing general tech support and compliance functions. But, he says, firms rarely elevate cybersecurity to the same level of importance, in terms of both budgeting and strategic planning.
Edelman’s clients, which range from single-advisor RIAs to custodians and broker/dealers, retain Financial Computer to keep an array of cyber protections functioning and up to date.
If the fear of hackers themselves isn’t enough to persuade advisors to shore up their cyber moats, they should realize they can be held liable if they aren’t in compliance with their own state’s so-called “safeguards” provisions, Edelman says.
Edelman offers the following list of basic protections that most advisors need in place to comply with each state’s rules:
1. Whole-disc encryption—If advisors lose a laptop or desktop computer through accident or theft, this feature lets them remotely lock hard discs on those machines to render the data on them irretrievable. While it’s a feature of many computer systems, Edelman encourages getting professional help. “[It’s] not that you can’t do it yourself,” he says, “but it’s just not as easy as pushing a button.” IT security companies such as Symantec and Sophos sell disc-encryption products. Edelman’s firm uses one by the latter called SafeGuard. But it also manages the operation of whatever product an advisor’s broker/dealer or parent company uses.
2. Secure messaging—E-mail encryption protects privacy both while a message is in transit and after it’s been received. “Most of the time we find that the broker/dealer, or the financial institution that the broker/dealer is related to, is offering it, but the advisor isn’t using it,” Edelman says. “The key is not to replace anything that’s there but to have a full toolset.” Secure messaging is a candidate for the single most important cyber protection, in Edelman’s view.
3. Cyber monitor—This software tool watches over a computer or network and notifies users if there’s been a breach. “There are a lot of commercial products that vendors might use,” Edelman says. However, “when you get to this level of cybersecurity, the names are not as familiar,” he says. “These are typically things not purchased by a consumer. They are usually purchased through a vendor.”
4. Managed antivirus program—Computer viruses often go unnoticed; this software defends against them. Companies can take on viruses not just through e-mail but also by misspelling a domain name and landing at the wrong website, Edelman says.
5. Corporate firewall—Many firms are only using standard firewalls that are provided by their cable providers, according to Edelman. “That’s not going to cut it,” he says, when it comes to staying in compliance with regulatory safeguard provisions.
6. Multi-factor identification—By now, most people are familiar with this security tool: When you log into your e-mail or other password-protected account, you also have to enter a code retrieved from your mobile phone to complete the process. “This is the new player in this place, [although] it’s been around for a while,” Edelman says. New York State’s influential regulator, the Department of Financial Services, cites the high importance of this safeguard, he says.
These tools, which are evolving as rapidly as are hackers’ strategies, are meant to operate together, Edelman says. “With the absence of any of them,” he says, “you are putting data at risk.”
On March 1, the State of New York upgraded its own security rules. As a result, Edelman expects other states to follow suit and tighten their own, upping the ante over this issue for advisors.
Advisors tend to be most keenly aware of the value of strong cyber protections when they face a real security threat. For example, Edelman says, if you lose a laptop and can prove to regulators that it was covered by whole-disc encryption, “there’s no breach event,” or loss of control over client data for any period of time.
If an advisor can’t prove the data were protected, he or she must report the breach event to regulators, he says, and potentially suffer damaging consequences. Says Edelman, “It’s just that black and white.”
—by Ann Marsh
Ann Marsh is a senior editor and the West Coast bureau chief of Financial Planning. Follow her on Twitter at @Ann_Marsh.
