Results of Arizent’s latest cybersecurity survey of financial services business leaders revealed that “Wealth Managers have fallen behind other financial firms in shoring up their cybersecurity.”
Wealth managers have thus far reported a lower rate of incidents than firms from other areas of financial services. However, attacks and breaches in that sector are growing quickly, according to experts who say advisors and firms shouldn’t wait for client information to be compromised to take basic steps that banks and insurers have already adopted much more widely.
Only 21% conduct so-called white hat exercises in which their own team or an outside consultant attempts to hack into the infrastructure. A little more than a quarter, 28%, cut off access when they’re making patches in their systems, and just 34% periodically rehearse what they would do in the event of a breach. Wealth managers report much lower rates of adoption than professionals from other financial industries in all three categories.
Subsequent to the findings, Brian Edelman, FCI CEO & Cybersecurity Expert, was interviewed by Financial Planning to discuss recommendations for cybersecurity safeguards for wealth managers and advisory practices.
First and foremost, firms should put a cybersecurity program into place in which policies and procedures are well defined and technical safeguards are evidenced. An Incident Response Plan (IRP) is a critical component of a cyber program and should be tested regularly, along with execution of an annual Security Risk Assessment.
Advisory and wealth firms often embrace the myth that, because they tend to be smaller firms in practices dispersed throughout the country, they’re less likely to be targeted, according to Brian Edelman, CEO of FCI, a managed security service provider to financial companies. Employees at such firms can fall into common traps such as forgetting to put security measures back in place after loosening them temporarily for any reason, Edelman said.
Beyond increased cyber threats, Wealth Managers have further incentive to adopt cybersecurity safeguards given the SEC enforcement action in August 2021 in which 8 firms were sanctioned for deficient cybersecurity practices that led to exposure of client private data. And, in February 2022, the SEC proposed new rules that will hold RIAs and Funds responsible for adherence to cybersecurity risk management standards and public disclosure requirements.
“The authorities will accuse the advisor of being the bad actor first,” said Edelman, noting that it can become very helpful for firms that show evidence of their safeguards in writing. If not, he added, “You’re not only going to be a victim of the bad actor, but you’re going to be a victim of the system. We call that double victimization. Wealth managers who take the necessary steps to protect their clients, advisors and employees and document them fully could get ahead of the threats of attack and the risk of costly enforcement actions,” said FCI’s Edelman.