Article and interview with Brian Edelman, Financial Computer CEO. Link to the article: TDA4advisors Blog.
By Bryan Baas, Managing Director, Institutional Oversight and Control, TD Ameritrade Institutional
You’ve seen it before. You just received an email from someone in Iberia, claiming they received an inheritance and they need to wire it to you immediately. They just need your account information. Right away, you know this is a scam, but would you if you hadn’t heard the tale before?
Within the financial sector, wire requests like these are common and often more subtle. As advisors, it’s not always easy to differentiate a client from a hacker, especially when you’re conducting business online.
According to the Investment Advisor Association, the single biggest threat to advisors is account takeover. In fact, 53% of financial exchanges experienced a threat in 2013, according to the Securities and Exchange Commission (SEC).¹
Email hijacking, wire fraud, identity theft, phishing, malware, etc.—they all pose an ever-increasing threat to you, your firm, and your clients. At National LINC 2015, Brian Edelman, CEO of Financial Computer Services, urged attendees to turn cybersecurity into opportunity. “When we educate the people around us, we can protect ourselves.” It takes just one person, one incident, to infect an entire company.
Use these best practices to help create a defense against cyberattacks:
Educate Your Staff (and, in turn, your clients)
A new Financial Industry Regulatory Authority (FINRA) report on cybersecurity practices stresses the importance of employee training, noting that most attacks resulted from employees “inadvertently downloading malware or responding to a phishing attack.”²
According to Edelman, equipping your staff with knowledge is one of the most important things you can do. The more training they have, the better they can protect your clients’ wealth—from basics like knowing the firm’s cybersecurity policy and who the security officer is, to why using secure email and password management helps safeguard client account information.
Implement the Right Tools
In a 2014 survey by the North American Securities Administrators Association (NASAA), 92% of the 440 firms surveyed said they use email with clients but only 50% use secure email.³ Simple actions you can implement today, such as setting up secure email and installing antivirus software, will have a lasting effect and ultimately can protect your most valuable asset—your clients’ trust in your firm. Plus, there’s little to no cost involved to implement. Work with the individual who manages your IT to ensure you have a managed firewall, full-disk encryption, two-factor authentication, and a password manager.
Assign an Information Security Officer (ISO), preferably a senior manager, to serve as the point of contact and create an incident response plan. Determine what steps are needed when a computer is compromised, equipment is lost, login attempts have failed, or data is being copied to an unsecure location. Having a plan in place ahead of time will save time, money, and your reputation.
Begin a dialogue with your clients regarding cybersecurity and how you approach it within your firm. Engaging your clients in the conversation helps them feel safe, and you’ll be able to use this knowledge to leverage new clients.
Be Prepared for Your Audit (it will come)
Know your current policy and make sure it’s documented, or you could get fined. And it can be costly, according to Susan Boudrot, Chief Compliance Officer at TD Ameritrade. Certain entities have incurred significant six-figure penalties from regulators for failure to prevent cybersecurity breaches.
To help, the SEC Office of Compliance Inspections and Examinations has created a list of questions for advisors to ask themselves when assessing their firm’s cybersecurity compliance. Some of the questions include:
• Do you have organizational structure and reporting lines?
• What is your approach to information technology risk assessments?
• Do you have processes for obtaining and sharing information with other firms?
• Do you have insurance coverage?
• What third parties have access to your systems?
As daily business operations rely more heavily on multiple tiers of technology, the vulnerabilities of your systems only increase. The sooner you can put a plan in place and the more familiar you become with ways to safeguard and implement best practices, the more you can reduce your risk. Safeguarding your security could be the most important business decision you make.
For additional advice on protecting your clients’ information, check out my earlier blog post One Simple Step You Can Take to Prevent Email Fraud to understand ways to help keep your firm and your clients safe from fraudulent wire transfers.
1 U.S. Securities and Exchange Commission, The Commission’s Role in Addressing the Growing Cyber-Threat, March 6, 2014.
2 The Financial Industry Regulatory Authority (FINRA) Report on Cybersecurity Practices, Feb. 2015.
3 North American Securities Administrators Association (NASAA), Survey of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms, Sept. 2014.