A few weeks ago, a St. Louis-based investment advisory firm settled charges with the Securities and Exchange Commission over allegations that it failed to implement even threadbare cyber security policies and procedures in advance of a 2013 breach of its server, which was hosted by a third party.
The attack, which investigators ultimately traced to China, resulted in the compromise of thousands of the firm’s clients’ personally identifiable information, or PII, according to the SEC.
The firm paid a $75,000 penalty, and though it did not admit or deny the SEC’s findings, the regulator’s allegations present a scenario of complete negligence on the part of the firm.
For years, the firm failed to implement firewall protections or encrypt clients’ PII. In fact, it didn’t even have a written policy in place.
While that level of carelessness is likely an anomaly, that an advisory firm was attacked is not.
Earlier this year, the SEC’s Office of Compliance Inspections and Examinations released results from last year’s cyber security exams of more than 100 broker-dealers and registered investment advisors.
Most firms—88 percent of broker-dealers and 74 percent of RIAs—said they have been subject to cyberattacks, either directly or through third-party vendors.
The SEC is set to begin a second round of exams throughout the country, focusing on now only whether firms have a security policy in place, but whether or not they are actively testing it.
And while advisors to 401(k) plans and other investors will no doubt want to stay on good terms with regulators, GJ King, President of RIA in a Box, an RIA compliance consultancy, says the SEC is the least of advisors’ concerns.
“Cyber security posses the greatest risk to RIA firms in the near and long-term picture,” said King, who recently hosted a webinar with the founders of Itegria, a provider of technology security solutions built specifically for RIAs.
“Advisors can not simply go through the motions when it comes to the threat,” King said. “Every firm’s leadership needs to make this a primary concern.”
RIA advisors to 401(k) plans may want to take even extra care. Recent reports suggest the $5-plus trillion defined contribution market is the next Holy Grail for hackers.
“These accounts often have tens or hundreds of thousands of dollars in them. Combine that with individuals who casually check balances and most of the media’s focus on cyber attacks against retailers and traditional bank accounts, and these retirement accounts are the dark horses of financial loss,” said Ben Johnson, chief security strategist for Bit9 + Carbon Black, a provider of security network solutions throughout the financial, aerospace, and defense industries, among others.
Johnson says the recent string of major compromises of some of the country’s largest retailers, banks and even government agencies means cyber criminals around the world now have a massive “treasure trove” of consumers’ personal information at their finger tips. And they are actively committed to leveraging that for further fraud.
Perhaps the most chastening reality for 401(k) advisors is that most data compromises are not disclosed, in part because many aren’t known, a reality all of the security expert sources for this story underscored.
“At the end of the day you are going to be breached—everyone agrees on that,” said Peter Martini, co-founder of iboss Cybersecurity.
It’s not just the money in 401(k) accounts hackers are after, he said, but all of those personal details that advisors and sponsors store on account holders.
“Advisors and providers to plans hold so much information on participants that hackers can steal and sell on the black market, which can then be leveraged for other attempts at fraud,” said Martini.
For the most enterprising and sophisticated of criminals, size doesn’t matter.
“Everyone is susceptible. Even more so with smaller firms, which usually have less protection, less software infrastructure, and overall, less resources. They’re often the easiest targets. Thieves go after easy targets,” warns Martini.
The good news on the cyber front is that as threats have evolved, so too have the defenses available to 401(k) advisors.
Perhaps as important: enhanced, best-in-class protections do not have to break the bank.
Cloud software innovations are allowing providers to deliver cutting-edge solutions for pennies on the dollar of the investments advisor firms are accustomed to making in security architecture.
Just a few years ago, security upgrades meant implementing costly and cumbersome servers, paying for their maintenance, and making internal investments in personal to oversee the hardware.
“What would have cost $50,000 three years ago can now be delivered for dollars per machine,” said Martini.
With the emergence of new solutions available to advisors, the question becomes one of implementing the best software protections, and just as importantly, the best policies for testing those protections.
Richard Mabbun, CEO of Itegria, the firm that specializes in solutions for RIAs, says it takes a holistic approach to determining a firm’s needs, which can very greatly, often depending on number of employees.
“The first thing we do is go in and understand what the existing policies and procedures are. From there we can figure out which solutions to deploy,” said Mabbun.
He echoed the sentiments of other security providers: advisory firms should avoid so-called check-the-box solutions simply to prove to regulators they have a security program in place.
“There’s a good amount of grey area between what SEC and state regulators require and what are best practices,” explained Julian Makas, Integria’s co-founder and chief technology officer.
What the SEC won’t do, says Makas, is endorse one type of software protection over another.
That said, the implementation of specific protections, like password management tools, which automate complex and changing passwords for each workstation on a network, can prove to regulators the level of a firm’s engagement in protecting against a threat, he said.
Regardless of a firm’s specific product and technology needs, all firms, no matter their size, must maintain and update a written Information Security Policy. Extensiveness will matter to regulators, said King, of RIA in a Box.
And all firms must show they are testing their products and controls and conducting periodic risk assessments, King added.
Also, firms need a written succession plan in place in the event of a breach.
But perhaps the most important component of a firm’s security policy is employee training, a reality echoed by all of the experts.
“Your people are your weakest link—and they are also your greatest line of defense,” said Makas.
Documented annual training should be a minimum, said King. And creating a culture where all employees are encouraged to communicate up the chain of command when they suspect something may be amiss—without the fear of repercussion—is critical.
“You see something you say something, and that starts with a firm’s culture at the top,” said King.
There will never be a way to secure a firm’s network 100 percent—not even the National Security Administration can do that, reminds King.
That makes insisting on security as a priority firm-wide not just a best practice, but a necessary one, said King.
How can you transform your risk management preparedness and response strategy into a competitive advantage? Introducing ALM's cyberSecure — A two-day event designed to provide the insights and connections necessary to implement a preparedness and response strategy that changes the conversation from financial risk to competitive advantage. Learn more about how this inaugural event can help you reduce risk and add business value.Complete your profile to continue reading and get FREE access to BenefitsPRO, part of your ALM digital membership.
Your access to unlimited BenefitsPRO content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking benefits news and analysis, on-site and via our newsletters and custom alerts
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the property casualty insurance and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Nick Thornton
Nick Thornton is a financial writer covering retirement and health care issues for BenefitsPRO and ALM Media. He greatly enjoys learning from the vast minds in the legal, academic, advisory and money management communities when covering the retirement space. He's also written on international marketing trends, financial institution risk management, defense and energy issues, the restaurant industry in New York City, surfing, cigars, rum, travel, and fishing. When not writing, he's pushing into some land or water.
