Cybersecurity risks continue to be a growing threat to RIAs and other advisory firms, and good technology alone isn’t enough for them to combat and overcome the problem, cyber experts say in a new report released Tuesday. Its four sections cover background information for CEOs, how cybercriminals attack, foundational cybersecurity defenses and detailed additional protocols.
The report aims “to help wealth management firm CEOs better understand their organizations’ risks and obligations and the exact steps they must take to protect themselves.” The report’s recommendations were designed to be “starting points that should be independently considered to determine if they are appropriate for a specific firm at a specific time.”
Cybercrime will soon be a $10.5 trillion annual business, experts including Brian Hamburger, President and CEO of MarketCounsel Consulting, and Mark Hurley, CEO of Digital Privacy & Protection (DPP), project in the whitepaper, “Confronting the Realities of Cyber Threats.”
Other authors include Carmine Cicalese, President of Cyber CIC and Senior Partner at DPP; Daniel Bernstein, Chief Regulatory Counsel at MarketCounsel; Bryce Washum, Senior Partner at DPP; Douglas Garbutt, Partner-in-Charge of Implementation at DPP; and Katherine Winford, Shareholder and Director of Operations at DPP.
Financial services industry participants and their clients make for “compelling targets,” the report says, pointing to the many firms that have “already been attacked,” resulting in millions of dollars of client assets being stolen.
On top of that, the SEC and various state regulators have made it clear – through proposed regulations, examinations and risk alerts – that they expect participating industry firms to have cybersecurity protections in place.
It is expected that “new regulations will require wealth managers to adopt cybersecurity policies and procedures that are ‘adequate’ and that they must ‘effectively certify’” them, the report says. Should the policies and procedures adopted by industry firms turn out to be “inadequate,” they might face an SEC enforcement action, the report warns.
The whitepaper continues: “Unfortunately, as reflected in several industry surveys, to date most participants have largely ignored cybersecurity.” Similarly, WSR reported last month that progress in security still lags behind the evolution of threats.
While an “effective program for most firms is neither complicated nor expensive, more than a few readers likely will be surprised by the scope and number of measures required to adequately address these threats,” the report points out.
The authors predict: “Over time, the SEC will develop its own views and policies as to what constitutes industry ‘best practices.’ And while the Commission may struggle to keep pace with rapidly evolving cybersecurity threats, wealth managers will nonetheless have to be responsive to change.”
‘Foolish Notions’
The report’s authors also sought to “dispel upfront two foolish notions about cybersecurity that widely permeate the industry.”
The first foolish notion that many industry executives and owners believe is that cyber threats “can largely be addressed by acquiring the right technology,” the report says.
Although good technology is a “precondition to effective cybersecurity,” the report says: “This assumption ignores that it is almost always the intersection of humans and technology that creates the best opportunities to penetrate cyber defenses, regardless of the technology employed. And the success of any cybersecurity program depends heavily on the behavior of individual stakeholders.”
The second foolish notion is that many industry executives feel it is inappropriate to get involved in either their clients’ or employees’ personal cybersecurity.
However, the whitepaper says: “This notion is analogous to a pig believing that it is inappropriate for it to get ‘involved’ in a ham and egg breakfast. Just as it is the farmer and not the pig who makes that decision, cybercriminals have stripped wealth managers of the option of disregarding personal cybersecurity.”
The Remote Employee Threat
The easiest way to breach “any firm is through its clients and its employees working away from the office,” the report goes on to say.
It pointed to a recent study that found a whopping 82% of all financial services firm breaches were “initiated through employees working remotely.”
The report warned: “Any strategy that does not proactively address the personal cybersecurity of both clients and remote working employees will be ineffective at best.”
Jeff Berman, Contributing Editor & Reporter at Wealth Solutions Report, can be reached at jberman@wealthsolutionsreport.com.