Cyber theft is the fastest-growing crime in the U.S., and cost the global economy more than $450 billion in 2016, with more than 2 billion person records stolen.
By 2021, cyber crime damage costs could hit $6 trillion annually, according to a report by Cybersecurity Ventures.
And companies are experiencing larger breaches, reported IBM. The average size of data breaches increased 1.8 percent in 2017 to more than 24,000 records, according to its 2017 cost of data breach study.
Financial advisors are increasingly aware of this threat, with 81 percent saying cybersecurity is a high priority. Yet, just 29 percent say they are “fully prepared to manage and mitigate the risks associated with cybersecurity,” according to a study released last September by the Financial Planning Association’s Research and Practice Institute.
However, just in the past year, advisors have been upping their security, said Dan Skiles, president of Shareholders Service Group and a past national board member of the FPA. Not only because of what they’ve seen in the news, but also because some large firms have taken hits and witnessed fraud attempts firsthand.
“The first thing I remind advisors is that … everybody is on the playing field,” Skiles said. “There’s no spectators in this game, so an advisor cannot be sitting there thinking ‘well I’m glad my IT firm is on this’ or ‘I hope my technology expert is taking care of this,’ because the reality is these cyber security attacks can happen to anybody within the firm.”
The difficult part about cybersecurity is that the process matters more than the technology, Skiles said.
“Advisors can spend thousands of dollars on great technology infrastructure … but if one of their associates doesn’t follow the rules … and they inadvertently click on a defective link, or they inadvertently respond to a fraudulent email, there’s no tech spin that’s going to protect you from that.”
Staff training and technology go hand in hand in fighting off hackers, he said. Yet about one-third of employees aren’t receiving any training related to cybersecurity, the FPA study found. And for the employees that do get trained, the average team member receives less than two hours of training per year.
Another important security measure to implement is keeping systems updated, Skiles said.
“The bad guys use old software to get in,” he said. “They really focused on computers that were not updated, and they used those previous discovered holes to get in.”
Many employees ignore update requests or expect someone else to do it for them. However, if an overdue update is ignored for too long, hackers can get in. Instead, systems should be regularly updated.
Also, attention should be paid as to how data is actually stored on these systems, said Ben Mathis, chief information officer at Carson Wealth Management.
Client information should be protected by a strong password that is regularly changed, and sensitive information encrypted and backed up.
Skiles of Shareholders Service Group said advisors should use outside consultants and technology companies to ensure they have the best systems installed.
“Is one the firm simply purchased at its local technology store, or did it work with an IT provider to purchase one that has a little more horsepower behind it, a little bit more security protection, designed for a business?” he asked.
Another easy rule to follow is to never make a transaction on a client’s behalf based on an email. Email can easily be hacked. Instead, phone clients to confirm their instructions.
If a security breach does occur and information is compromised, an advisor is responsible for properly notifying all affected clients, as well as those who could possibly be at risk, said Mathis at Carson Wealth Management.
The advisor could face liability issues, as well as potential reputation risks due to an incident, he added. Policies and procedures to ensure proper handling of such incidents should be in place.
Overall, a financial advisor can never be “finished” with cybersecurity.
“This is an ongoing battle,” Shareholders’ Skiles said. “Cybersecurity is not something that you can say ‘OK, we’ve taken care of that, and now we can move on’.”
For their part, clients should be having meaningful communication with their advisors about cybersecurity. They should ask how and where their advisor stores data, how it is protected, which systems are being used and whether they can review the advisor’s information security policy.
However, to have meaningful conversations with advisors, clients also must see cybersecurity as a top priority. Although the FPA survey found that advisors think only 11 percent of their clients are “very aware” of the general risks associated with cybersecurity, both Mathis and Skiles said clients are becoming increasingly concerned with the issue.
“We are hearing from more and more clients asking questions about the provisions that we have in place to protect their information,” Mathis said. “The coverage that recent breaches have received in the press has helped to raise awareness with clients.”
Bottom line: The sophistication and frequency of the cyber-attack attempts that firms have seen continues to grow, Mathis said. Educating both advisors and clients about the risks and methods that attackers are using is one of the most effective ways to prevent a breach.