[BreachExchange] Cybersecurity For Investment Advisors: Trust, But Verify
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Sep 30 13:37:32 EDT 2016
http://www.valuewalk.com/2016/09/cybersecurity-investmen-advisors/
As the use of technology in the investment industry increases, so too do
the opportunities for criminals to take advantage of that technology. In
2014, the FBI’s Internet Crime Complaint Center received 269,422 complaints
with an adjusted dollar loss of $800,492,073. Because they often hold large
amounts of assets, financial institutions can be attractive targets for
cyber criminals. In 2015, the Securities and Exchange Commission (SEC)
charged a St. Louis-based investment adviser with failure to establish
cybersecurity policies and procedures in advance of a breach that
compromised the confidential information of thousands of its clients.
Fortunately for investors that work with an investment adviser, there are
ways to greatly reduce the likelihood of becoming a victim of cybercrime.
It all starts with asking the investment adviser a few simple questions. As
Ronald Reagan used to say, “Trust, but verify.” Even investors that trust
their advisers should verify that the adviser has appropriate safeguards in
place to protect their confidential information. There is simply too much
at stake for investors to entrust their money to an adviser with lax
cybersecurity measures.
Starting a Conversation
The following questions serve as a good starting point for the conversation
investors should have with their advisers regarding the firm’s
cybersecurity measures.
1. Do you have cybersecurity policies in writing?
If an adviser does not have written cybersecurity policies, chances are
good it has not adequately assessed or prepared for the threat of
cybercrime. An investor who entrusts his or her money to an adviser without
such policies is taking an unnecessary risk. Following Reagan’s mantra of
trusting but verifying, investors should ask to see their adviser’s
cybersecurity policy and consider whether the adviser’s conduct is
consistent with it.
2. Do you have a privacy policy for clients’ confidential information?
Advisers should have a policy that governs how they will use and store
their clients’ information. In many cases, advisers are required by law to
provide their clients with a privacy statement. As with the cybersecurity
policies, investors should verify the existence of the privacy policy by
asking to see it in writing. Investors should know what their advisers will
do with their information and ensure that they are comfortable with such
practices.
3. Do you encrypt emails that contain personally identifying or
confidential information?
3. In many instances, unencrypted emails pose a risk of being viewed by
unauthorized persons. While that risk might be acceptable for some emails
(e.g. asking a friend about the weather or telling a coworker the printer
is out of paper), for many emails it is not (e.g. asking an adviser to
transfer assets between accounts). If an adviser does not use some form of
email encryption, investors should consider whether the adviser is
adequately safeguarding their confidential information. In verifying that
their advisers use encryption, investors can review past communications to
see if messages containing personally identifying information are encrypted.
4. Do you regularly back up your data?
Ideally, an adviser will regularly and automatically back up the firm’s
data to an on- and offsite location. Further, the data should be encrypted
as it is in the process of being backed up. With all the important client
data they maintain on their systems, advisers simply cannot afford to lose
confidential information by failing to back it up.
5. Do you use some form of password management?
Password management programs can reduce the risk of a client’s confidential
information being compromised due to weak or repetitive passwords. Many
advisers use web-based platforms to deliver advisory services to their
clients. These platforms often require advisers to log in with a username
and password. Some custodians, for example, allow advisers and clients to
log into their websites and execute transactions such as trades and asset
movement. An adviser with weak or repeated passwords increases the risk of
unauthorized persons accessing these platforms. Additionally, investors
should inquire as to whether an investment advisory firm centrally manages
all its employees’ passwords. Even a single employee with weak passwords
can increase the risk that a firm’s data will be compromised. Central
password management mitigates that risk by allowing firms to regularly
change passwords and requiring employees with weak passwords to change them.
Conclusion
Investors place a great amount of trust in their advisers by allowing them
to manage their assets. Despite their trust, investors should still verify
their advisers’ claims about cybersecurity. The first step in that
verification is simple and straightforward. By having a conversation and
asking for documentation, investors can ensure that their adviser
understands the risks of modern technology and has implemented appropriate
cybersecurity measures to address them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160930/e56ccc61/attachment.html>
More information about the BreachExchange
mailing list