When your vendor is hacked, doing nothing won't cut it
If the NSA, Equifax and the SEC are all within cyberhackers' crosshairs, it’s safe to assume that financial advisors are fair game for a potential breach, too.
Even firms that believe they are too small to matter should think again. If a cyberattack happens at the firm's outsourced CRM partner, portfolio management vendor or custodian, and clients' personal information is compromised, where is client going to turn first to demand an explanation?
Advisors need to act swiftly when there’s a cybersecurity breach. 'Doing nothing’ is simply not an option.
REMIND CLIENTS ABOUT CYBERSECURITY POLICIES
Advisors can use recent headlines to reiterate their own cybersecurity policies and procedures. If news on cyberattacks prompts the firm to make internal operational or IT adjustments, explain this to clients.
"Though clients do not need to be updated on every cybersecurity milestone or upgrade, advisors should know how their hired vendors are staying on top of these issues.”
For example, advisors can remind clients what to expect in firm emails. This could mean reviewing the type of information that is — and is not — shared via email. Just as advisors might be targets of a breach, they might also be impersonated for a phishing attack on their clients. Advisors should spell out the steps clients should take if they receive a suspicious email or phone call from the firm.
Additionally, RIAs may decide to ask for extra identification to validate requests for transactions via telephone. They may also begin flagging large withdrawals and following up to confirm transactions are legitimate. These changes should be communicated to clients along with a brief explanation.
STAY ON TOP OF THIRD-PARTY SECURITY
Clients expect RIAs to use technology partners that will facilitate the wealth management process and safeguard their personal information for the duration of the relationship. In turn, advisors should demonstrate that they have taken care in choosing vendors that place a premium on cybersecurity.
While RIA custodians do a significant amount risk assessment of their technology providers, advisors should not lean solely on custodians as a safeguard. This is particularly true of vendors that fall outside of a custodian's technology offering and as a result, may not be vetted to the same rigorous standards.
In the wake of cyberattacks at Equifax and EDGAR, SEC Chairman Jay Clayton makes an unusually lengthy statement appealing for RIAs to bolster security.September 21
Most advisors don’t have required safeguards in place, one expert says.September 28
Conducting ongoing due diligence on third parties is critical. Advisors should periodically ask their vendors the following questions: Is my data stored in the U.S.? How are you encrypting data in motion, at rest and in use? What information do you pass along and is it on a need-to-know basis?
Additionally, RIAs should demand daily communication from their vendors on cybersecurity enforcement. Though it may require additional work on the vendor's part, asking to see certain reports is not an uncommon request. For example, advisors should be reviewing access logs, back-up reports, change logs and SOC reports, as well as results of vulnerability testing and assessments.
Though clients do not need to be updated on every cybersecurity milestone or upgrade, advisors should know how their hired vendors are staying on top of these issues in the event of a breach or crisis.
REMIND CLIENTS TO GUARD THEIR PERSONAL INFORMATION
Wealth management is as much about information protection as it is about financial planning and asset management. RIAs are entrusted to manage hard-earned assets to achieve financial goals, and to protect against downside risk, and today that includes managing risk of fraud or cybertheft.
This dialogue can be part of the progression of the client-advisor relationship, and can be a differentiator for the firm. While communicating with clients about the firm's cybersecurity protocols, RIAs can also educate clients on how to act online to keep their information safe.
Throughout these discussions, advisors can convey confidence and make suggestions without getting overly technical or becoming their clients' IT help desk. This might mean talking about firm cybersecurity efforts and then transitioning into, "Here's some things you may want to consider..." or "How do you store and keep track of passwords? Here's what we do here..." or "No one at our firm can access your account unless they are using a firm-authorized device that is heavily protected. How do you access your account with us?"
COMMUNICATE BEFORE IT’S TOO LATE
Since hacks come without warning and can go unreported by vendors for some time, it is in RIAs' best interest to be in regular communication with their clients about their cybersecurity policies and protocols. Do not wait until a breach to communicate with your clients. By then, your message may be too little, too late.
Instead, offer cybersecurity updates as a part of the normal workflow of doing business.
A word caution here: take care not to over-communicate on cybersecurity, either. Proactive client updates should happen throughout the year, but no more than quarterly.
Given the recent headlines, RIAs should examine their cybersecurity policies and procedures to safeguard against security breaches. Most people understand that cybersecurity management is hard. What they don’t accept is complacency, especially from the firm or individual they’ve entrusted to manage their investments and family wealth.