In the wake of the Equifax hack, are you confident your clients’ data is walled off behind sufficient cyber protections?
If most advisors answered honestly, the answer would be no, says Brian Edelman, founder of cybersecurity consulting firm Financial Computer Services in Bloomfield, New Jersey.
“What we’ve noticed is, nobody does this,” Edelman says, based on his encounters with firms that have been operating without adequate cyber defenses for years.
Advisors have become accustomed to outsourcing general tech support and compliance functions. But, he says, firms rarely elevate cybersecurity to the same level of importance, in terms of both budgeting and strategic planning.
Edelman’s clients, which range from single-advisor RIAs to custodians and broker-dealers, retain Financial Computer to keep an array of cyber protections functioning and up-to-date.
If the fear of hackers themselves isn’t enough to persuade advisors to shore up their cyber moats, they should realize they can be held liable if they aren’t in compliance with their own state’s so-called “safeguards” provisions, Edelman says.
Edelman offers the following list of basic protections that most advisors need in place to comply with each state’s rules:
1. Whole-disk encryption. If an advisor loses a laptop or desktop computer through accident or theft, this feature keeps the data on its drive unreadable to anyone who does not hold the encryption key or the passphrase that unlocks it, so the lost hardware alone does not expose client data. While it’s a feature of many operating systems, Edelman encourages getting professional help. “Not that you can’t do it yourself,” he says, “but it’s just not as easy as pushing a button.” IT security companies like Symantec and Sophos sell disk encryption products. Edelman’s firm uses one by the latter called SafeGuard. But it also manages the operation of whatever product an advisor’s BD or parent company uses.
2. Secure messaging. Email encryption protects the contents of a message both while it is in transit and once it is sitting in the recipient’s mailbox. “Most of the time we find that the BD or the financial institution who the BD is related to is offering it, but the advisor isn’t using it,” Edelman says. “The key is not to replace anything that’s there, but to have a full toolset.” Secure messaging is a candidate for the single most important cyber protection, in Edelman’s view.
3. Cyber monitor. This software watches a computer or network for signs of intrusion and alerts the firm when it detects one. “There are a lot of commercial products that vendors might use,” Edelman says. However, “when you get to this level of cybersecurity, the names are not as familiar,” he says. “These are typically things not purchased by a consumer. They are usually purchased through a vendor.”
4. Managed antivirus program. Malware infections often go unnoticed; this software detects and blocks them, and a vendor keeps it updated rather than leaving that to the advisor. Companies can take on viruses not just through email, but by misspelling a domain name and landing at the wrong website, Edelman says.
5. Corporate firewall. Many firms are only using standard firewalls that are provided by their cable providers, according to Edelman. “That’s not going to cut it,” he says, when it comes to staying in compliance with regulatory safeguard provisions.
6. Multi-factor authentication. By now, most people are familiar with this security tool: When you log into your email or other password-protected account, you also have to enter a one-time code retrieved from your mobile phone to complete the process, so a stolen password alone is not enough to get in. “This is the new player in this place [although] it’s been around for a while,” Edelman says. New York State’s influential regulator, the Department of Financial Services, cites the high importance of this safeguard, he says.
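For readers who want to see what sits behind the one-time code in item 6, the following is an added example, not code from the article or from Financial Computer Services. It implements the TOTP algorithm (RFC 6238) that authenticator apps use to generate the code, and the server-side check that accepts it. The shared secret is the RFC’s own published test key, used here as constructed input; the one-step drift window, the `TotpChecker` replay guard and all function names are this example’s assumptions, not anything the article prescribes.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Secret shared between the server and the phone app (normally provisioned
# via a QR code). This is the RFC 4226/6238 reference test key, i.e.
# constructed demo input, never a real credential.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds each code stays valid; the usual default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then 'dynamic
    truncation' to a short decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps.
    The phone app runs exactly this with its own clock."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1,
                digits: int = 6, step: int = TIME_STEP) -> Optional[int]:
    """Server-side check. Tries the current step plus `window` steps either
    side to tolerate clock drift (assumed tolerance). Returns the counter
    that matched, or None. Comparison is constant-time to avoid leaking
    how many leading digits were right."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return counter + drift
    return None


class TotpChecker:
    """Remembers the last accepted counter per user so that a code captured
    by a phisher cannot be replayed inside the drift window (RFC 6238 s5.2).
    Hypothetical helper; a real deployment would persist this per account."""

    def __init__(self) -> None:
        self._last_counter: Dict[str, int] = {}

    def check(self, user: str, secret: bytes, submitted: str, at_time: int) -> bool:
        matched = verify_totp(secret, submitted, at_time)
        if matched is None or matched <= self._last_counter.get(user, -1):
            return False
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    checker = TotpChecker()
    print("code the phone would show:", code)
    print("first use accepted:", checker.check("advisor", DEMO_SECRET, code, now))
    print("same code replayed:", checker.check("advisor", DEMO_SECRET, code, now))
```

The second factor is only as strong as the secret's storage: the server must keep each user's key as carefully as a password hash, and the drift window should stay small, because every extra step an attacker is allowed to guess multiplies the number of valid codes at any moment.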
These tools, which are evolving as rapidly as are hackers’ strategies, are meant to operate together, Edelman says. “With the absence of any of them,” he says, “you are putting data at risk.”
On March 1, the state of New York upgraded its own security rules. As a result, Edelman expects other states to follow suit and tighten their own, upping the ante over this issue for advisors.
Advisors tend to be most keenly aware of the value of strong cyber protections when they face a real security threat. For example, Edelman says, if you lose a laptop and can prove to regulators that it was covered by whole-disk encryption, “there’s no breach event,” or loss of control over client data for any period of time.
If an advisor can’t prove the data was protected, he or she must report the breach event to regulators, he says, and potentially suffer damaging consequences. Says Edelman, “It’s just that black-and-white.”