Wealth management companies are collecting more data about clients than ever before, intending to transform how advisors serve clients.
But in the wake of BlackRock’s massive data leak, questions arise about how well financial services firms are securing sensitive data. With the responsibility of securing client data resting on RIAs, navigating a complex world of increasingly complicated partnerships between firms can be tricky for advisors, as breaches come with crippling consequences.
In BlackRock’s leak though, advisors found themselves exposed. The fund giant inadvertently released information on thousands of financial advisors, including names and email addresses of advisors who buy its ETFs on behalf of customers. LPL Financial was hit the hardest by the leak with 12,000 of its advisors affected. Envestnet —
Data breaches hit a record
SEC Chairman Jay Clayton committed to increasing advisor reviews to respond to media and Congressional criticism that the agency needs to enhance industry supervision, adding that cybersecurity will remain a top concern.
“Cybersecurity protection is critical to the operation of the financial markets,” the agency wrote in its
Regulators are also handing out penalties for cyber oversight missteps.
RIAs need to start with the data, says Heidi Shey, principal analyst with Forrester.
“Understanding the value of data to the business and how sensitive data needs to be handled can go a long way towards building a stronger culture of data security across the company,” she says.
Elevating data awareness among the workforce can help people make better decisions about data use and handling, Shey adds. “Ask who needs access to this data and why. Limit access to those who need it to do their job, and determine the appropriate handling and protection for this data to fulfill those needs and other necessary requirements.”
For BlackRock, the problem began when an employee tried to post sales-related information to an internal CRM-related system, according to the firm, but posted it on
The spreadsheets also showed the amount of assets each advisor managed in iShares ETFs. For example, one spreadsheet categorized advisors as “dabblers” or “power users,” apparently in reference to how much of the firm’s ETFs the advisors use on behalf of retail clients. One column noted their “Club Level,” including the “Patriots Club” or “Directors Club,” according to Bloomberg, which reviewed the spreadsheets.
“Advisors are going to want to know how BlackRock is fixing this and what might still be potentially out there and at risk,” says Wes Stillman, CEO of the cloud-based cybersecurity firm RightSize Solutions.
“The inadvertent postings occurred due to human error,” a BlackRock spokeswoman says. “There was no security breach and no compromise of BlackRock systems.
“The information was industry-standard, CRM in nature, and was used by our sales teams in service of those advisors,” says the BlackRock spokeswoman. “No information about financial advisors’ end clients was included. And no sensitive personal or financial information about advisors or anyone else was included.”
The world’s largest asset manager says it determined the issue is limited in scope, after performing multiple systematic reviews of the hundreds of thousands of web pages and reports on its website, according to the spokeswoman.
“This breach is relatively minor in scale compared to some of those that have hit headlines,” says Julie Conroy, research director at Aite Group. “But certainly no less damaging to BlackRock’s relationship with its advisors.”
Although the data is mostly publicly available in FINRA BrokerCheck records, the leak may still be harmful. The advisors impacted will be at heightened risk of spear phishing attacks, since their names, email addresses and employers are now likely for sale on the dark web, Conroy says.
To its credit, BlackRock has taken all the right steps to remedy the situation, says Conroy. Too often firms prolong their time in the headlines by eking out information, or poorly handling remediation to affected parties, which only prolongs the time they are in the negative spotlight, she says.
“An important thing to do post-breach is to make sure to acknowledge the full scope of the breach, apologize, and deploy controls to ensure it doesn’t happen again,” Conroy says.
Third-party vendors are also a worry for RIAs that use outsourced products, says Stillman. “The data is not in a server in a closet somewhere like it used to be,” Stillman says.
Even if they don’t understand the technology entirely, RIAs still need to trust their gut, Stillman advises. “Advisors have to depend on a third-party vendor meaning due diligence becomes absolutely critical. If the risk level is too high, advisors have to walk away.”