By Susan Barlyn
(Reuters) - Financial advisory firms are so busy trying to prevent computer hacking that they sometimes neglect an equally vital issue: what to do when hackers succeed.
The Financial Industry Regulatory Authority (FINRA), Wall Street's self-funded watchdog, in a February report faulted some firms for having shoddy security policies, including their responses after cyber attacks.
In one case, a firm ignored or missed computer-generated alerts warning of a successful cyber attack. The management woke up only when the hackers attempted to extort money, according to the report.
A firm's response to a breach is as important as trying to prevent one, compliance experts say. Their warnings come as FINRA and the U.S. Securities and Exchange Commission make computer-security preparedness a priority for their examiners to review when they visit firms this year.
Firms must have emergency response plans in place for cyber attacks, just as they would for other business disruptions, such as a fire, compliance experts say. While the largest brokerages typically have manpower to respond to crises, smaller firms often rely on outside professionals.
Wade Chessman, president of Chessman Wealth Strategies Inc in Dallas, subscribes to a service that monitors his systems for viruses. A local company also services his computers.
They would be his first lines of defense to hacking, a response that would likely mirror that of other small firms. "I'd probably scream like a little girl and call them," Chessman said.
A general plan and swift action may satisfy regulators, but technology experts suggest refining the plan well before it is needed.
Small advisory firms that rely on large companies, such as Charles Schwab Corp, to hold clients' assets, should not assume they are immune to hackers. These advisers have other data on their networks that hackers want, such as clients' personal information and emails, said Raj Bakhru, a partner at ACA Aponix, a cyber security firm.
Another common mistake by cyber attack victims is to shut down the computer and reformat the hard drive to wipe out viruses. But that destroys vital information that cyber forensic analysts need to determine whether hackers made off with client data, Bakhru said. Powering off discards what was in memory, and reformatting erases the logs, files and traces on disk that show what the attackers did.
Instead, advisers should first call a forensics firm. Advisers with a thorough response plan retain those companies in advance, said Brian Lozada, information security director for Abacus Group LLC, a technology firm supporting hedge and private equity funds.
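As an added illustration of the point above (example code written for this edit, not from the article or from any firm quoted in it): before anyone "cleans up" a suspect machine, a responder copies the artifacts that matter (mail, logs, suspicious files) and records a hashed manifest of them; the same manifest later shows the copies were not altered and catches exactly the kind of well-meant clean-up the paragraph warns against. File names, file contents and the collector name below are constructed for the demo.

```python
"""Evidence-preservation manifest: hash artifacts before remediation.

Added example, not from the Reuters article. Hashes every file under an
evidence directory into a manifest, then re-verifies the directory against
that manifest so any modified, missing or unexpected file is reported.
The sample artifacts and collector name are constructed for the demo.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record path, size, mtime and SHA-256 of every file, plus a hash over the list."""
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries.append({
                "path": str(p.relative_to(evidence_dir)),
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": sha256_file(p),
            })
    manifest = {"collector": collector, "collected_at": time.time(), "entries": entries}
    # Hash of the entry list itself, so the manifest is tamper-evident once it is
    # stored (or signed) somewhere the suspect machine cannot reach.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(entries, sort_keys=True).encode()
    ).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return a list of problems: 'modified', 'missing' or 'unexpected' files."""
    problems = []
    expected = {e["path"]: e["sha256"] for e in manifest["entries"]}
    for rel, digest in expected.items():
        p = evidence_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    seen = {str(p.relative_to(evidence_dir))
            for p in evidence_dir.rglob("*") if p.is_file()}
    for rel in sorted(seen - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Build a manifest over constructed artifacts, then detect a 'clean-up'."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)
        # Constructed sample artifacts: a phishing mail and an auth log line.
        (ev / "mail").mkdir()
        (ev / "mail" / "phish.eml").write_bytes(
            b"From: attacker@example.test\nSubject: invoice\n")
        (ev / "auth.log").write_bytes(
            b"Mar 3 02:14:07 host sshd[412]: Accepted password for admin\n")
        manifest = build_manifest(ev, collector="jdoe")
        clean = verify_manifest(ev, manifest)        # expected: no problems
        # Simulate the mistake: someone wipes a log to "tidy up" the machine.
        (ev / "auth.log").write_bytes(b"")
        after = verify_manifest(ev, manifest)        # expected: auth.log modified
        return len(manifest["entries"]), clean, after


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is generated before remediation and stored off the affected system; keeping it on the machine that is about to be reimaged defeats the purpose.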
A lawyer who can navigate state and federal laws on when a firm must notify clients of a breach is also critical. Running afoul of these laws can trigger civil and even criminal penalties. In New York, for example, consequences could include a $150,000 fine, said Michael Yaeger, a New York lawyer who advises firms on cyber security issues.
The burgeoning cyber industry even offers cyber insurance, which can help firms offset the tab for those services and also defray expenses for notifying clients and providing credit-monitoring services. Some policies also cover the cost of one very specific kind of expertise firms need after hackers have made off with a motherlode of client data: a public relations consultant.