The data breach that hit Target late last year caused a flurry of concern over cyber security at institutions that hold client and customer information. But large companies such as Target may actually be better off than registered investment advisors—most of whom are small business owners, speakers at an SEC panel suggested on Wednesday.
“I think the risks to IAs, in particular, is kind of scary because one data breach could bring down an IA, I think very quickly because of the kind of notifications and the kind of relationships they have with their clients, and the integrity,” said John Reed Stark, managing director at cyber security firm Stroz Friedberg. “There’s really a direct correlation, as opposed to a retail data breach, where you may still shop there afterwards. But if your money is in custody of someone and they’re handling your wealth and suddenly it’s at risk, you might feel differently.”
Eighty-eight percent of SEC-registered investment advisors have 50 or fewer employees, while 58 percent of them have 10 or fewer employees, said David G. Tittsworth, executive director and executive vice president of the Investment Adviser Association.
“Typically those smaller firms don’t have the resources the larger firms have,” Tittsworth said during the panel.
Some of IAA’s larger members, particularly on the institutional side, are members of the Financial Services Information Sharing and Analysis Center, which shares threat intelligence among its members, Tittsworth said. These larger firms are cooperating with other big players in the industry and government, having robust dialogues about cyber threats and what to do about them.
“These smaller firms—there’s nothing that is equivalent to that,” he added. “I think we need to do more.”
Finding the personnel to handle security breaches is particularly difficult—even for larger firms, Stroz Friedberg’s Stark said. There are no incident response schools you can turn to for recruits, and there are only a few master’s programs on the subject.
“It’s a new breed of professional, and there’s a huge shortage among them,” he said. “So to expect an IA to have some sort of incident response infrastructure in place with personnel is a big expectation, even if they want to.”
One emerging threat, Stark pointed out, is the stealthier cyber attack, where intruders leave no evidence that they were there. This type of attack will be new territory for investment advisors and broker/dealers. The intruders are looking for intellectual property, inside information, or identities of people to use in ways other than just financial.
“Picture it this way: You come home, and you think your house has been robbed; and nothing is out of place and nothing’s missing,” Stark said. “This is what a lot of these attacks are like.”