The recent regulatory sweeps around cyber security by the Securities and Exchange Commission and FINRA are starting to hit financial advisors, and many, especially smaller practices, are not prepared for it.
On June 10, Donald J. Kalil, president of Wilmington, Del.-based Affinity Wealth Management, which has about $300 million in assets, received the SEC’s seven-page questionnaire seeking information about his firm’s cyber security procedures. He had two weeks to complete it.
“I dropped everything,” he said. “It looks like it’s for large organizations, cause I can’t imagine a small organization being able to address all the issues that they’re asking for.”
For example, one question asked how often the firm checks for attacks on its systems and how it documents them. Kalil said they check weekly, but they didn’t keep a record of the attacks. He does now. In fact, Kalil had to bring in an internet technician to help secure their systems and to help answer the questionnaire.
But many advisors may not have the resources in-house to meet regulators’ expectations. And securing their systems is going to require outside help and a hefty investment.
“It’s just way too much for a typical advisor to handle,” Kalil said.
“The typical IA is going to have one or two IT people, and that questionnaire is essentially one that even a giant b/d conglomerate would have trouble relating to,” said John Reed Stark, managing director at cyber security firm Stroz Friedberg and former Internet enforcement at the SEC.
The questionnaire went out to around 50 b/ds and RIAs, the SEC said, but Stark doesn’t believe it’s simply a request for information to get an idea of what advisors are doing. In his recent conversations with them, SEC staff members told Stark that the preliminary results of the sweep were poor.
“They’re not just going to sit on a bunch of poor responses and say, ‘OK, isn’t that interesting?’” Stark said. “They’re either going to bring enforcement cases, or they’re going to do rulemaking. And I don’t see how you can do rulemaking in this space because technology is ever-changing.”
The typical 50-60 person firm with two locations can expect to spend a couple hundred thousand dollars to secure their systems, Stark said.
But the costs associated with a data breach could be even greater. It could run $200 per compromised record to recover from a data breach, said Neal O’Farrell, CEO of Privide, which provides automated monitoring, security tools and personal consultancy. So if you’ve got 5,000 client records, that’s $1 million.
“Everyone is going to have to step up their game here and bring in someone from the outside to help secure their systems better than they are right now, and I don’t think individual advisors can do that on their own,” Kalil said. “So bottom line is, they’re going to have to pay up for additional security. That’s a given.”
Kalil’s firm decided to purchase cyber security insurance because the SEC asked whether they maintained it in the questionnaire. He received quotes for annual premiums ranging from $1,100 to about $2,500. One policy ($2,500) included $1 million in a privacy and data breach aggregate limit, breach notification costs included (within the limit), $1 million in credit monitoring service costs, $1 million in computer forensics costs, $100,000 for regulatory action, $50,000 in crisis management and public relations costs, $25,000 in PCI fines coverage, and $5,000 in retention.
Cyber insurance is one of the fastest-growing areas of underwriting right now, Stark said. Yet, only 20 percent of advisor firms have purchased or are considering purchasing a cyber security insurance policy, according to the 2014 Investment Management Compliance Testing Survey, released by the Investment Adviser Association, the ACA Compliance Group and Old Mutual Asset Management.
Like life insurance—where you have to get a physical before getting a policy—insurers will look at what systems you already have in place to combat threats, and premiums will be based on that, Stark said.
Why Are Advisors Vulnerable?
Cyber crime is a growing threat to high-net-worth and affluent individuals in particular, O’Farrell said.
“With more affluent clients, it used to be that they were almost completely immune to crime: They lived in better neighborhoods; they lived in gated neighborhoods; they lived in areas where there was more police,” he said. “With the new generation of malware, now these crooks don’t have to come to your neighborhood. They can be from the other side of the world. And they’ve got so many advanced tools.”
Also, the type of information the affluent have is more valuable to criminals, O’Farrell said. It’s not just credit card information or Social Security numbers they’re after. It’s access to bank accounts and secrets—information that could be sold or ransomed back to protect the individual’s reputation.
“So it kind of pushes financial advisors and wealth managers right to the top of the heap because they are like small enterprises with no security. You can attack a financial planning firm or you can attack a wealth management firm with one piece of malware or a phishing email, a spear phishing email. They’re very unlikely to detect it, very unlikely to stop it.”
Advisors are aware of identity theft and cyber crime, but they’re not doing enough to act on it, O’Farrell said.
“They’ll tell you, ‘I have anti-virus software in place, and I use LifeLock or I recommend LifeLock to my clients,’ as though that will provide any protection against these crooks.”
Seventy-eight percent of investment advisor firms don’t benchmark to a specific industry IT security/control framework, according to the Compliance Testing Survey. Of the over 350 responding firms, two-thirds of firms lack a standalone cyber security policy. In addition, 80 to 87 percent of firms have not adopted a formally documented incident response plan, while 66 to 69 percent of firms lack a formal intrusion detection program (managed internally or externally).
How do advisors stay on top of cyber security? The SEC’s questionnaire, perhaps, is a good place to start.
“Layer your practice in security, with a special focus on employees and data,” O’Farrell said. “Security must be built in to every decision, action, and discussion.”
Talk to your clients about security, O’Farrell suggests, and let them know what you’re doing to protect them and what they could do to protect themselves. That candid conversation builds confidence and trust. And you’re more likely to be forgiven if an incident occurs.
“When you experience a data breach, you’re the victim, but everybody treats you like you’re the criminal,” Stark said.