A new study by the North American Securities Administrators Association found only 4 percent of small to mid-sized RIA firms have experienced a cybersecurity attack. And only 1.1 percent of the 440 firms surveyed had experienced theft, loss, unauthorized exposure, or unauthorized use of or access to confidential information.
But others say those numbers are simply too good to be true.
“I don’t believe it for a second,” says Neal O'Farrell, the founder of cybersecurity firm Privide. He notes that across all industries, 80 to 90 percent of businesses have reported incidents and breaches. “It seems like a bunch of people patting themselves on the back, maybe to avoid more regulations,” he added.
Perhaps the biggest reason for the low percentage of reported breaches is that NASAA’s study—which surveyed state-registered investment advisory firms with less than $100 million in assets—relied on self-reported data. Smaller firms often don't have IT staff and may not even be aware of threats on their systems. The firms said they had not been breached, but O’Farrell says companies are many times the last to know if they’ve been hacked, including large national firms like Target and, more recently, Home Depot.
“They [Target and Home Depot] saw nothing,” he says, noting it was only after tens of millions of customer emails were suddenly for sale on the black market that it triggered an investigation and eventual notification. "The notion of saying that we haven’t been hacked because we’ve not noticed a breach is nonsense,” O’Farrell says.
O’Farrell says the lack of detection instills a “very dangerous false sense of security,” especially since 37 percent of the firms surveyed said they don’t conduct any risk assessments to identify threats and vulnerabilities. “If about 40 percent have never conducted risk assessments, how do they know [they haven’t been hacked]? These hackers don’t leave traces.”
“Across all industries, there’s an incredible lack of security,” O’Farrell says. “Most companies are just crossing their fingers and hoping it won’t happen to them.”
The lack of reported attacks can be "misleading and misrepresentative," says Stephen Marsh, CEO of Smarsh, a provider of archiving and compliance solutions. “There really is a big security risk with these small firms,” he says. “In 2014, cyber attacks are one of the biggest threats they face. Financial advisors are not doing nearly enough.”
Another reason for the low number of reported incidents could also be that “data breach” is a very loosely defined term, says John Reed Stark, a managing director at Stroz Friedberg and former chief of the SEC's Office of Internet Enforcement. “I’d be surprised if they haven’t seen even phishing scams, which can be the first strike,” he added.
The RIAs surveyed also are likely to only have a small information technology staff, Stark says, which makes it very difficult for the firms to spot breaches. “I can’t tell you how many times I’ve been at firms and their IT staff is looking right at the remnants of some sort of attack and they’re still very skeptical that they’ve been attacked.”
More concerning, almost one in four firms in the study do not have policies or procedures in place to deal with cyber breaches, according to the survey results. “And the other three [out of four of the firms] have policies that aren’t worth the paper they’re printed on,” says O’Farrell. The financial services industry in particular is focused on “checking the box,” he says, rather than the round-the-clock, vigilant checks that are needed to catch attacks.
Having policies and procedures is the very minimum a financial firm should do, along with conducting regular risk assessments and purchasing insurance, Stark says. “A security assessment is the equivalent of a health check-up,” he says. “Insurance coverage is like health insurance for today’s financial firms. The work streams that result after an incident could cripple a company without insurance.” According to the survey, 67 percent of firms do not currently carry insurance coverage for cybersecurity.
Regulators also are looking closely at how firms are handling cybersecurity, including the SEC’s emphasis on cybersecurity examinations. The SEC’s examination model covers a number of areas, including firms’ policies and procedures, protection of networks and detection of unauthorized activity. “Only a very small number of advisors can meet that threshold,” says Stark. “Security should be better, but you have to believe IT security at firms is going to be top-notch. If it’s not, the firm might have to pay the price.”
And budget concerns are not really a valid excuse. O’Farrell says the best protection against cybersecurity criminals doesn’t necessarily have to be expensive. It’s about vigilance. “Everyone in the firm has to live and breathe security,” he says. And for smaller firms, size can actually work in their favor. The fewer people you have in the firm, the fewer “weak links.”
The lack of security around email is also cause for concern, says Marsh. About 92 percent of these firms are using email to contact clients, but only half are using secure email and only 39 percent are using encryption, he pointed out. “You can do that for free,” he says. “If you look at Target, they’ve taken extensive steps and still got breached and some of these small firms are doing nothing.”
NASAA’s results are from a pilot project based on data from nine states. Additional states and Canadian provinces have been given the survey to administer within their jurisdictions to give NASAA a more complete picture.
The survey attempted to get a real-world, baseline level of knowledge around firms’ policies and procedures regarding cyber security, says Bob Webster, director of communications. The numbers are likely to change based on a larger dataset, but he says he doesn’t anticipate significant deviations.
“There’s a benefit to continuing to bring awareness to the issues,” says Valerie Mirko, NASAA’s deputy general counsel, noting that the project was truly a pilot and captured only 440 firms out of the 17,000 state-registered firms. Mirko called the results “phase 1.0,” adding NASAA hopes to continue the conversation around the data collected and cybersecurity issues.