Our industry talks a lot about professionalization, but when it comes to even the basics of cybersecurity, there is so much more that needs to be done.
The 2023 Advisor Software Survey from Inside Information and Technology Tools for Today found that fewer than a quarter of advisors use cybersecurity software, while about 83% make use of financial planning tools. The survey gives us a good example of how advisors prioritize cybersecurity, relative to other parts of their tech stack. And while a bigger industry-wide spend on cyber defense can only help, this is as much a problem of human behavior as it is of software. Firewalls and encryption can only do so much without people and process.
In other words, people who steal sensitive client data aren’t usually hackers taking advantage of sophisticated exploits. It is more likely they took advantage of internal lapses in procedure, or ineffective management of employee access to data.
Better Data Hygiene
In my experience, one of the most cost-effective ways for RIAs to mitigate the risk of cybersecurity breaches is to evaluate policy, and the way advisor technology intersects with policy. In other words, start asking questions like, “How frequently are passwords changed?” “Are there distinct roles and access levels defined for different logins, or does everyone get to see everything?” and “How is the access of departing employees handled and revoked?”
These are questions for your vendors, but they’re questions to ask yourself, too. The answers can help you build a culture that brings cybersecurity into your day-to-day operations and decision making.
If you’re still not sure where to begin thinking about cybersecurity, look at points of transition with your business data. If you migrate from one CRM solution to another, you need to make sure that no data or vulnerable logins remain on the legacy system. When you back up data, your backups need to be at least as secure as the source. Your primary tech tools can have all the security in the world, but that won’t help if your data is backed up to an unprotected environment. And bad actors know it, too: an IBM study released this year found 82% of breaches involve data stored in the cloud.
Avoiding More Homework From Regulators
Why should you go to the trouble of investing money or time into mitigating cyber risk? There’s an obvious answer: RIAs literally manage the entire financial futures of their clients. You should defend their data as vigorously as you defend their financial portfolios. But if that isn’t a strong enough motivator, consider this: if you don’t take cybersecurity seriously, the SEC will force you to. On their terms.
This year, the SEC mandated that public companies must disclose breaches within 4 business days of the event. It can take weeks, if not months, for a business to understand the full impact of any breach. Too bad, say the regulators. Move fast and fix things. The people financially impacted by data breaches need and deserve protection and a swift response when things go wrong. The point I’m trying to make is that regulators will step in and impose costs and burdens if they see the need for them. And sometimes, those costs and burdens can cripple a business. Do some research on the recent history of independent advice in my home country of Australia if you need convincing. Trust me, you would rather have an ounce of prevention than a pound of cure.
Data is not a byproduct of an RIA’s work. It is an asset to be cultivated and protected. As our industry matures, many advisors are now waking up to the value of their data. I hope we are devoting just as much enthusiasm to the training and day-to-day data hygiene that help safeguard that data.
Adrian Johnstone is CEO of Practifi.