
‘We all need to be better’: Financial advisers confront flaws in their security posture

Icicles hang on a Charles Schwab sign January 10, 2001 in Lexington MA. Financial advisory firms face distinct risks tied to cybersecurity. (Photo by Darren McCollester/Newsmakers)

According to the Bureau of Labor Statistics, there were more than 218,000 personal financial advisers operating in the United States as of September 2021. And that number is expected to grow at a mere 5% in the decade between 2020 and 2030, since so many customers rely on automated services.

Such leveling of the profession creates an urgent need to establish trust among customers, which in turn makes a potential breach all the more damaging.

“It’s so important to remember that cybersecurity is a constant risk,” says Nick Santora, CEO of Curricula, speaking to the discreet approach of many financial advisers. “You can’t ‘win’ in cybersecurity. You can only build progress towards a better defense. For financial services institutions and across the industry, many people tried to solve the problem of cybersecurity as if security and compliance were one and the same and responded by implementing technology to check the box.”

In the first part of this series, SC Media examined the increasing threats facing financial advisers. Here, we examine the particular factors that may place financial advisers in a more precarious position, ultimately managing lost business, customer attrition, lost revenue, systems outages and a struggle to win over new customers.

Simply put, said Rodrigo Macias, partner and leader of the advisory services at MGO, a professional services firm focused on cybersecurity, better effort needs to be put toward minimizing risk, because many firms are not in a position to manage the impact.

The inevitable 'level of inconvenience'

Mike Morris, principal with Wipfli LLP, said, “Unfortunately, security often comes with a level of inconvenience,” as it does across various financial channels and services.

“However, tightening email filters, providing users with regular cybersecurity training,” he said, “and using multifactor authentications on all critical applications and remote access can help reduce the risk and the impact that these types of attacks pose.”

Santora points out that technical controls are “extremely important in any security program, but they’re not the ultimate answer.”

“We all need to do better,” he said. “We can’t just buy software or implement technical controls and expect results. We now know that we need better security awareness training which involves the industry working together on understanding the problem from a new angle.”

Sameer Ansari, a managing director and Deloitte's leader of U.S. cyber & strategic risk services for the investment management sector, said that as financial advisers increasingly “rely on technology to further enable and automate their business processes, the cyber threats to their business have also skyrocketed. While cyber threats are similar across financial services, there are differences in how financial advisers see those threats.”

John LaCour, principal strategist with HelpSystems, pointed out that financial advisers often have access to broad client financial portfolios. “Many advisers often communicate with clients via email which is especially susceptible to attackers intercepting those communications,” he said, “and pretending to be either the adviser or client – often resulting in money being misdirected to the attacker.” LaCour adds that many independent financial advisory firms are small and “simply don’t have the resources and expertise to implement a robust cybersecurity program.”

Ansari says that “cyber threats to financial advisers can span the front office [such as] robo-advisers and portfolio management to the middle office like compliance reporting, payments and settlements and risk models [to the] back office with fund accounting, reporting, HR, finance and marketing.”

Financial advisers could easily suffer distributed denial of service [DDoS] attacks during market hours while they may be trading customers’ stocks, or face the threat of malicious insiders working to exploit their settlement. Another potential threat vector, according to Ansari: ransomware or data theft ploys could target the data of high net-worth clients or the trading algorithms used by the advisory service itself.

Prior to the COVID-19 pandemic disruption, most financial advisers were already pursuing digital transformations driven by market needs. Since then, those transformations have accelerated, with advisers adopting public cloud and increasing their commitment to and investment in digital security improvement across cloud, hybrid and on-prem settings.

Ansari says he sees most “financial advisers taking a threat-based view of their digital operations, working to understand how they can create layered security approaches to help mitigate cyber risks and to leverage public cloud adoption to increase digital agility and automation to get their technology platforms to market faster.

“For financial advisers as well as broader FSIs, organizations are continuously looking at ways to reduce the friction that exists between security, fast-paced digital transformations and end-customer interactions,” he said.

This is part two in a three-part series that examines the specific security challenges facing financial advisers, and the approaches they can take to protect networks and data amid unusual times.
