Top 50 Money Managers

Advisors still have a long way to go on cybersecurity: Study

Ilana Polyak, special to
Financial advisers battle cybersecurity

Since the infamous cyberattack on Sony Pictures Entertainment a year ago, business leaders have noticed an increase in hacks both externally and internally, according to a survey conducted by the auditor PwC.

Globally, the cost of cybercrime is estimated to be upwards of $385 billion and those attacks can and do happen in every type of industry, including financial services.

To that point, almost every financial advisor has a story that goes something like this: An email arrives from a client saying they are traveling and unable to call. However, they need a large wire transfer for a property closing or to handle a family emergency.

These emails contain enough personal details that an advisor might think twice.

Zmeel Photography | Getty Images

It happened to certified financial planner Stacy Francis, president and CEO of Francis Financial. A client was on a plane heading to her vacation in South Africa when a request for a $100,000 wire transfer came in.

"With our client in the air, the thief had carte blanche access to communicate with us, and they were very convincing," Francis said.

Francis' policy is never to authorize disbursement based on email alone. She asked for a written, notarized letter and voice confirmation, because "we know our clients' voices." The thief dropped the matter as soon as Francis made her request.

The CNBC editorial team presents our inaugural list of the Top 50 Money Management Firms.

Cyberattacks against financial advisors are growing and getting more sophisticated. A new white paper by External IT, which provides cloud computing to financial services companies, found that advisors are vulnerable in three areas in particular:

  • Security policy
  • Accountability when moving data
  • Disaster recovery

More sophisticated each day

Gone are the days of emails riddled with poor grammar, misspellings and tall tales of inheritances trapped in Nigeria.

Today, cyber thieves try to gain the "keys to the kingdom" in more convincing ways, said Timothy Watters, a CFP with Watters Financial Services. They might lurk in client emails for weeks or months, absorbing details about the client's life and mannerisms, before they strike.

After all, in the famous words of bank robber Willie Sutton, "that's where the money is."

Cybersecurity top of mind for investment advisors

When client emails are hacked, that breach takes place at the customer level. However, that doesn't mean an advisor is absolved from any responsibility. Most are wary of wire transfers because they're nearly impossible to track down and can easily be moved out of the country. Advisors typically want voice confirmation and may even use a voice password.

But then there are the attacks on advisors themselves. The vulnerability lies in the growing complexity of advisors' back-office operations, said Paul Rojek, technology consultant with Pershing Advisor Solutions.

"You've got performance reporting, portfolio management, client relationship management software," Rojek said. "Hackers are able to exploit the complexity of those systems."

Even the best-laid plans can be compromised, and you have to have a plan — if something gets through, what needs to be communicated and to whom.
Bryan Baas
managing director, risk oversight and controls with TDAmeritrade Institutional

About a year ago, Sheraz Iftikhar, managing partner at Arch Global Advisor, received a call from a client who learned that his personal data had been hacked. The thieves had gone so far as to file a tax return. Because Iftikhar uses portfolio aggregation software to see all his clients' accounts, even if he doesn't manage them himself, he was worried those accounts could be vulnerable.

When he investigated, Iftikhar found that there had been a change of address filed on an investment account and a request for disbursement had gone to Pershing, his custodian, though it had not been carried out.

"They were completely bypassing us and going straight to the headquarters," he said.

Advisors take cybersecurity seriously

How do you make sure your financial advisor is taking cybersecurity seriously?

First and foremost, said Sam Attias, External IT's managing director of financial services, make sure your financial advisor has a cybersecurity policy in place. The good news is that in a cybersecurity sweep conducted by the Securities and Exchange Commission, 83 percent of advisors did have a plan, and more than half of them conduct period audits to make sure they're compliant with their policies.

Where things start to fall apart, however, is that the majority of firms are simply mimicking the standards of outside organizations in developing their policies, the SEC found.

What's more, there is rarely a plan for how clients will be made whole again after a security breach.

Adopting best practices

Strong firewalls, encryption and server security should be a given at every financial advisory firm. But some of the biggest vulnerabilities lie with the behavior of end users, meaning both advisors and clients. Investors should make sure they're adopting best practices on their end so that the money they have with financial advisors doesn't get compromised.

Password strength. Choose passwords that you change frequently. If you talk about your kids and your pets on Facebook, make sure you're not using those names for your passwords.

Don't send sensitive information via email. Never send your advisor an email with your account or Social Security number. If you need to make a transaction, pick up the phone. Consider it a major red flag if your advisor replies to an email like this without first scrubbing out the personally identifiable information.

Be careful of mobile devices. It's easy to place a trade on your phone while sipping a latte at Starbucks, but don't. Never trust a public network with sensitive data.

Don't get annoyed. If your advisor follows up a request for money with a phone call and asks you tons of questions to verify your identity, be thankful that he or she is taking cybersecurity seriously. — I.P.

"If the advisor didn't verify a request [for disbursement] and is acting only on an email, we will hold him or her responsible," said Bryan Baas, managing director, risk oversight and controls with TD Ameritrade Institutional, a custodian for advisor assets.

Another issue to parse out with your advisor is what their disaster recovery plan is. "Even the best-laid plans can be compromised, and you have to have a plan — if something gets through, what needs to be communicated and to whom," Baas said.

Will an advisor provide credit-monitoring services? Will he or she help you untangle instances of identify theft that occur as a result of the breach?

Mounting costs

In September, the SEC settled with St. Louis-based investment advisory R.T. Jones Capital Equities Management for failing to have cybersecurity and recovery policies. The firm stored clients' and other people's personally identifiable information on a third-party hosted Web server without adopting written policies about cybersecurity. The server was attacked, and hackers gained access to the information.

To be sure, cybersecurity can be pricey. Between multiple servers, firewalls, encryption and audits, Iftikhar of Arch Global Advisors estimates his IT costs have soared tenfold in the last five years. There may be no way to get around it. "It's an expense, but it's an expense we have to incur if we're going to protect our clients," he said.

Some smaller firms may try to do cybersecurity themselves with software, but many outsource the security function to a consultant, a cheaper option than hiring a full-time person. "You don't want to be flying solo on this," said CFP Brian Power of Gateway Wealth Management. "Having a computer consultant as part of your firm is probably a good idea."

Is your advisor prepared to handle cyberattacks?

Over the last few years, Power and his partner have been buying up smaller financial advisory firms whose owners are nearing retirement and looking for a succession plan. "That's partly why some smaller firms want to align with us," he said. "They don't have the infrastructure in place to deal with this."

Periodic audits can add even more to the cost, said Francis at Francis Financial.

"We're hiring a separate IT company than the one we use for IT to make sure that we're staying on top of what we need to stay on top of," she said.

As expensive as cybersecurity can be, the cost of skimping can be even more expensive if it results in a data breach.

— By Ilana Polyak, special to