There's a big threat looming for investors — and their wealth managers — that is getting increasing attention: cybersecurity risks that can cost millions of dollars. Regardless of the firm's size, breaches can occur through social engineering, wire transfers and on mobile devices as hackers get more sophisticated.
While clients assume their financial information is protected by their fiduciary advisors, not all firms have taken the proper steps to ensure their data is safe.
Today, financial advisors are not only being watched by cybercriminals, they're also being watched by the regulatory agencies to see how they're handling the threat.
In the Financial Industry Regulatory Authority's (FINRA) annual Regulatory and Examination Priorities Letter, published Jan. 5, the agency identified cybersecurity as a technology management issue under the priority area of supervision, risk management and controls.
The letter states: "FINRA will review firms' approaches to cybersecurity risk management, and depending on a firm's business and risk profile, we will examine one or more of the following topics: governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training."
The Securities and Exchange Commission has also listed cybersecurity as a top priority in its Examination Priorities for 2016 notice because at least 74 percent of advisors have been a target of a cyberattack, according to a recent SEC examination.
Last September an investment advisory firm agreed to settle charges by the SEC that it failed to establish required cybersecurity policies in advance of a security breach that compromised customer data. The firm was fined $75,000 by the SEC, which explained that the breach compromised the personally identifiable information of about 100,000 individuals, including thousands of the firm's clients.
The financial cost of a cyberattack can be stunning and can decimate an investor's portfolio.
A current hot-button issue related to cybersecurity in the financial advising industry is wire fraud, said Michael Kitces, a certified financial planner and director of financial planning for Pinnacle Advisory Group.
Cyber thieves are contacting advisors, pretending to be clients on vacation, claiming they've been robbed and requesting a wire transfer immediately, he said. Fraudsters are hacking into clients' personal emails and looking through their Sent files to gain financial information, and contacting the advisors with phony requests.
"This problem has been ramping up more and more," he said. "This type of fraud is designed to put the advisor in a high-stakes situation — How do you refuse a request from a client in need? As a result, advisors are saying, 'If you ever need a wire transfer, I will call you to confirm.'"
Other big cyberhacking vulnerabilities include downloading files, sharing computers and using mobile devices.
"It needs to be recognized that neither clients nor advisors have the necessary technical knowledge to understand common risks and how to counteract them," said Peter Palion, a certified financial planner and a registered principal with United Planners Financial Services. According to Palion, common cybersecurity risks include:
- Downloading PDF files without realizing a temporary copy remains on the computer, and not knowing how to clear the cache.
- Using one computer for the whole family — and the kids downloading malware.
- Not realizing that their activities leave traces on their mobile devices.
"On top of all that, most of the stuff we need to keep track of is on the Internet itself, such as password managers," Palion said. "Look at account aggregation — everything is in the cloud. Neither service providers nor broker-dealers are providing guidance to advisors or clients."
Considering the risk clients face, it's important they question their advisors to find out what cybersecurity measures they have in place, said Michelle L. Jacko, founder and CEO of Core Compliance & Legal Services, a compliance consultation firm that serves the investment industry.
"They should ask, 'What are you doing to protect my information? Is it vulnerable if an employee leaves? What should I do myself?'" she said.
Ideally, firms should have hired an IT specialist who has conducted a cybersecurity audit and developed a cybersecurity plan that includes procedures on what to do if victimized by an attack, said Jacko. In addition, they should have trained employees to detect identity theft and should carry cyber liability insurance.
Many money managers are aggressively taking action against hackers. Take Jorge Padilla, CFP and client advisor with Lubitz Financial Group. He has implemented a variety of measures and has even hosted a recent public webinar on cybersecurity for clients and friends.
"We implemented a written information security program that has been incorporated into our policies and procedures to create more clear guidelines on measures we take internally to protect confidential information," he said.
"We also have implemented an online secure vault for sharing confidential information to clients," he added. "This vault is part of our online My Money Life client portal, where clients can see their accounts as well."
In addition, his firm relies on its custodians to provide support and advice on how to best handle any ID theft or breaches on their accounts and websites.
Linda Lubitz Boone, CFP and president of Lubitz Financial Group, shares some of the measures her firm has undertaken to safeguard against data breaches:
- Detecting unauthorized access.
- Reviewing and ensuring business risk is addressed in business compliance procedure.
- Compiling a list of vulnerable vendors (those with access to confidential client data) and verifying that they have information security programs.
- Obtaining cybersecurity insurance in conjunction with E&O insurance.
- Addressing screen-sharing protocols.
- Including lost phones or laptops as potential breaches in attestation and policy.
Cybersecurity is front and center for Steven J. Stanganelli, CFP and principal at Clear View Wealth Advisors. "When I talk with [clients and prospects], I disclose how I deal with security of client data right up front," he said. "I explain to them that I will provide them with a dedicated and secure client folder accessible through Citrix ShareFile, where sensitive information can be shared."
As part of the planning process, Stanganelli also uses MoneyGuidePro software and encourages clients to link their accounts using the Yodlee integration tool, which, he noted, boasts the same level of security used at banks. "Both clients and prospects appreciate it when I mention this," he said. "Many will comment on their concerns about ID theft, especially highlighted during tax season, when there were security breaches reported by the IRS."
Stanganelli's firm also uses encrypted and password-protected hard drives and keeps sensitive equipment in locked offices.
Karl F. Frank, CFP and president of A&I Financial Services, said his firm uses a program called Security Snapshot to monitor all of its other software and make sure it is always up to date. The program issues an alert to take action if a piece of software has not been automatically updated within the first 24 hours.
In addition, "we have different team members perform the audits of each other to make sure we are in compliance with our processes," Frank said.
The bar has been raised, said Jacko. While there are no regulatory changes pending, expectations are higher and so are consequences.
"The first thing the regulators look for is if you have a cybersecurity plan in place. If you have one, it has to be well thought out and effective," she said.
She added: "I think you'll see increases in regulatory actions, such as audits and fines. Not only that, a poorly protected firm may be on the hook for paying the client back for any losses."
— By Deborah Nason, special to CNBC.com