FA Playbook

Financial advisors: Strengthen your data security practices

The person most likely to compromise your firm's IT systems is probably working for you.

About 70 percent of data breaches involve a compromised user at a given firm, said Craig Watanabe, senior compliance consultant at San Diego-based Core Compliance & Legal Services.

He shared best practices for financial advisors on cybersecurity at the recent Schwab IMPACT conference in San Diego.

Treat cybersecurity as a problem you tackle from the inside. "Providing user awareness training frequently is key to stopping many cyber-attacks from occurring," said Watanabe.

Financial advisors are especially anxious about these risks. The Securities and Exchange Commission has performed sweeps of broker-dealers and registered investment advisory firms to learn more about their cybersecurity practices and governance.

Here are some specific steps advisors can take to protect themselves from hackers — and to overcome a breach, in case it happens to you.

Understand your protocol

Get to know your firm's cybersecurity program: What are the policies and procedures that you currently have in place? What are your risks? How do you mitigate them?

Michelle Jacko, CEO of Core Compliance & Legal Services, suggested hiring an information technology specialist to conduct a vulnerability assessment and take a close look at your internal controls to identify any security gaps.

Understand your program governance, particularly who has the right to access client files, firm data and other books and records. "We need to think about how do we turn off that access," said Jacko. "Do we have the ability to wipe devices and protect clients' information?"

Ensure that your anti-virus software is up-to-date. Make sure that your computers are set to automatically lock out users after a reasonable period of inactivity.

Finally, loop in your employees through training. Be sure to discuss remote access and how to safeguard personal devices. Training on best cybersecurity practices works best when delivered in the context of the employee's home device, said Watanabe.

"They're more engaged," he said. "If they learn those principles of good cyber hygiene, they'll carry it over into the workplace."

Encryption is everything

"Hackers have all of the advantages," said Watanabe. "However, there is one area where defense has an advantage: encryption."

For an example of the power of strong encryption, look no further than Apple's fight with the U.S. Federal Bureau of Investigation as the agency sought to unlock an iPhone belonging to a gunman in last year's San Bernardino attacks.

"The takeaway there is how robust even consumer-level encryption is," said Watanabe. "The weakest link in cybersecurity is the key."

Code-breaking programs can crack an eight-character password in 15 minutes, according to Watanabe. Strengthen your passwords, and consider the use of two-factor authentication.

If they can afford it, firms can use intrusion-detection monitoring to determine whether outsiders have made hacking attempts, said Watanabe. Keep an eye on your firewall logs for unusual activity.

Firms can also use "data honeypots," which are pockets of seemingly attractive data meant to ensnare hackers.

Have a plan for recovery

Let's say that a client contacts you and says that they suspect they've been hacked.

Call your lawyer and determine how best to proceed, said Jacko. You could be dealing with a variety of agencies and legal regimes, including the SEC, state securities regulators and state privacy laws.

Be sure to review evidence from your log files, intrusion detection systems and firewalls with your security specialist to determine whether there has been any suspicious activity in your systems, said Jacko.

When working with your security expert to recover from your data breach, make sure you preserve your evidence.

"There could be litigation or a regulatory inquiry if the customer is harmed," said Watanabe. "Image your system as soon as possible so that you can determine what happened and support your contention if you have to defend yourself."

Don't cut corners on IT expertise. You'll need to clean your systems and get rid of any vulnerabilities hackers may use as a back door into your system in the future, said Watanabe.

"This is why you need good external help to eradicate the problem," he said.