More financial advisors are upping their cybersecurity, insurance ante

Here's another line item for your "things to discuss with my financial advisor" checklist: cybersecurity.

With the financial services industry consistently considered a prime target for cyberattacks, some financial advisors say the electronic safety of personal data and assets should be part of the client-advisor conversation.

"I think clients should be asking questions about whether [their advisor] has thought about cybersecurity and has set up policies and procedures to mitigate the risks," said certified financial planner Abe Ringer, principal and founder of Breakwater Financial.

"The steps we take to address cybersecurity issues are as important as anything else we do for our clients," Ringer said.

While data on the frequency of advisor-targeted cyberattacks are hard to come by, the broader financial services industry was the third-most-targeted industry for cyberattacks in 2015, dropping from first place in 2014, according to IBM research released last year.

Meanwhile, a study released last September by the Financial Planning Association's FPA Research and Practice Institute shows that although 81 percent of advisors say cybersecurity is a high priority, just 29 percent say they are "fully prepared to manage and mitigate the risks associated with cybersecurity."

The research, sponsored by TD Ameritrade Institutional, also shows that just 36 percent of advisors say their teams "fully understand the issues and risks" related to cybersecurity.

While perhaps in the minority, Ringer is among those advisors who count cybersecurity among their priorities. For starters, he pays a firm that specializes in IT and network security to protect his office system with a strong firewall and 24-7 monitoring.

"This stuff is so complicated, and it's really not something anyone should try on their own," said Ringer, who launched his own firm last year and runs a small operation.

Among other safeguards, he requires verbal confirmation for client transactions and he never uses Wi-Fi in a public place.

"Clients trust us with a lot of information, and we have to keep it safe and be good guardians of that information," Ringer said.

Even one of the simplest forms of communication between advisor and client — an email — is vulnerable to cyberattack.

CFP Michael Resnick, senior wealth management advisor at GCG Financial, said that any time he sends sensitive data to clients via email, he sends it encrypted to add a layer of protection. While it adds a step to a client's ability to access the email's contents or its attachments, Resnick says it's worth it.

"As a client of mine [who works in cybersecurity] describes it, an email is the modern-day version of a postcard," Resnick said. "Anyone can read it."

Often, sensitive client information resides on a personal finance website that aggregates client data from different banks, credit cards, brokerage accounts and the like. While no transactions take place through these third-party-run personal portals, a cyberattack could compromise client data and potentially lead to financial losses due to identity theft or other criminal activity.

Ringer, for his part, decided to add an additional layer of cyber protection for his clients by turning to insurance.

While many advisors carry "errors & omissions" insurance to cover them from various forms of liability, Ringer has gone a step further into relatively uncharted waters by purchasing a cybersecurity rider on his E&O policy.

For starters, the additional coverage limits his liability if his clients' private data — such as Social Security numbers, birth dates and bank account numbers — are compromised at the third-party, web-based personal portals used by his clients.

"If there's a breach at that provider, I'm the one who recommended it, so potentially I could be liable," Ringer said.

The reason an advisor's liability should matter to clients is that, depending on the size of a financial loss due to a cyberattack, an advisor could be unable to personally cover the loss incurred.

Which brings us to another aspect of cybersecurity coverage: protection against wire fraud.

Samuel Boyd, CFP and senior vice president at Capital Asset Management Group, is considering this type of coverage in addition to his existing E&O insurance. While horror stories about advisors' clients suffering losses due to cyberattacks are rare, Boyd has a friend — a fellow financial advisor — whose client was a victim.

As Boyd tells it, one of the advisor's office associates received what appeared to be an email from a client requesting a large wire transfer. The message was even connected to previous emails between the client and the associate.

"It looked completely legitimate; even the sign-off was the exact same," Boyd said. "It was the perfect forgery."

The associate did the paperwork and submitted the transaction per protocol, and the money was wired to the requested account. As soon as the mistake was discovered, the advisor turned to his E&O insurance.

He was prepared to pay his $7,500 deductible but discovered that his policy excluded wire fraud. The advisor was on the hook for $47,000, Boyd said.

"The onus to make sure client information is protected is on the advisor," Boyd said. "You have to have risk management, and if you can't absorb the risk, transfer it to an insurance company."

As insurance companies wade into the cybersecurity area, the Securities and Exchange Commission has put the financial institutions it regulates on notice that cybersecurity continues to be an area of focus for its compliance officers.

Although not all financial advisors fall under the SEC's jurisdiction, those that do are expected to comply with regulations that address preventing identity theft. Additionally, the SEC issued guidance in 2015 that said advisors should be considering cybersecurity as part of evaluating their regulatory compliance requirements.

But according to the TD Ameritrade-sponsored study, just 18 percent of advisors are very confident that they would pass an SEC cybersecurity examination if one were administered at the time they responded to the survey.

Boyd, for one, says that while industry leaders and regulators try to stay on top of evolving cyberthreats, keeping up with creative criminals poses a challenge.

"It's hard for regulating authorities to imagine, so to speak, what the next big fraudulent activity is going to be," Boyd said. "The criminals' fraud is only limited by their creativity.

"I don't think the industry has caught up with the level of cyberthreat that's out there."