Two years ago, the Securities Industry and Financial Markets Association conducted a cybersecurity simulation that mimicked a real attack.
The test included the participation of more than 50 financial firms, as well as government regulators and SIFMA itself.
Now, the industry trade group is preparing for the latest iteration of its test — dubbed Quantum Dawn — this fall.
"We create the spooky scenario," said Tom Price, managing director of operations, technology and business continuity at SIFMA. "It's data destruction. It's fake news coming from the newswires. It's bad data in the processors."
The participants include more than 1,000 individuals across different areas of financial services, including wealth management, in a range of roles including CEO, CFO, chief security officers, crisis management and others.
The simulation is aimed at getting firms to see how well they answer key questions on the fly: How well do they respond to these types of events? Who are the key contacts to talk to in such an event? How is key information escalated within a firm, to the government and law enforcement?
Having those answers is key for financial advisors and the firms they work in, as regulators turned up the pressure on them to have these plans in place.
The SEC has released cybersecurity guidance for the registered investment advisers it oversees. The Financial Industry Regulatory Authority, which regulates broker-dealers, has also issued its own guidance that includes information for small firms with 150 or less registered representatives.
The message: No firm is too small to have cybersecurity protections in place.
"The financial services industry is essential to the economy … We have to be right all the time," Price said. "The bad guys only have to be right once."
For the average financial advisor and their firm, even what may seem like a small oversight can turn into a big snafu.
Brian Edelman, CEO of FCI, a cybersecurity company, said he saw that first hand when one financial services company hired a shredding company to get rid of private documents.
But trouble struck when the documents were stolen and the clients' stolen information turned up on the dark web.
The theft is an opportunity for financial advisors and their firms, according to Edelman.
"Incident response, done the right way, builds loyalty with clients," Edelman said.
Having specific plans in place ahead of time can help minimize the impact an unfortunate event has on your business.
"Nothing is scarier than when the FBI shows up at your office," Edelman said. "If you're prepared for the regulators or the authorities, it's the best thing that can happen.
"If you're not, it's the worst."
Take the loss of a company laptop, for example. A police officer could find the lost item on the street and start an investigation, Edelman said. That could lead to the FBI and regulators also getting involved.
But if a financial advisor and their firm has a plan in place ahead of time, they will know to take the proper steps when the incident occurs. That includes documenting the item's loss and having an incident response system installed on the machine so that it locks itself.
If that is the case, the police officer could leave after seeing proof of the protections in place, without higher level authorities getting involved, Edelman said.
When it comes to cybersecurity, a lot of the emphasis is still on fundamental efforts: having a corporate firewall, anti-virus protection and a secure computer, he said.
"It doesn't cost you money to have a password on your computer," Edelman said. "It doesn't cost you money to have a PIN on your device or to have your device use biometrics … You have to make sure you're doing these things."
Firms also need to have a centralized system in place. That means, for example, having a single button for disabling employees' access to the systems when they leave a firm.
The big questions those businesses need to ask themselves, according to Edelman: How do we protect it, and how do we prove it to regulators and authorities?
Conducting regular tests can help to identify areas where those plans are weak.
"At the end of the day, the biggest threat to the United States is money," Edelman said. "That's what they're after.
"Financial advisors are directly connected to money."
A 2017 SEC report on examinations noted that the staff saw a greater overall cybersecurity preparedness compared to 2014, though there was still room for improvement, the regulator noted.
"It remains an ongoing priority for our board and the industry," said Kenneth E. Bentsen, Jr., president and CEO of SIFMA.