How RIAs respond to customers in the aftermath of a data breach is crucial but fraught with confusing or nonexistent requirements
Your registered investment advisory firm was hacked last night, and now you’re sitting in an all-hands-on-deck meeting. The CEO is calm. Your crackerjack IT team identified the breach immediately, and technicians are working with custodians to limit the damage and understand exactly what happened.
The good news: No money is missing from client accounts. The bad news: Clients’ names, Social Security numbers, birthdays, and addresses were all taken, as were other details yet to be determined. Your CEO, a true fiduciary, insists your firm has an obligation to notify clients about the hack.
The real question is what to tell them. The statutory requirements are confusing. The impact of the breach may take months to understand as techies try to identify how the hackers breached your perimeter and exactly what they took.
And in the immediate aftermath of an attack, only one thing is clear: If you tell clients “We’ll pay for credit monitoring for 12 months,” then you don’t understand the problem.
Regulation S-P requires wealth-management firms to implement “reasonable safeguards to protect a client’s nonpublic information,” says Brian Hamburger, chief executive of MarketCounsel, which consults with RIAs and broker-dealers about their compliance obligations.
But the Securities and Exchange Commission, which enacted Regulation S-P, doesn’t define “reasonable safeguards,” according to Mr. Hamburger.
Nor does the agency stipulate what actions are required after a breach, he says, explaining that the SEC has prosecuted only one RIA in recent years for failing to put reasonable safeguards in place to protect privileged client information.
Mr. Hamburger notes that the Financial Industry Regulatory Authority and a number of state regulators have brought actions, independent of the SEC.
But state laws vary, he says, and questions of jurisdiction sometimes cloud the requirements, like whether the client’s home state or the adviser’s place of business determines the company’s obligations.
Purely from a regulatory perspective, you could be sitting at your desk in New York City and be obligated to tell clients in Oklahoma one thing and clients in Massachusetts another. Yikes. How does that make any sense?
Four Tiers of Cyber-Criminals
It might be tempting to emphasize that no money was taken in the hypothetical breach. But the reality, according to Alex Tilley, the E-Crime Intelligence Lead at SecureWorks’s Counter Threat Unit, is that the hack could be part of a larger multipronged assault that unfolds over months or, in some cases, years and that monetary losses could be slow to become apparent.
Mr. Tilley, whose firm helps its clients defend themselves from cyberattacks, believes criminals are growing more proficient. “What used to be a $5,000 transaction is now a $500,000 transaction,” he says, referring to the criminal activity.
What happens after a breach depends on the sophistication of the hackers, according to Mr. Tilley. He breaks cyber-criminals into four categories, ranking them in ascending order of technical and criminal expertise.
— “Street-corner” thieves are the least sophisticated and want their money now. Mr. Tilley says they can sell a client dossier, which is known as a “fullz” on the black market, for anywhere from $4 to $30 per person depending on what’s included.
— “Blue-collar” thieves use ransomware to block computer access and extort payments. While these thieves can cost small-business owners hundreds of thousands of dollars, Mr. Tilley discounts their sophistication because ransomware is easily purchased on the black market and because they generally demand their payment in bitcoin, which requires little expertise.
— “White-collar” thieves use sophisticated malware, like “injects” that attach to legitimate websites and steal personal information from unsuspecting users. To launder money, Mr. Tilley indicates that white-collar thieves rely on networks of human “mules” to open accounts and move their loot out of the country.
— “Oligarchs” are the highest tier in Mr. Tilley’s caste system of cybercrooks. What distinguishes them from white-collar thieves are the size of their criminal operations, the number of mules they run, and the sheer audacity of their schemes. Oligarchs, unlike white-collar thieves, target entire banks rather than individual customers.
What to Tell Clients
Sure, no money was taken in the hypothetical example. The reality, however, is that clients are vulnerable until some kind of disruptive technology puts cyberthieves out of business. It’s an uncomfortable message to deliver clients.
You can demonstrate your commitment, though. Mr. Hamburger says one RIA not only offered to pay for credit monitoring but also asked to be copied on what the credit agencies reported. That way, the RIA could be on the lookout for malfeasance along with its clients. This response, however imperfect, strikes me as far more thoughtful than “we’ll-pay-for-monitoring-see-ya’.”
It can also be worthwhile to describe what your firm is doing to identify the source of the breach, what procedures are spelled out in your written security plan, and what security measures you require from third-party vendors.
But procedural discussions after the hack are somewhat underwhelming. It’s like discussing process after a portfolio manager loses 37% on his or her stock picks for the year—which is to say, it’s not especially helpful given the pain incurred.
My view: The better way to retain your clients’ confidence is to show your commitment to cybersecurity before there’s a problem. So rather than buying them steak dinners they’ll regret later, why not spend the same amount of money and pay for their digital password managers instead? It’s a start.
—Norb Vonnegut built his wealth-management career in New York and now writes thrillers about financial malfeasance. Email him at firstname.lastname@example.org. Twitter: @NorbVonnegut