When clients ask what advisers are doing to protect their data, only the firms that can give a satisfying answer will build trust with investors
Advisor Armor Opinion
As the most tenured and largest provider of cyber security compliance in financial services our empirical evidence indicates ZERO correlation between information technology spending and technical controls with data security failures and successful compliance examinations.
Governance procedures and technical controls must be reasonably tailored to conducted assessments. Commonality certainly exists but one size does not fit all and controls must change to model current risks.
Jan 12, 2019 @ 6:00 am By Ryan W. Neal
After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cyber security rules.
A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.
The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.
"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cyber security practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors."
No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.
Even though Voya had a cyber security policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cyber security policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.
This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cyber security is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.
"Firms have cyber security policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cyber security firm Entreda.
For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.
Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cyber security.
"People talk about having a good cyber security policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.
These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.
Advisor Armor risk assessments and profiles create suitable policies and procedures which describe how firms manage and care for valuable information. These policies are then tested and maintained by Penetration Testing, Endpoint Security Audits and Employee Awareness Training and Testing. Our Assurance Service certifies and attests to the implementation of the described policies and procedures.
2018 warnings to heed
When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cyber security, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cyber security preparedness and response team.
"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cyber security programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."
The agency last year named cyber security as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cyber security; and issued new guidance on public companies' obligations to disclose cyber security risks and incidents, updating its previous guidance issued in 2011.
The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cyber security when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.
It isn't just the SEC getting tougher with cyber security. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transfering money from client accounts. In December, the self-regulatory organization updated its 2015 report on cyber security best practices for broker-dealers.
State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cyber security programs, the number of bills and proposals addressing cyber security at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.
Advisor Armor Coverage models current state consumer data security protection expectations for All states including those recently instituted by New York, California, Oregon, Massachusetts, Florida, etc.
The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.
For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cyber security breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.
The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cyber security plan in place. Regulators want to see firms continually testing, reviewing and updating cyber security policies and procedures to ensure they remain effective as threats evolve.
Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is compromised business emails — an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use emails to trick other employees.
"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.
Preventing harm due to phishing scams requires firms address human susceptibility to such scams in addition to the technology element itself, she said.
Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the vulnerability from third parties.
Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.
Advisor Armor provides Email Enticement (Phishing) Testing and Training. Thousands of customized phishing emails, consistent with and relevant to financial services, provide a realistic challenge that builds practical resistance to the single largest intrusion threat facing financial firms today.
Where advisers can improve
The good news is that the financial services industry has done a pretty good job of adapting to new cyber security requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney.
Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.
"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."
At smaller firms, there can be a sense of fatigue and helplessness when it comes to cyber security, because even the largest companies get hacked.
"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, provider of cloud-based cyber security for advisers. "I do think that causes some frustration."
Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.
Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.
Advisor Armor has managed hundreds of client data security incidents over the past 3 years. Our history with Red Flags/Identity Theft, allows us to efficiently navigate the murky regulatory requirements for physical and electronic breaches. And our incident response coverage satisfies the regulator requirement for tested procedures.
Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cyber security controls. When used alongside Finra's previously released small firm cyber security checklist, it should give smaller advisers an effective guide to remaining compliant.
The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cyber security is something more important than another compliance chore. The key to that may lie in thinking of cyber security as a competitive advantage, Mr. Yenamandra said.
Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.
"Cyber security needs to be viewed as not only an operational risk but also a strategic function," he said