The recent passage of Reg BI comes at a time when the advisor-client relationship is already becoming more collaborative, open and transparent. The future of advice will be one in which clients are empowered by technology to work with their advisors to take further ownership of their financial lives.
In this new world, advisors are not only expected to have their clients’ best interests foremost in all that they do, but are increasingly expected to be accessible at virtually all times via a broad range of communications channels, including mobile devices, online collaboration tools and third-party websites. It’s a foundational evolution for our industry and a generally positive shift that will allow advisors to serve more clients and offer them better service than was possible even a decade ago.
But there’s a catch: The more an advisor-client relationship grows, the greater the risks for the client’s sensitive personal data. Long gone are the days when crucial information sat in a filing cabinet in an advisor’s office, where only a handful of people had access. Now, with documents and other data available to clients and advisors on demand through a range of technology-driven devices and digital channels, sensitive information has become more accessible and easier for cyber thieves to compromise.
In addition, the practice of sharing sensitive data with third-party partners introduces another area of potential vulnerability, even when these partners are well-known vendors. This was recently demonstrated when leading CRM provider Redtail found that it had inadvertently made client information stored by advisors on the company’s CRM software easily accessible to hackers and others online.
Cyber-criminals are also getting increasingly sophisticated in their attacks, moving “downstream” from comparatively well-protected targets like large retail banks and wirehouse broker-dealers to the independent financial advice space, where under-investment in cybersecurity by some firms has left detailed troves of client data relatively accessible. One well-known example in the advice industry was the attack on a large financial institution in 2016, in which the personal information of 5,600 clients was stolen.
Post-Reg BI, this case is even more relevant because it also demonstrates regulators’ recent shift away from offering corrective guidance to firms whose cyber-protections have been compromised and toward imposing punitive fines: the company above not only suffered from lost trust and business as a result of the breach, but was assessed a $1 million penalty by the SEC.
With all these factors in mind, it’s increasingly crucial for IBDs to overhaul their approach to cybersecurity in the post-Reg BI landscape to continue to drive the benefits of technology that advisors and clients want, while keeping everybody protected against cyber criminals. Following are three considerations for any cybersecurity overhaul:
• Prioritize cybersecurity as a core part of the firm’s operating plan. For advisors to realize the vision of the future advisor-client relationship and harness all the value it potentially can bring, broker-dealers must make safeguarding client data a core part of operations and invest in cybersecurity measures in a holistic, top-down and adaptive way that is baked into their strategies at every level.
• Understand that cyber-defense is an arms race that requires continuous focus. As the regulatory and threat landscapes continuously evolve, it is crucial that IBDs maintain an ongoing focus and dedicated, layered approach to cybersecurity. There is no silver bullet for combatting cyber crime, and as technology continues to advance, so will the risks and vulnerabilities. Independent financial advice firms also need to leverage their size and scale to marshal resources and build more comprehensive solutions to anticipate and effectively combat cyber threats. By creating a flexible central technology chassis onto which new solutions can be easily added and old ones removed, firms can quickly identify and close gaps in their defenses.
• Seamless integration of cybersecurity in terms of training, surveillance, continuous testing, devices and software is critical. IBDs should bring together each of these different areas that collectively comprise a holistic cybersecurity defense rather than spending money buying point solutions or services that don’t integrate.
Beyond technological solutions, firms should reinforce to advisors that corporate and home-office personnel are on the same page with them in their goal—to protect advisors and clients and put advisors in a position to thrive. To that end, firms should collaborate closely with advisors to ensure they fully internalize best cybersecurity practices into their infrastructure and operations.
The shift toward an expanded advisor-client relationship in the post-Reg BI landscape has already begun. Both sides have come to expect a higher level of accessibility, convenience and transparency in their engagements, but neither would be served well by an “every advisor for themselves” approach to combatting cyber threats.
To accommodate the gamut of cyber preparedness and raise everyone to the same high standard—from smaller practices, to branch offices, to home offices—firms should take full advantage of their scale, resources and reach to implement a unified approach to cybersecurity that is both integrated and highly adaptable.