Regulatory Outlook | 05.26.21
Advisors Race to Prioritize Cybersecurity
In February, the Securities and Exchange Commission’s Department of Enforcement conducted a review of independent broker-dealer Cambridge Investment Research Inc.
Under scrutiny: the firm’s cybersecurity policies.
What specific controls were in place, the SEC asked, to make sure Cambridge's advisory force was not compromised?
Cambridge is continuing to work with the SEC to resolve this matter, according to an SEC filing cited by InvestmentNews.
As it turns out, some of the firm's representatives did have their email accounts compromised due to the widespread Office 365 phishing attack.
The entire industry—indeed, the entire world—across all sectors, is now focused on cyber attacks, specifically ransomware attacks, in the wake of the stunning Colonial Pipeline incident that disrupted much of the East Coast's gasoline supply while providing a blueprint for how to cripple a superpower without getting out of your pajamas.
Cybersecurity long has been a vital aspect of IT operations at banks and the technology firms on which they rely.
Increasingly, though, cybersecurity is becoming its own distinct, hair-on-fire, all-hands-on-deck priority of the highest magnitude, times ten, squared.
After the 2017 Equifax breach, industry members reported a sense of heightened awareness and commitment to more vigilance. But recent episodes, and just crazily changing times, have led firms to double down on resources.
For financial services firms, entrusted with the identity and assets of families and institutions, this focus has intensified exponentially.
Concerns are reflected in the spending decisions by financial advisors.
According to a survey conducted last year by InvestmentNews, 29% of advisors purchased supplemental insurance to manage cyber liabilities, augmenting their existing E&O coverage.
For advisors, a key challenge is finding a balance between assuring clients that best practices are a priority and, at the same time, providing the convenience and flexibility that U.S. consumers are becoming accustomed to for financial transactions. Frictionless cybersecurity is a journey, not a destination, industry members point out.
Managing critical security issues such as identity management and access management was complicated by the pandemic shutdown.
The sudden shift to an all-virtual workflow left households increasingly accustomed to handling the most intimate aspects of life—including healthcare, legal and financial functions—from smartphone apps and online video conferencing. The rush to embrace the new communications tools has left organizations that were initially caught flat-footed playing catch-up.
No Quick Fixes
“After an event enters the news cycle, we immediately see an uptick in client inquiries regarding messaging,” said Wes Stillman, CEO of RightSize Solutions, a Lenexa, Kansas-based cybersecurity firm serving the wealth management industry.
“The questions typically are what are we doing to address this specific type of threat and how can I best communicate to our customers that we are proactively managing this type of threat.”
Addressing these concerns can mean helping a client change its culture and adapt.
“Many of the organizations we speak to initially are looking for a quick fix, a product they can buy to solve a problem,” Stillman said.
“We have to help them to the realization that it is really about having a process, having the right procedures and policies in place to proactively manage risk as their needs, and the needs of their customers, evolve.”
Communication with customers about security is critical, and some advisors want more than just advice from security providers, seeking to integrate them directly into the customer management and marketing process.
“In recent years, we have been asked by clients to present at events for their customers and prospects with increasing frequency,” according to Steven Ryder, CEO of True North Networks, a Swanzey, New Hampshire-based IT and cybersecurity firm specializing in SEC-compliant digital infrastructure for RIAs.
“We have even been pulled into discussions with individual customers of our clients who have specific needs or concerns that need to be addressed,” Ryder said.
Having the ability to manage security is one thing; having the ability to manage security, fully integrated into an existing compliance process? That’s a considerably more daunting task.
True North's clients must be able to easily and efficiently demonstrate security procedures and data to SEC auditors, Ryder explained.
He added that the process of streamlining reporting is particularly critical for financial advisors who operate semi-autonomously within a larger security framework, such as a bank or insurance firm.