Cyber Security for Financial Firms

September 1, 2016


The good news is that financial services are one of the top performing industries regarding cyber security. Your firm should realize that the threat is not always someone on the outside; trusted insiders can also be a threat. Additionally, a middle ground of software suppliers and contract workers have increasing access to your systems without being fully inside or outside the firm. Here are some things to remember:

Regulatory agencies keep us on our toes

Outside agencies hold firms accountable for keeping on top of security issues. These agencies have the authority to fine you or even shut you down. This means that taking action is not optional. Along with cyber security procedures, we are also used to obeying regulations regarding risk, technologies, and marketing.

Regulations establish the bare minimum, but when it comes to potential leaks of client information, you'll want to go above and beyond. Being in compliance does not mean that you are fully secure. Consider this evaluation part of your fiduciary duty - where are the potential security holes in your existing data structure or in the way your programs interact with each other?

In our day-to-day work, we see many potential security flaws. Almost all advisors have one or more employees with "Admin" rights to the CRM. As CCO, would you receive a notification if they exported your entire database? Many advisors also use employees to organize and execute trades. As custodians and tech vendors are constantly in a race to improve their products, how can you be sure that your employees' trading permissions stay consistent across multiple platforms? If they have the appropriate license allocated now, will they still have it after an upgrade of the software? Do you allow your employees to text with clients? If so, how many employees are using iPhones? It is tough to capture iPhone text messages in a way that meets regulatory scrutiny.

Stay on top of execution and maintenance

It's easy to "solve" the cyber security problem once and then let it slide, but implementing proper procedures without carrying them out is useless in this area. Technology and methods of attack are constantly changing. Your protection and emergency plan will need to be updated regularly. Test regularly so that you have verified your solution actually works, and put adequate resources toward the creation and testing of procedures.

Although the above reflects prudent procedures to consider regarding information security and client privacy, you can go above and beyond by encrypting specific client personal information. Specifically, encrypt any electronic communication that contains the client's first and last name in combination with any of the following:

  1. Social Security number;
  2. Driver's license number or state-issued identification card number; or 
  3. Credit/debit card number (with or without required security codes, access codes, personal identification numbers, or passwords that permit access to a client's financial account)
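One way to apply the rule above as an automated check before a message leaves the firm, added here as an example and not part of the original post: it flags a message for encryption when the client's first and last name appear together with an SSN, a labelled driver's license number, or a Luhn-valid card number. The regular expressions, the name-matching logic and the sample messages are assumptions constructed for this example.

```python
import re

# Constructed patterns (assumptions for this example):
# - SSN in dashed or plain 9-digit form, excluding invalid area/group/serial values
# - a "driver's license" / "DL" label followed by an alphanumeric id containing a digit
# - 13-19 digit runs (spaces or dashes allowed) that are later Luhn-checked
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")
DL_RE = re.compile(
    r"\b(?:driver'?s?\s+licen[cs]e|DL)\s*(?:#|no\.?|number)?\s*:?\s*"
    r"((?=[A-Z0-9]*\d)[A-Z0-9]{5,15})\b",
    re.I,
)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> set:
    """Return the set of identifier types (per the list above) found in text."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if DL_RE.search(text):
        found.add("drivers_license")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card")
            break
    return found


def requires_encryption(text: str, first: str, last: str):
    """True when the client's full name appears alongside any listed identifier."""
    name_re = rf"\b{re.escape(first)}\W+{re.escape(last)}\b"
    name_present = re.search(name_re, text, re.I) is not None
    ids = find_identifiers(text)
    return name_present and bool(ids), ids


if __name__ == "__main__":
    # Constructed sample message, not real client data
    msg = "Hi Jane Doe, your SSN 123-45-6789 is now on file."
    print(requires_encryption(msg, "Jane", "Doe"))
```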

It is your responsibility to confirm that your service providers have taken reasonable steps to maintain all personal client information in a confidential and secure manner. Evidence of each service provider's acknowledgment of this obligation may be included in the written contract when you sign up for the service.

Expect Violations

You can't expect never to be hit by an attack. When you are hit, you may not be able to block the offense successfully. Your systems' vulnerabilities are ever-changing, and so are the ways someone can exploit them. Remember that many breaches happen through trusted vendors.

2-Step Verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes which only the user can obtain via their own mobile phone, or via an encrypted signature contained on a security key.

Even if you have all the right protection in place, your data could still be leaked if a trusted vendor is the victim of a successful attack. Get a plan in place to recover lost data and detect potential threats so you can learn from the attempts to hack into your firm.

Know what others are experiencing

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has up-to-date reports on what threats have been detected in the industry, and the information it provides could save your firm from a similar situation. Also, the SEC and FINRA often hold local compliance round tables. These are excellent opportunities to take off the name tag and ask the questions you always wanted to ask.

Let's remember that part of our business is keeping trust with our clients. Reporting violations will surely put client confidence, and possibly your business, in a vulnerable position.

ALSO READ: "Compliance Is a Sentence, Not a Word" (GUEST BLOG by Elisabeth Miller, Managing Partner, Milava Consulting; Blog / August 26, 2016)


Elisabeth Miller

Milava Consulting

Telephone: (844) 464-5282


Elisabeth is a Managing Partner at Milava where she designs operations, technology, and marketing strategies to help financial firms run more efficiently. Milava is a consulting and outsourced services firm that specializes in providing practical strategies to help financial advisors run more effective businesses. With intelligent tools, Milava helps advisors grow successful firms in less time and with less effort. Elisabeth's expertise includes brand development, marketing execution, infrastructure design, process improvement, and technology integrations for financial advisory firms.

Elisabeth has provided marketing guidance for the development of a range of financial services firms, including large broker-dealers and independent RIAs. Her daily practice of speaking to a number of investment advisors gives her a unique perspective to help clients implement tactics that the best performing firms are utilizing. She closely aligns herself as a partner to each of Milava's clients to better understand their businesses and deliver custom fit solutions.  

Before joining Milava, Elisabeth focused on marketing strategy at Dimensional. During her time at the firm, Elisabeth led initiatives across financial services reporting, performance analytics, and marketing. Elisabeth received a BBA in Finance from Texas A&M University and holds the CIPM designation from the CFA Institute.

NOTE: The views expressed in this Guest Blog are those of the author and do not necessarily reflect those of Blog.