Independent financial professionals are on the front lines of a real war
Cyberattacks are grabbing more national headlines than ever. Cybercriminals attack anonymously from IP addresses that bounce all over the globe, stealing personal information and identities from individuals, nonprofits, corporations and governments.
High-profile companies like Yahoo, Wells Fargo and Target have faced substantial fines for failure to protect client data; San Francisco’s public transit system was hacked and held for ransom; and the FBI is currently investigating Russia’s involvement in cyberbreaches during the U.S. presidential elections. Events like these keep cybersecurity at the forefront of the national dialogue. This focus comes as the financial industry, part of the nation’s critical infrastructure, is experiencing a tremendous surge in network cyberpenetration.
Cybercrime is the number one risk to the U.S. financial system according to former SEC chairwoman Mary Jo White. Cody Siebert, a financial professional with Siebert and Briggs Wealth Management Advisors, agrees. Siebert is also a special interest group chief for the financial sector of Houston InfraGard Alliance, a collaboration developed by the Department of Homeland Security and the FBI to increase awareness and prevention education. Cybercrime is a real war threatening the financial world, Siebert said. In response to the rising threat of cyberattacks, regulators are stepping up the requirements firms will need to have in place to ensure financial professionals are adequately protecting sensitive client data.
Cybersecurity has been on regulators’ radar for some time. Both FINRA and the SEC have conducted sweeps over the past few years, evaluating financial service firms’ cybersecurity programs and probing for weaknesses. Both have also introduced cybersafety regulations for financial professionals and levied substantial noncompliance fines. The push for increased cybersecurity measures and regulations by these and other regulatory agencies comes at a time when they are also pushing for a reduction in operating fees.
“This is an almost impossible paradox that will continue to increase vulnerabilities in this critical infrastructure of our country,” said Siebert.
Regulatory agencies aren’t alone in their concerns about cybersecurity. The previous administration also made it a top priority. President Obama’s 2013 Executive Order for Critical Infrastructure Protection called on the National Institute for Standards and Technology to develop a guide that could help businesses with their cybersecurity efforts. The result was the Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the Framework. The Framework is consistent with the standards or requirements of most regulatory and enforcement agencies, including FINRA, the SEC, FTC and the FBI.
Although there is no one-size-fits-all approach, the Framework can be adapted to companies of all sizes. There are also Framework-related resources created just for smaller companies. The Securities Industry and Financial Association offers one for small businesses, and FINRA offers a downloadable Checklist for a Small Firm’s Cybersecurity Program at its website. Broker-dealers should also have resources and protocols to help their financial professionals comply with the various regulations.
Establishing a cybersecurity program is crucial to protecting client data. Some steps financial advisors should take include: reviewing vendor relationships, conducting regular staff training, and establishing a communications or incident response plan in the event of a breach.
No matter where a breach occurs, the result will still be the loss of client data and, at the very least, damage to your firm’s reputation. Managing third-party (or even fourth-party) vendors should be part of a cybersecurity program. Everyone who has access to your clients’ data must have access controls in place. Your broker-dealer may have a list of vendors who have met its security standards.
Regular employee training is important, as successful hacks are often the result of employees’ online activities. Employees surfing the internet assume certain websites are safe to visit, but even downloading a coupon could open the door to your company network.
“Most cyberbreaches happen through the actions of company staff. That’s a company’s highest risk,” Siebert said.
You should also identify potentially vulnerable data in your office. Think of what cyberthieves want – personal identity and account asset takeover information. Is your client document storage, whether hard drive storage or paper file format, at risk? Do you accept credit card payments?
“All this is enticingly breachable data,” Siebert said.
What happens after a breach is just as important as what happens before a breach. You should have an incident response plan in place—and stress tested—before a successful cyberattack. You don’t want to waste valuable time figuring out who you should contact or what to say.
Some proactive steps you should take include:
- Consider specific scenarios: what will you and your staff do after an attack? For example, what protocol should you and your staff follow if you suspect a phishing email?
- Understand your compliance/regulatory department protocols.
- Identify when and how you should contact which law enforcement agency for assistance.
- Document how a potentially compromised computer or network will be handled to preserve data that would enable a law enforcement or technological investigation.
- Designate who is responsible for communicating with clients and be sure to have a message written ahead of time.
- Create a business continuity plan.
- Use your broker-dealer’s secure cloud storage for all sensitive client documents. Store additional backup data offsite.
- Maintain client investment or bank account information only on the brokerage clearing company’s secure data storage; it should not be stored on your CRM.
- Office maintenance documents should be password-encrypted.
- Verify all stored client bank information with the client before processing a wire or EFT.
- Reverify any client bank information that was not sent via secure encryption.
- Research cyberinsurance policies and what liabilities each policy will exactly cover.
- Make sure all internet communications travel over connections protected by current encryption protocols. (This is separate from encrypting documents that travel as email attachments.)
The financial sector will continue to be a high-value target for cybercriminals. In a January 2017 Forbes article, Michael Chertoff, secretary of Homeland Security under President George W. Bush, described finance as a target-rich section of the nation’s critical infrastructure. Protecting it from cyberattacks, he said, “must be prioritized as a matter of national and economic security.”
During the fall 2016 campaign, then-candidate Donald Trump declared that, as president, he would make cybersecurity an immediate and top priority for his administration. In January he appointed Thomas Bossert assistant to the president for homeland security and counterterrorism. The newly created position will focus heavily on cybersecurity. Bossert’s appointment seems in line with Trump’s aversion to regulation and governmental enforcement efforts. Bossert recently said the administration should draft a cyber doctrine that takes into account free markets and private competition, and a limited role for government in establishing and enforcing regulations and the rule of law.
To put it mildly, other issues, both domestic and international, are currently competing for presidential attention. But the focus on cybersecurity will most likely remain at the top of the administration’s list of priorities, as national security will depend on it. Certainly, it remains a priority for regulatory agencies like the SEC and FINRA. No matter what the future holds, financial professionals should take time to review their company’s cybersecurity, adopt a framework for creating a plan tailored to the company’s needs, and consult with their broker-dealer on complying with regulatory standards.
“It’s us versus them,” Siebert said. Preemptive strikes may not be feasible in this war, but proactive continuity plans are. “This is our best defense. As financial professionals, we play a valuable part in protecting our clients, our firms, ourselves, even the nation.”
President Donald Trump signed a cybersecurity executive order on Thursday, May 11, 2017. The order focused on three areas of cybersecurity: modernizing the federal IT system, with all 190 federal agencies moving to one centralized IT network and abiding by the NIST Framework; developing a set of policies to protect U.S. consumers on the internet; and having the secretary of Homeland Security report to the president on the vulnerability of the country’s critical infrastructure, which includes the financial sector.