Financial advisors and their firms need to ensure their cybersecurity practices are up to snuff after recent private and public sector data breaches have thrown the risks into sharp focus.
New York-based asset-management giant BlackRock Inc. accidentally exposed the names and addresses of about 20,000 advisors in spreadsheets posted online on its website in December. That same month, the Oklahoma Department of Securities exposed information on 100,000 securities brokers on a public-facing internet server containing three terabytes of data.
Breaches such as these may be the tip of the iceberg. In October of 2017, the Canadian Securities Administrators (CSA) surveyed more than 1,000 registered investment fund managers, portfolio managers and exempt-market dealers on their cybersecurity and social media practices. The CSA found that 51 per cent of survey participants had already experienced a cybersecurity incident in 2016.
In the United States, the Securities and Exchange Commission (SEC) has moved aggressively against investment companies that suffered cybersecurity incidents. Penalties range from the small to the large. The SEC levied a US$75,000 penalty against St. Louis-based broker-dealer R.T. Jones Capital Equities Inc. in 2015 after hackers stole 100,000 individuals’ details from its webserver, and the regulator fined Morgan Stanley US$1-million in 2016 after hackers stole client information.
Regulators in Canada are also addressing the issue – albeit at a slower pace. Cybersecurity has been on the radar here for the past five years, says Max Munoz, a lawyer at Gowling WLG in Toronto, but he adds that regulators and industry bodies are still in the information-gathering stage. “We’re always behind the United States a step when it comes to regulators.”
Canadian investment companies that don’t adequately protect client information still face consequences. Since Nov. 1, companies have been required to disclose data breaches under Canada’s Personal Information Protection and Electronic Documents Act. The government could fine companies up to $100,000 for each individual affected.
Hacks or accidental publication of details online are two risks among many. One of the biggest emerging threats to advisors is business e-mail compromise. “I have seen it hit investment advisors quite a bit,” says Thomas Davies, financial services cybersecurity leader at EY Canada.
In this scenario, attackers either gain access to a client’s e-mail account or use an alternative e-mail address that looks like the client’s at first glance. The hackers then e-mail the advisor with an urgent request to send money to a fraudulent account.
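The lookalike-address variant described above can be screened for at the advisor's mailbox before any money moves. The following is an added example, not code from the article or from any firm it mentions; the client list, sample messages, the homoglyph table and the near-match threshold are constructed assumptions.

```python
# Added example (not from the article): flag inbound mail whose sender looks like
# a known client but is not. Contact list and messages are constructed sample data.

KNOWN_CLIENTS = {"Jane Doe": "jane.doe@example.com"}  # display name -> address
URGENT_WORDS = ("urgent", "wire", "transfer", "immediately")


def edit_distance(a, b):
    """Levenshtein distance; a small value means the strings look alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(address):
    """Lower-case and fold substitutions that read the same at a glance."""
    address = address.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        address = address.replace(src, dst)
    return address


def classify_sender(display_name, address, known=KNOWN_CLIENTS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for an inbound sender."""
    address = address.lower()
    if address in known.values():
        return "trusted"
    if known.get(display_name) not in (None, address):
        return "lookalike"  # familiar display name, unfamiliar address
    for trusted in known.values():
        if edit_distance(normalize(address), normalize(trusted)) <= max_distance:
            return "lookalike"  # e.g. examp1e.com or jane.d0e
    return "unknown"


def triage(display_name, address, subject, body):
    """Hold urgent money requests unless they come from a trusted address."""
    sender = classify_sender(display_name, address)
    text = (subject + " " + body).lower()
    if sender != "trusted" and any(w in text for w in URGENT_WORDS):
        return "hold: verify instructions by phone"
    if sender == "lookalike":
        return "hold: lookalike sender"
    return "ok"


if __name__ == "__main__":  # constructed sample messages
    print(triage("Jane Doe", "jane.doe@example.com", "Quarterly review", "Meet next week?"))
    print(triage("Jane Doe", "jane.doe@examp1e.com", "Urgent wire", "Send funds today."))
```

A "hold" verdict is a prompt to confirm the request with the client through a channel already on file, not a reason to reply to the message.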
In some cases, attackers can mount a successful attack with little more than a convincing phone call. In 2015, crooks called the chief financial officer at London-based hedge fund Fortelus Capital Management LLP in Britain pretending to be security personnel from its bank, Coutts. They persuaded him to hand over security codes and used them to steal £740,000 ($1.25-million) from the company’s account.
Another threat facing advisors and their clients is the theft of mobile data taken outside the office on a laptop or removable drive.
“That laptop is a massive risk to your business and your reputation,” warns Mark Nunnikhoven, vice-president of cloud research at Trend Micro Inc. in Ottawa. “Make sure that you have strong security software on your laptop, but also that you have a strong pass phrase and that that laptop is encrypted.”
Protection against risks such as these begins with proper security policies, says John Reed Stark, former head of the SEC’s Office of Internet Enforcement and now a cybersecurity consultant.
“It doesn’t cost that much to have good cybersecurity governance,” Mr. Stark says.
Many investment firms still lack these controls. Only 57 per cent of firms surveyed had procedures to deal with cybersecurity incidents and only 56 per cent had cybersecurity training policies, the CSA’s survey found.
Firms should implement policies for advisors that cover activities ranging from password changes through to what data can be taken out of the office, along with technology protection for devices, says Mr. Stark. They should address employee training, control over who accesses company systems and how they log in, and incident response plans to follow in the case of a breach.
Both government and self-regulatory organizations provide advice on cybersecurity policy frameworks. The CSA has called for policies governing the type of information that can be sent via e-mail, along with the verification of client instructions. The Investment Industry Regulatory Organization of Canada, which has asked the CSA to consider mandatory data breach reporting for advisors, has a cybersecurity best practice guide for member dealers that covers procedures from backup and recovery through to user account management and access control.
The Mutual Fund Dealers Association (MFDA) issued general cybersecurity guidelines in its 2016 0690-C Bulletin, following up with a bulletin in 2018 focused on electronic communications that advised against the use of e-mail for trade instructions. The MFDA also sent a mandatory self-assessment questionnaire to member dealers in 2017.
Risk assessments should be a regular occurrence, warns Mr. Stark: “Have a good risk and security assessment done every year. Maybe even more often than that.”