Financial advisory firms are under more pressure than ever to ensure their operations are protected from cyberattacks and prepared for the worst as cybersecurity risks rise.

Recent data on financial institutions’ preparedness for hacking attacks doesn’t look good. A survey from encrypted cloud service provider NordLocker of 300 U.S. financial services professionals found that almost one-third (31 per cent) hadn’t done cybersecurity training arranged by their employer – even though almost 90 per cent handled confidential data at work.

Sending financial professionals to work without appropriate training is increasingly risky as the cybersecurity stakes rise.

Tensions in Ukraine have rippled into cyberspace, and recent cyberattacks on the Ukrainian government might not stop there, according to government officials. The Canadian Centre for Cyber Security warned in January of potential Russia-backed attacks on Canadian companies as tensions in the region escalate, and issued another warning last week of new malware targeting Ukrainian organizations.

Adam Evans, vice president cyber operations and chief information security officer at Royal Bank of Canada in Pickering, Ont., says it’s easier than ever for criminals to target financial institutions online.

“Introduction of highly specialized skills into the cybercrime economy continues to drive innovation and the scalability of attack platforms and services,” he says. “The impact of this commoditization of crime can be seen in the increased frequency and scale of cyberattacks globally.”

Financial regulators have responded to the growing threat on both sides of the border.

The U.S. Securities and Exchange Commission increased its enforcement actions against violators of its cybersecurity rules last year. In February, it proposed new rules that would require registered advisors to disclose their cybersecurity risks and report incidents within 48 hours.

In Canada, the Investment Industry Regulatory Organization of Canada issued mandatory reporting requirements for cybersecurity incidents in 2018 and followed up with reporting guidance in February as well.

“There’s a lot more that financial institutions can do as a whole to train their staff and make this an organizational issue,” says Ryan Duquette, partner and head of the cybersecurity practice at accounting and consultancy firm RSM Canada LLP in Toronto.

Defending against an attack

Tackling the cybersecurity threat is a long-term journey for advisors and investment companies rather than a quick fix, he adds. He recently finished the first phase of a cybersecurity project with a financial institution, which involved finding the gaps in its defences. That included examining existing policies and procedures and using penetration testers – ethical hackers – to look for weaknesses in its systems.

The second stage of the project will involve plugging those weak spots. That means putting in multiple layers of protection – a little like the layers in bulletproof glass – that will work in concert to stop an attack.

These protections begin with the security awareness training that so many financial services professionals appear to lack, Mr. Duquette says. Teaching employees basic skills to spot suspicious e-mails or phone calls hardens them against attack. An effective program includes awareness-raising sessions, ongoing anti-phishing tests for employees, and tabletop exercises to simulate attacks.

But even with the best intentions, some attacks will slip through. That’s where the technology layer comes into play.

“Financial institutions must also put endpoint detection and response tools in place,” Mr. Duquette says.

These software tools watch for suspicious software behaviour on a PC or mobile device that could indicate a malware infection. They report the problem to administrators and can even quarantine an infected computer from the rest of the network to stop the infection from spreading.

Outsourcing security for coverage

The administrators who monitor and manage these protection systems often work in a security operations centre. This central control room for cybersecurity operations watches for cyberattacks, but it’s expensive to staff and run. Mr. Duquette says that some banks have considered sharing them.

“Joint security operation centres is a concept that a lot of the major banks in Canada have been into implementing,” he says, adding that mid-tier banks have also been discussing it. “This allows core security operation teams at the banks to share resources and combat financial and cybercrime.”

For smaller advisory companies lacking sufficient in-house expertise, the best option might be to outsource security, says Eric Matthews, chief technology officer at security consulting firm Parabellyx Cybersecurity in Vaughan, Ont.

“I strongly recommend that a very small business goes to cloud services where they can exploit the expertise of Microsoft Corp., Google LLC, or other organizations,” he says.

Cloud service providers like Microsoft already have strong cybersecurity protection, and cyberattacks on a local network are less likely to affect data in the cloud, he says.

Planning for the worst

Preventing and detecting attacks is a vital step, but financial institutions should still prepare themselves for successful hackers that slip through their layered defences, warns Alexander Poizner, Parabellyx Cybersecurity’s chief executive officer.

“What’s your plan in case something bad happens? How are you going to respond?” he asks. At the very least, advisors should have a backup and recovery plan for company data.

The plan should go even further, he says. “What is your recovery plan on the business level, not just technology level?”

Advisory firms need a way to keep operating in some capacity while coping with an attack, ensuring that they can still serve customers effectively.

For many, that will mean bringing in external help to harden their security. Better now than after hackers come calling.
