Article and interview with Brian Edelman, Financial Computer CEO. Link to the article: Investor's Business Daily.
To prevent data breaches, financial advisors are racing to improve their information security. The big question is how.
Addressing cybersecurity threats involves three steps: identifying risks, taking steps to reduce those risks and auditing your business operations to ensure you’re complying with regulatory requirements. With advisors handling so much sensitive information — and the danger of hacks increasing — the issue is becoming more important than ever.
“You can practically eliminate the financial impact of a loss by following certain guidelines,” said Brian Edelman, chief executive of Financial Computer, a Bloomfield, N.J.-based firm that helps advisory firms and other clients keep their technology secure. He adds that many of the steps that he urges advisors to take are relatively simple and low-cost.
Securing client data and planning to survive cyberattacks are among the technology areas to which successful financial advisors pay the closest attention.
To assess risks, review all the data that your firm collects. Follow the flow of incoming and outgoing information to pinpoint all access points and storage mechanisms. For example, analyze to what extent you store data in your office vs. in cloud-based systems.
Reducing risks starts with encrypting data and enacting layers of security safeguards to control the movement of what experts refer to as “personally identifiable information.” Advisors should draft a written information-security policy that governs how they manage such data.
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE), along with information security consulting firms such as TBG Security, provides guidance on developing a written policy. Key issues include risk assessments, incident response and vendor management.
“There’s no grading on a written information-security policy,” Edelman said. “It just has to be in writing, not in your head.”
Vet Your Vendor
As advisory firms increasingly enlist vendors to support various aspects of their business, cybersecurity takes on an added dimension. That’s because if a vendor experiences a data breach, regulators may hold the advisor accountable.
“It’s not just who you are, but who you do business with,” said Alex Kasdan, senior managing director at DelMorgan & Co., an investment banking firm based in Santa Monica, Calif. Kasdan recently moderated a webcast on mitigating cybersecurity risks.
Before hiring vendors, do due diligence. Confirm that they have a written policy that describes their data security protocols and ask whether they have insurance that covers cybersecurity breaches — a product that advisors can buy as well from insurance agents specializing in data security.
“Also ask a vendor if your data would be hosted in the United States,” Edelman said. “If the answer is no, you could be putting your client data at risk.”
Once you hire a vendor, stay attuned to developments on the cybersecurity front. Every year, ask vendors if they have sustained any data breaches and inquire about proactive measures they’ve taken to strengthen their defenses.
Periodic visits to vendors’ offices can help you evaluate their rigor in managing and protecting your data. If they let their employees access your data remotely, check whether staffers use their own devices as opposed to company-owned computers. And note what steps they’ve taken to stop unauthorized access to storage systems and confidential data.
When, Not If
When advisors weigh cybersecurity threats, they may focus on prevention. But preparing a seamless response to a severe hack poses an equally important challenge.
A business continuity plan kicks in after such an emergency. In June, the SEC issued a proposed rule to require registered investment advisors to adopt written business continuity and transition plans. They are designed to preserve the continuity of a firm’s services not just after a cyberattack, but also after a natural disaster or the sudden death of key personnel.
To test your plan, stage what Edelman calls “a fire-drill exercise.” Lock yourself out of your office. Or imagine a fire destroyed your workplace.
“Faced with that kind of disruption, stress-test your plan so that you and your employees know what to do,” Edelman said. “It’s not difficult or expensive to have a business continuity and incident response plan in place. The smaller the firm, the lower the cost.”
Elements of the plan include identifying where you and your staffers would work if your office becomes unusable, how you would access data remotely and securely (would you remember all the passwords?), and how you would obtain digital backups of your files.
Even if you adopt sophisticated measures to assess and address various risks, you still need to educate your employees. Train them not to use an unprotected public internet connection to do work. And insist that they call clients to confirm an action such as a change-of-address request, rather than rely solely on email.
“It’s not a question of whether you will have a breach,” Kasdan said. “It’s when.”