Financial advisory firms will have read about the cybersecurity threats facing their industry, but being aware of the risks is only half the battle. The other half involves preparing for them. How can investment firms protect themselves when the cybercriminals come calling?
Larger companies will have their own security experts, says Christopher Budd, global threat communications manager with Trend Micro Inc., a security software company headquartered in Irving, Texas. For smaller advisory firms with no internal IT team, the onus is on them to come up with a security plan. Luckily, there are some steps they can take which will go a long way towards protecting them.
Develop best practices
"For a small financial advisor with no IT department, be on platforms and applications that are fully up to date and supported," Budd says. "Don't be running Windows XP."
This ties in with guidance from the Investment Industry Regulatory Organization of Canada (IIROC) on cybersecurity. "Our Cybersecurity Best Practices Guide refers to the top four cybersecurity strategies that will mitigate at least 85% of targeted cyber intrusions," says Wendy Rudd, senior vice president for member regulation and strategic initiatives at IIROC.
IIROC took these four tips from the Australian Signals Directorate (ASD). They include:
- patching operating systems with regular software updates;
- patching software applications with regular updates, which can fix security vulnerabilities;
- application whitelisting, which restricts the software that can run on a company's computers so that only those from an approved list will operate;
- limiting administrative privileges by allowing only trusted personnel to configure and manage their computers.
Susan Copland, managing director at the Investment Industry Association of Canada, has some other pointers, including creating strong passwords for all devices and updating them regularly. ‘Strong' in this context means words that aren't found in the dictionary, and which include numbers, capital letters, and symbols.
Other measures include ensuring that antivirus software on devices is up-to-date and signing out of programs when they're not in use. A little scepticism goes a long way too, Copland points out; avoiding suspicious emails and attachments can prevent problems arising in the first place. Dealers should also follow the training and protocols put in place by their firms to protect confidential information, she adds.
A bigger plan
Such operational pointers are useful, but should be part of a broader cybersecurity governance policy. The IIROC best practices document points to the cybersecurity governance framework used by the U.S. National Institute of Science and Technology (NIST). This framework recommends several steps to effective cybersecurity governance, including identifying vulnerabilities in the organization and the threats that could exploit them, and assessing the largest risks so that you can prioritize them.
Companies must then create an ideal risk profile, showing where they would like their cybersecurity capabilities to be, and identify the areas they must improve on to get there. This will give them an action plan, the IIROC document says.
Finally, companies must have an incident response plan – a playbook to turn to if their systems are compromised. When an attack occurs, a range of tasks must quickly be dealt with, ranging from the technical (the attack must be contained and then eliminated) through the forensic (evidence must be gathered), to customer relations and legal preparations. Identifying and training the people responsible for these tasks before disaster strikes will save valuable time.
No sure thing
There is no such thing as 100% cybersecurity, according to Copland. Instead, she prefers to call it "cyber resilience". For advisors, it's a case of mitigating risk to an acceptable level.
It is especially important for financial advisors to understand the ramifications should they not employ measures like these, warns Marcus Troiano, senior cybersecurity consultant at Milpitas, Calif.-based cybersecurity company FireEye, Inc.
"Financial advisors, like all Canadian businesses, should also be aware of the upcoming mandatory breach notification that was introduced last year when parliament amended the Personal Information Protection and Electronic Documents Act (PIPEDA)," he says.
Once the regulations are finalized, Section 10.1 of this law will require organizations to notify both affected individuals and the federal privacy commissioner of any breaches that create a real risk of significant harm.
Regardless of the measures in place, it is entirely possible that attackers will get through an advisor's defenses. What then? Cyber-risk insurance is a possibility. Insurers can provide multiple insurance agreements to cover the various implications of a hack, including liability to customers and internal expenses, fraudulent transfer of funds, and business interruption.
Ideally, it will never come to this, but cybersecurity is all about risk. Mitigating the risks at all possible stages – from prevention through compromise to post-attack cleanup and financial impact – will help to protect advisors and minimize losses.