The financial services sector is not immune to cybersecurity breaches, but the financial advisors surveyed for Investment Executive‘s 2018 Report Card series are confident their firms are taking the right steps to keep advisors’ data – and those of their clients – secure.
“They do a good job and make sure we meet certain requirements to keep our data safe,” says an advisor in British Columbia with Oakville, Ont.-based Manulife Securities.
To get a sense of how well the sector is doing in keeping a handle on cyberthreats, a supplementary question added to this year’s surveys asked advisors across all four distribution channels – brokerages, mutual fund dealers, banks and insurance agencies – whether their firm’s cybersecurity efforts were adequate to ensure their data and those of their clients are protected.
In response, 97.8% of advisors who answered the question said “yes.” These advisors are confident about their firms’ cybersecurity efforts for the following reasons: financial investments in cybersecurity; strong information technology (IT) teams; and the implementation of password- protected devices and encrypted emails.
“Just getting into our computers is a song and dance in the morning,” says an advisor in Ontario with Mississauga, Ont.-based Edward Jones.
“All our emails are encrypted internally,” says an advisor in Alberta with Toronto-based Assante Wealth Management (Canada) Ltd. “If I don’t want to send something to somebody through email, I can post it on the web [securely] and give the [recipient] a password.”
In some cases, though, advisors’ confidence in their firm’s cybersecurity efforts stem from blind faith that the firm is doing a good job in this area simply because advisors haven’t heard of anything bad happening.
“We have a dedicated team [focused on avoiding breaches],” says an advisor in British Columbia with Vancouver-based Canaccord Genuity Wealth Management (Canada). “Other than that, I don’t know. We’ve never been hacked.”
“I trust our IT team is doing a good job,” says an advisor on the Prairies with Toronto-based Richardson GMP Ltd. “It’s kind of like trusting your doctor with your health. I’d like to think they’re doing a good job. We haven’t gotten any complaints yet.”
Ali Ghorbani, director of the Canadian Institute for Cybersecurity (CIC) – a centre for cybertechnology research at the University of New Brunswick in Fredericton – says Canadian financial services institutions are well aware of the enormity of cybersecurity and have made significant investments in it. However, he cautions advisors against being complacent about their firm’s cybersecurity efforts.
“[Cybersecurity is] basically risk management; nothing is foolproof,” says Ghorbani, who also holds the position of Canada Research Chair in Cybersecurity.
Indeed, two of Canada’s banks – Toronto-based Bank of Montreal and Simplii Financial, a division of Toronto-based Canadian Imperial Bank of Commerce – made headlines this year for experiencing cybersecurity breaches.
One of the ways financial services firms are trying to avoid breaches is through investments in research and partnerships. Toronto-based Toronto-Dominion Bank (TD), for example, joined the CIC in April 2018 and opened a cybersecurity office in Tel Aviv in 2017.
“I believe we are as strong in [cybersecurity] as any other bank,” says an advisor in Ontario with Toronto-based TD Wealth Financial Planning, a division of TD. “We recently purchased a firm in Israel. We take it seriously.”
Israel is well known for its cybersecurity prowess and has drawn much attention from Canadian financial services institutions, particularly the banks. For example, Toronto-based Bank of Nova Scotia began working with an Israeli fintech venture fund and cybersecurity thinktank in December 2017. As well, Toronto-based Royal Bank of Canada (RBC) recently invested $2 million in the Ben-Gurion University’s Cyber Security Research Center.
“We’re trying to focus some of those strategic academic partnerships to help us drive our security agenda and strategy,” says Adam Evans, vice president, cyberoperations, and chief information security officer with RBC, “and help us mature our capabilities for what we believe the challenges are coming down the road at us over [the next] three years or even five years.”
RBC also trains its employees so they are aware of the potential dangers to their digital information. For example, Evans speaks with employees about common tactics or breaches that have gained media attention. The bank also holds training sessions about new tools and techniques, such as compromised emails used by would-be hackers to access the bank’s systems.
“[The firm] is very proactive with the phishing emails,” says an advisor in Ontario with Mississauga, Ont.-based RBC Life Insurance Co. “They test us all time.”
Education is one of the most important aspects of having a solid cybersecurity strategy and is something that needs to be embraced by an entire firm, according to the Investment Industry Regulatory Organization of Canada (IIROC) .
“It’s not just an IT issue,” says Louis Piergeti, vice president, financial and operations compliance, with IIROC. “It’s a shared responsibility of employees who work within the firm.”
To that end, IIROC recently held tabletop exercises with senior staff at small and mid-size firms to help them strengthen their cybersecurity efforts and to ensure they have proper frameworks in place.