Conducting business in the digital age makes nearly all day-to-day tasks more efficient, cost-effective, and accessible compared to only a few years ago. Clients can complete and sign necessary documents, meet with their advisor, and check live reports on their portfolio from the comfort of their own homes.
Indeed, the convenience of the digital, online age has opened the world of business up to more people and more opportunities than ever before—but it has also left registered investment adviser ("RIA") firms more vulnerable than ever before. The rapid pace of evolution in technology often results in weak points that hackers can exploit to gain access to sensitive client and corporate information.
RIA firms of all sizes face unique cybersecurity risks related to their employees, clients, technology, and third-party vendors. If a firm dropped its guard in any of these areas, the result could be a massive data breach. The danger of a cyber-attack extends beyond exposing sensitive client information—it could bring reputational damage that your firm may never recover from. In addition, in the event of an audit, the Securities and Exchange Commission ("SEC") or state regulators may not take any cybersecurity vulnerabilities lightly. Investment adviser regulators have flagged cybersecurity as an exam priority for a number of years.
Today, we examine the unique cybersecurity issues RIA firms face in three specific areas:
1.) People Risks
One of the most common strategies hackers use to gain access to the systems of RIA firms and other organizations in the financial sector is through phishing campaigns.
In short, a phishing campaign occurs when an email is sent with the intent to trick a firm’s employee(s) into performing some type of action that will allow malware to be installed on the firm’s network. The email often looks harmless and seems to come from someone the employee may know. The address may also look very similar to those used by the firm. For instance, if the firm’s email addresses ended in @sampleria.com, the bad actor may send an email from @sample.ria.mail.com.
As for the email itself, it may say something like, “Hey, have you seen this?” followed by a link. The subject line typically includes the word “Urgent” or “Important.” It sounds too simple to work, right? According to the Federal Bureau of Investigation ("FBI"), phishing was the most common hacker strategy in 2020, and 74% of companies experienced a successful phishing attack. This was due in large part to the shift in remote work caused by the pandemic. In fact, there were eleven times as many phishing attacks in 2020 as there were in 2016.
A common result for RIA firms that fell victim to successful phishing attempts was some form of ransomware. Ransomware technology is designed by hackers to either prevent a firm’s technology from working, hold their data hostage, or even threaten to sell their data, until the firm pays the hackers a certain amount of money.
All it takes is one innocent click to give the hackers the access they need. As a result, your best defense against phishing is educating your people. As they learn to be more wary, your vulnerability in this area will decrease. In addition to educating your team, it is important that you educate your clients on how you will contact them and the information you will request.
You may have seen those notices from the Internal Revenue Service ("IRS") or another institution that say something along the lines of, “We will never request your personal information over the phone.” They do that to protect their clients from people who are impersonating them. Take the same approach with your clients, letting them know exactly how you will get personal information when you need it, and highlighting the ways you will contact them.
2.) Technology Risks
While the people-related risks can be mitigated through education, technology risks can often be reduced by leveraging all the security features offered by your current technology providers.
In May 2019, the SEC released a risk alert highlighting the fact that RIAs were not properly protecting their storage solutions—one of the most sensitive areas to let your guard down. In many cases, the solution was as simple as properly configuring the security settings of the storage solutions.
They highlighted three specific areas that advisors often overlooked:
- Misconfigured network storage solutions: Misconfigured settings are often boiled down to a lack of effective oversight when a storage solution is initially implemented. We recommend that RIA firms which lack the internal resources and expertise to properly install on-premises network storage solutions to utilize a third party resource to assist with the initial installation and ongoing monitoring and maintenance.
- Inadequate oversight of vendor-provided network storage solutions: Many modern cloud-based storage solutions offer a plethora of cutting-edge security features. However, firms need to ensure that these features are properly implemented. When available, RIA firms should be sure to utilize security features such as encryption and two-factor authentication to better protect sensitive data.
- Insufficient data classification policies and procedures: To properly protect sensitive data stored electronically, advisory firms first need to take a step back and properly identify the different types of data stored and the "appropriate controls for each type of data."
Take the time to review your security settings on all storage solutions to ensure you are leveraging the protection you’re already paying for.
3.) Third-Party Vendor Risks
Often, people use the same username and password across multiple systems to make it easier for them to remember. Unfortunately, that kind of convenience can come at a very high price thanks to a common hacker approach called “credential stuffing.”
Credential stuffing is when a hacker uses a spreadsheet full of login information they procured in a previous attack to try to gain access to other systems. They will make countless attempts to gain access using every password they have.
So, what does this have to do with third-party vendors? According to the SEC:
Firm’s internet-facing websites (including systems hosted by third-party vendors) are the most vulnerable because if compromised, attackers can initiate transactions and/or gain access to non-public information.
Login sites such as your client portal unfortunately create highly valuable entry points for hackers.
The SEC also highlighted that third-party vendors are an increased point of risk for advisors and investors as often times sensitive information is stored on a third party vendor's systems. Furthermore, with the shift to remote work came an increase in communication via non-official channels such as texting and sending documents via Zoom chats.
With all the convenience of the cyber age, it is crucial that advisors still slow down and consider their security at every point—for your clients’ sake, and for your own.