Financial advisors need to put cybersecurity plans to the test

Just in the past month, Scott Van Den Berg, president of Century Management Financial Advisors, has added cybersecurity to the firm’s insurance coverage.

Now, in the event there is some kind of breach, the insurance company will help send a team to the office, have bitcoin accounts at the ready in the event of ransomware attacks and help to notify clients according of the event in accordance with regulatory requirements.

It’s all part of multiple protections the Austin, Texas-based firm has put in place in the last four years to ramp up its cybersecurity protections.

Century also has training software to let help all of the firm’s 24 employees identify phishing, ransomware or other risks that could pop up on websites on in their emails.

That’s after the firm already uses technology to help block those risks out. Century recently ranked as No. 4 on CNBC’s FA 100 list of leading financial advisory firms.

“I’m really at peace of mind with the system we have in place,” Van Den Berg said. “We’ve taken it seriously, and I think it deserves that attention.”

Regulators have put all financial advisory firms on notice about these risks.

The SEC has released cybersecurity guidance for the registered investment advisers it oversees. The Financial Industry Regulatory Authority, which regulates broker-dealers, has also issued its own guidance that includes information for small firms with 150 or less registered representatives.

The message: No firm is too small to have cybersecurity protections in place.

“The financial services industry is essential to the economy … We have to be right all the time,” said Tom Price, managing director of technology, operations and business continuity at trade association the Securities Industry and Financial Markets Association. “The bad guys only have to be right once.”

SIFMA has worked with financial firms and government regulators to create cybersecurity simulations that mimic real attacks. This month, the trade organization ran its biannual test, called Quantum Dawn.

It was the first time the simulation was conducted internationally to evaluate what would happen if a malware or ransomware attack knocked major financial institutions offline. The exercise included more than 180 financial institutions and government agencies from more than 12 countries.

The tests are aimed at getting firms to see how well they answer key questions on the fly: How well do they respond to these types of events? Who are the key contacts to talk to in such an event? How is key information escalated within a firm, to the government and law enforcement?

“This is something that the industry needs to prepare for, as we would any other possible crisis,” Price said.

For the average financial advisor and their firm, even what may seem like a small oversight can turn into a big snafu, according to Brian Edelman, CEO of FCI, a cybersecurity company.

“Nothing is scarier than when the FBI shows up at your office,” Edelman said. “If you’re prepared for the regulators or the authorities, it’s the best thing that can happen.

“If you’re not, it’s the worst,” he said.

But if advisors and their firms have a plan in place ahead of time, they will know to take the proper steps when an incident occurs. If a laptop is lost, for example, the firm should already have a way to document that incident and have a system installed so that the machine locks itself, Edelman said.

More from FA 100:
These are the challenges keeping top advisors up at night
Financial advisors need to change to succeed in the next decade
Technology is redefining that client-financial advisor relationship

When it comes to cybersecurity, a lot of the emphasis is still on fundamental efforts: having a corporate firewall, anti-virus protection and a secure computer, he said.

“It doesn’t cost you money to have a password on your computer,” Edelman said. “It doesn’t cost you money to have a PIN on your device or to have your device use biometrics … You have to make sure you’re doing these things.”

Firms also need to have a centralized system in place. That means, for example, having a single button for disabling employees’ access to the systems when they leave a firm.

It all comes back to asking big questions about your business, according to Edelman: How do we protect it, and how do we prove it to regulators and authorities?

Conducting regular tests can help advisory firms identify areas where their plans are weak.

Firms like Eagle Global Advisors, No. 84 on the FA 100 list, are already working to make sure they are up to the test.

In the past four years, cybersecurity has taken a larger role in the Houston firm’s compliance program, according to Steven Russo, a senior partner at the firm.

Now, the firm’s 34 employees have been trained on how to spot risks on top of systems the firm has implemented to test for incidents like phishing. Eagle also has insurance protection in place in case there ever is an incident. The firm’s compliance manual also has a detailed cybersecurity policy.

“In the last four years, you’ve really been able to come up with a policy that is good to protect the organization, but also meets the standards that the SEC is putting out there,” Russo said. “And then you just continually improve it, test it as you go on.”