3 Data Breaches That Impacted Financial Advisory Firms

Craig Pollack | Apr 05, 2018

One of the most frequent concerns among prospective and current clients is the rise of data breaches affecting financial advisory firms and other financial industry businesses. Financial advisory firms are a prime target for many hackers for a very obvious reason: they house a wealth of invaluable personal and financial data. Attackers simply go where the money is.

An additional reason for this specific targeting is that not all financial firms are up-to-date on the best cybersecurity practices, leaving them vulnerable to attack. Although no business, regardless of size, is 100% impervious to cyber attacks, businesses can at least ramp up their efforts to slow attacks so their IT staff or their managed IT service provider has time to respond: they can invest in building out and developing their IT security infrastructure and technology with the help of managed IT security services.

Managed security services can help your company prevent cybersecurity events, detect and prevent intrusions and hacks, and also recover quickly should an attack take place. At FPA, these types of services include:

  • Managed Intrusion Detection & Intrusion Prevention Services (IDS/IPS);
  • Managed Malware;
  • Managed Firewall;
  • Managed Authentication;
  • Managed User Security Awareness Training;
  • Managed Dark Web ID Monitoring;
  • Managed Security Information & Event Management (SIEM);
  • Managed Encryption; and
  • Managed Security Assessment.

According to Symantec’s Internet Security Threat Report (ISTR) Financial Threats Review 2017:

“Financial institutions have increased security measures in their interactions with customers and also on their own infrastructure and backend systems. However, the cyber criminals have adapted their attacks and are mimicking customer behavior as closely as possible and attacking the institutions themselves.”

But, how do these attacks occur? Some of the most frequent methods of cyber attacks that focus on financial advisory firms include:

  • Social Engineering: This method, commonly called “phishing,” involves sending or planting malicious content for users to click on, download, and run on their device via a seemingly innocent email or advertisement. By and large, phishing is viewed as the biggest cybersecurity threat to financial advisors and their clients.
  • Internal Threats: Some of the most impactful threats to your firm’s security originate within the organization itself. These can arise from simple human error and a lack of cybersecurity knowledge, or they can be intentional crimes, such as theft, cybervandalism, and insider trading.
  • Malevolent Actors: Hackers who don’t want to attack through the other mentioned channels often will take a more direct approach.

I’d like to take a few moments to cover some of the most impactful data breaches that have affected the financial advisory industry within the past few years.

1. Equifax

The financial information of 145 million Americans was reportedly exposed during a data breach of Equifax in September 2017. Recently, that number grew to 147.9 million when Equifax reported that another 2.4 million previously undisclosed Americans were impacted by the massive breach (although this “only” exposed their names and partial driver’s license info).

2. Internal Revenue Service

It’s bad enough that the Internal Revenue Service (IRS) was hacked in 2015, resulting in the info of potentially 724,000 taxpayers being stolen. However, what makes it worse is that the government organization was actually hacked again the following year, when the Social Security numbers of at least 464,000 U.S. taxpayers were exposed.

3. U.S. Securities and Exchange Commission

In fall 2017, the U.S. Securities and Exchange Commission (SEC) faced embarrassment by having to admit that it, the agency that issues guidelines for how businesses should disclose data breaches, fell victim to a data breach. As it turns out, the SEC’s EDGAR (Electronic Data Gathering, Analysis and Retrieval) network was hacked, providing the thieves with access to “nonpublic information” that may have enabled them to make illegal profits through trading.

Now in 2018, the SEC recently rolled out new guidance about reporting data breaches. While the guidance is slightly more straight-laced than its predecessor, it still leaves much to be desired in terms of holding businesses accountable for failing to disclose cybersecurity risks and data breaches.

Unfortunately, the SEC’s new guidelines don’t hold a candle to the data privacy regulation in the European Union (EU) General Data Protection Regulation (GDPR), which will roll out on May 25. The EU GDPR is designed to protect and empower citizens in ways never before seen.

It is important for financial advisory firms or any businesses in the financial sector to build their defenses with data privacy and cybersecurity in mind. Contact FPA today to see how our managed IT security services can help your financial advisory firm prepare for a future cyber attack.

How have these major breaches affected your organization’s approach to cybersecurity? What has worked for you or what would you want to do differently in the future? Be sure to share your thoughts in the comments section below or send me an email to discuss this topic more in-depth.

Author

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.