Security threats are a primary concern for the financial services industry. The Securities and Exchange Commission (SEC) recently discussed the increasing number of attacks targeting RIAs and broker-dealers.
FINRA is now auditing more firms to determine their ability to protect themselves from security threats. There is a universal mission to make the web a safer place for investment advisors and their clients.
The Enemy Within
In its February 2015 cyber-security report, the SEC found that 4% of RIAs and 11% of broker-dealers experienced internal hacking. In other words, they were compromised from the inside, through employee conduct that was either intentional or accidental.
To prevent breaches from inside, experts recommend that RIAs do the following:
- Discuss security threats with employees
- Carefully monitor employee activity on the Internet
- Implement firm policies to deter potential data theft
In early 2015, Morgan Stanley revealed that one of its advisors allegedly stole information from 350,000 clients. The broker in question, who was fired, denied selling the data, but it appeared on a file-sharing site. Even if a third party had gained access to his computer to sell the information, the result was still the same.
As a result, many security solutions intended for registered investment advisers and brokers are being upgraded to include measures against internal hacking. Every time an RIA logs on to the system, the IP address, location, device type, and time of access are recorded. Any suspicious login attempts are investigated immediately. At larger companies, compliance or information officers can monitor the Internet activity of each employee.
Sometimes the weak link in the chain of cyber-security is the client. “Phishing” attacks, in which cyber-criminals present themselves as trustworthy parties to steal usernames, passwords, and financial data, are growing in both sophistication and frequency.
Some hackers will go so far as to collect personal client details on social media so that they can craft a believable email. This approach, known as “spear phishing”, has an alarmingly high success rate. Once the criminal has control of the client’s email account, they will communicate with the advisor and even make successful requests to transfer money.
To deal with this growing threat, RIAs should require email encryption software or even instruct clients to log into an online portal to view communications and other information. The risk of a successful spear phishing expedition can be further reduced if the advisor explicitly states to clients that they will never request personal information in emails.
When hackers target larger companies, password theft is one of their key objectives. As a result, more and more Los Angeles RIAs are opting for two-factor authentication. This requires the advisor to enter a password and supply a secondary verification, such as a code texted to their mobile phone. It is proving to be an effective way of deterring attackers who have stolen passwords.
RIAs and company compliance officers are responding to security threats by assessing the effectiveness of their current cyber-security programs and implementing necessary protocols. They are also adopting stricter policies and procedures to protect client data.
Vigilance will always be necessary, as attackers are constantly evolving their approach, but it is the accepted cost of doing business online.