As a registered investment advisor (RIA), you’re not only expected to protect your clients’ data from a professional standpoint; it’s actually your fiduciary duty to do so. But carrying out this responsibility is a lot easier said than done in today’s “always on” environment of virtual connectivity.
According to the U.S. Securities and Exchange Commission (SEC), investment advisors have a “fundamental obligation to act in the best interests of your clients,” which includes safeguarding the privacy of their client records and information.
As an IT security expert in the Los Angeles area for more than 25 years, I’ve heard my fair share of questions and concerns from LA RIAs about cybersecurity: how they can effectively protect the data of their firms and clients, and why it matters.
Here are a few of the reasons why you should be concerned about client data protection and what you can do to increase your cybercrime prevention efforts:
1. It’s Your Responsibility to Secure Client Data
As mentioned above, it’s your duty to ensure that client data is secured as well as possible at all times. Recognizing the importance of this responsibility, industry organizations are working to increase awareness among professionals within the industry.
For example, Securities Industry and Financial Markets Association (SIFMA) chair Lisa Hunt said the organization’s focus in 2018 would be increasing the security of client data:
"Our ability to capture data has never been easier, but our responsibility to protect that data has never been more important… We need to ensure as an industry that our clients' data is protected and safe at every turn. We can't make things better for our clients, we can't make things easier for our clients, if we make them more vulnerable."
According to data from the Identity Theft Resource Center (ITRC), there were 1,579 reported breaches in 2017 alone, exposing 178,955,069 records. That is a significant increase — nearly 45% — over the numbers reported the previous year.
The risks of data breaches are huge, and the costs to businesses that experience these attacks are enormous. According to research by IBM and the Ponemon Institute, the global average cost of a data breach in 2017 was $3.62 million, with each lost or stolen record having an average price tag of $141.
2. Existing Protections May Not Be Enough
The second reason why data protection needs to be taken seriously is that today’s virtual environment is rife with cyber threats — hacks, viruses, phishing emails, and ransomware — and they are growing daily. Small and medium-sized businesses (SMBs) around the world are continuously being attacked by cybercriminals. What’s truly disturbing is that of the SMBs that experience a data breach, 60% end up closing their physical or virtual doors within six months.
Part of this vulnerability, and of the rise in attacks on SMBs, can be attributed to a false sense of security about the cybersecurity measures they have in place. What many business owners and employees may not understand is that a software-based antivirus or firewall on its own may not be enough to defend against many attacks.
Single-layer security measures, such as those just mentioned, can be effective against specific forms of attack. However, these singularly focused approaches are simply ineffective against most modern malware. This is why I always tell my clients that it’s important to implement an in-depth, layered approach to cybersecurity defense through the use of managed IT security services.
Layered security is a broad category that includes:
- Risk assessments and vulnerability testing;
- A firewall;
- Antimalware software;
- Antivirus software;
- Automated alerts and responses;
- Network monitoring;
- Remediation recommendations and implementations; and
- Regular network, server, and device updates and patches.
This layered protection helps cover your business against threats that can arrive through a variety of endpoints and routes of access. It can also help you protect your business against, or limit the damage from, internal threats such as employees who are unaware of the dangers or those with malicious intentions.
3. The EU’s GDPR Will Soon Become Effective
The third reason for investment advisors to take client data protection seriously is that we’re on the cusp of the launch of the European Union’s new General Data Protection Regulation (GDPR). This new regulation, which becomes effective on Wednesday, May 25, protects the rights and privacy of “data subjects” (any European Union citizen), including their right to have their data “forgotten.”
“But, Craig,” you may say, “we live in the United States — why should regulations put out by the EU matter to us?” It matters for several reasons, one of which is simply staying up to date on changing regulations. Another, more pressing reason is that if your investment firm handles any kind of personally identifiable information (PII) of EU citizens, the regulation will affect your firm and its data practices even though your company is located in the U.S.
The regulation limits the amounts and types of PII you may process, and that information may only be used for the specific purpose for which it was collected (a purpose you must disclose to the data subject when collecting it). As such, you can’t reuse the information for other functions or purposes.
All of this means that, as noted in a Forbes article, “any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations.” If a company, non-profit, or other organization is found to be non-compliant, it could lead to significant fines.
The list above gives just a few of the reasons why investment advisors need to take the responsibility of protecting clients’ data seriously. Ask yourself: should a data breach occur at your firm (which, statistically, is likely, since there is no way to prevent 100% of all attacks), are you prepared? And, more importantly, would your clients’ data be secure?
In an increasingly connected and virtual world, it’s imperative for RIAs to ensure that their businesses, devices, networks, and employees are prepared for the threats that exist — and to be as prepared as possible for the threats that are still to come.
What are your top three reasons for why RIAs need to make client data security a priority for their firms? Share your thoughts in the comments section below or send me an email to discuss this topic more in-depth.