For several years now, including 2023, the SEC has made cybersecurity one of its exam priorities. But we don’t need the SEC to tell us that protecting client data is a top priority. The consequences of a slip in this arena can mean embarrassment, lost business, legal trouble, and even financial loss for your business.
While establishing a tight cybersecurity program requires significant advance work and consistent attention to the future, it offers a number of compelling positives. This includes building goodwill with clients, enhancing trust, and educating clients on a topic that can support other parts of their lives as they navigate our digital world.
At our firm, we have a solid regulatory-driven approach to cybersecurity. In addition, we have added some bells and whistles of our own over the years. We’ve also been exposed to client mishaps in the digital security landscape. Sharing our ideas and responses will help us all — because the savvier we all are, the less profitable hacking becomes. Outstanding cyber awareness is a “public good,” in economic terms.
Know, too, that advisors can be on the hook if they know about poor security practices but fail to do anything about them (more on this later).
Here are some of our tips and tricks to elevate your approach to cybersecurity:
What we do for clients
We maintain a password-secured access list of logins for certain services we use, which is available to three of us at all times. We use two-factor authentication (2FA) for every service where it’s allowed. The 2FA prompt may be pointed at a device that is not mine but instead belongs to one of our administrators. While this may be inconvenient, it can also be helpful, since logins are not always in the control of a single person.
The availability of this login map helped us one weekend when a client reported that she inadvertently gave her bank account information to a hacker. That bank account was linked to her investment account at Charles Schwab & Co. On a Saturday, one of us immediately severed the link between that bank account and her much larger balance in her investment account, as a preventative measure.
Safety before convenience
The attempted bank hack against our client made us think about clients with investor checking accounts linked to their managed investment accounts. Some of these have automatic “top up” features that draw from investment cash to keep a checking account balance at a certain level. We advised our clients with that feature to sever it. Again, this defeats a convenience, but enhances security.
In the same vein, our custodian offers a debit card that charges no foreign transaction fees. This is popular with clients who like to travel overseas. However, we take pains to open a separate account holding only a few thousand dollars to link to these debit cards. If the debit card is misappropriated, access to funds is limited.
Client education around security is crucial. Your client is your partner in keeping their funds safe. You have the knowledge, though — often they do not. We use examples of hacks we read about to write to clients to show what to look for: anyone you do not know asking for funds, emails that seem out of character, links in emails from unknown people or vendors.
We advise checking directly by phone or on a vendor’s website before giving away any information or clicking on a link. Recently our custodian told us of a scam involving a written letter that named real people at the FBI and real people employed by the custodian. The letter was sent to brokerage clients in an attempt to gain access to investment funds. We sent the explanation of the scam to all our clients, and we called any we felt might be particularly susceptible to falling for the subterfuge.
Beyond advising our clients, we follow strict internal guidelines we’ve established.
- We never move money or change withdrawal amounts without speaking directly to the client. No exceptions for any reason.
- We outsource our IT needs to a firm that scans our systems for attempts to hack us. We recently added phishing training and a program that blocks unapproved software downloads on any work device. Updates to software and file backups are automatic. We review monthly reports generated by our IT company of activity on our network and we take time to explore new avenues of protection with them.
- We noted that our custodian does not use a short “time-out” feature when we log in. As a result, once we log into their website, our computers remain logged in even if we are not actively using the site. I frankly don’t know how long we remain logged in; it seems to be a full day. But as a consequence of their lapse, our policy is to make a point of logging out whenever we are away from our screens for any length of time.
- We never use communal computers for any work involving clients. As an experiment while at an investment conference, I used a vendor-supplied computer set up for attendees and was able to simply back-space my way into the last few users’ email accounts. Not good.
- We use an intranet for confidential files. Our choice was Brosix. Of course, placing passwords on files is also a best practice.
- Dropbox is a common service for collaborating on files. However, note that if you install Dropbox on your desktop, all your files are easily accessible by anyone who can access your desktop. Therefore, we keep client data on Dropbox for as short a time as possible, and whatever does reside there permanently is also password protected.
Email accidents waiting to happen
In an incident that is almost embarrassing to relate, my own family’s trust was compromised by one of its trustees, a lawyer. This was not the first time a lawyer had been sloppy with confidential information sent via email, but it was particularly galling since I felt our trustees should have known better.
The situation involved setting up automatic payments, and the lawyer sent all the information involving the trust, the custodian wire information, and my mother’s personal data to us by email, unprotected by a password. In this case, we closed the trust and reopened it under a new number. Remember that if you, as the advisor, know about an incident like this and fail to take action, you can be liable for the consequences.
In another instance involving a professional, a client’s accountant shifted from a large firm to her own business, working out of her home. The accountant emailed our 80-year-old client, copying us, asking the client to email her relevant 1099s. No mention of a password, or secure portal.
I immediately phoned the client — whom I knew would happily send off her 1099s by email to someone she knew — and asked her to take no action. We phoned the accountant and insisted that she set up a secure portal. You should insist that the professionals you work with have rock-solid security practices, and if they do not, educate them!
Stay several steps ahead
It is up to you, the advisor, to collect at least the cybersecurity policies and data protections of any vendor you hire. The SEC is mulling an “outsourcing rule” that would compel due diligence on at least several outsourced RIA functions, so stay ahead of the game and do it now.
These tips are only a small subset of the knowledge we have accumulated in the constantly evolving landscape of data security over the last several years. The effort to defeat attempts to steal funds and data is like a multidimensional chess game: Every move by the bad guys should make you think several steps ahead. And once you do that, be sure your clients know about it. They will thank you.