Cybersecurity and the Financial Planning Profession: Keeping Data Safe and Protecting Your Clients
Cybersecurity should be an issue of central focus for financial planners and their firms to protect clients, their data and their assets.
Financial planners are on the frontlines of America’s wealth. This makes them and their firms a high value target for cybercriminals operating on the fringes of the internet. That’s the picture painted by Brian Edelman, Chief Executive Officer of FCI, a nationally recognized cybersecurity firm that specializes in advising financial services firms on their cybersecurity and data privacy practices.
According to software firm VMware, the number of cyberattacks on the financial sector accelerated at the start of the pandemic, growing by 238% between the beginning of February and the end of April 2020. More recently, the cyber and intelligence unit of BAE Systems found that 74% of financial institutions have experienced a rise in cyberattacks since the pandemic began.
These figures, combined with a spate of high-profile cybersecurity incidents throughout the spring and summer, such as the ransomware attack at IT-provider Kaseya around the July 4th holiday, add a sense of urgency to an issue that should be of central focus for financial planners.
As part of its Code of Ethics and Standards of Conduct, CFP Board requires reasonable steps to protect the security of non-public client information stored electronically (see Standard A.9.c), and regulators such as the SEC and FINRA have released their own guidance on cybersecurity. Financial planners can no longer respond reactively to cybersecurity incidents; they must proactively protect the data of their firms and their clients.
With each high-profile incident, cybersecurity increasingly becomes a topic of board-level conversation at the world’s biggest companies. In the wealth management space specifically, a survey conducted by PricewaterhouseCoopers found that 48% of CEOs at money and wealth management firms consider cyberattacks the greatest threat to future growth prospects. Despite this level of attention from the C-Suite, financial planning firms still need to make progress.
“Unfortunately, one of the biggest mistakes I see is that leadership doesn’t take cybersecurity seriously enough,” shared Edelman, who developed his passion for cybersecurity and data privacy in the wealth management space while working as a second-generation financial advisor with his mother and sister.
“All too many of them say that they’re not ‘techie’ or don’t know enough, so they don’t take the threat seriously,” says Edelman. “Cybersecurity is really a leadership role.”
On the more granular side, Edelman cites password mismanagement and not using multifactor authentication as the advisor mistakes behind the most common breaches. Examples include a password list saved on an internet-connected computer without any protection, or a password handed out to staff members so they can log into the financial planner’s accounts.
“In my opinion, one of the regulatory requirements called multifactor authentication becomes the most important defense for financial advisors when it relates to passwords,” says Edelman.
The National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce that sets cybersecurity standards, defines multifactor authentication as follows:
Multifactor authentication, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence — your credentials — when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card) or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security — so entering two different passwords would not be considered multifactor.
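As an added illustration that is not part of the original article or FCI’s own material, the following Python code turns the NIST definition above into a working check: it refuses to treat two factors from the same category (such as two passwords) as multifactor, and it implements a login that requires both a password (something you know) and a time-based one-time code from an authenticator device (something you have). It goes beyond the quoted definition by implementing the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226); the secret, password and timestamps are constructed sample values, and the verification functions are assumed helpers written for this example.

```python
import hashlib
import hmac
import os
import struct
import time

# The three factor categories from the NIST definition.
KNOWLEDGE = "something you know"    # password, PIN
POSSESSION = "something you have"   # smart card, authenticator app
INHERENCE = "something you are"     # fingerprint


def is_multifactor(categories):
    """True only if the presented factors span at least two distinct categories."""
    return len(set(categories)) >= 2


def hash_password(password, salt=None, iterations=200_000):
    """Store passwords as salted PBKDF2 digests, never in plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 time-based variant: the counter is the 30-second time step."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret, code, timestamp=None, step=30, window=1):
    """Accept the current code plus `window` steps either side for clock drift."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(salt, digest, totp_secret, password, code, timestamp=None):
    """Password (knowledge) plus authenticator code (possession) must both pass."""
    if not is_multifactor([KNOWLEDGE, POSSESSION]):
        return False
    # Evaluate both factors before deciding, so a failure does not reveal which one failed.
    password_ok = verify_password(password, salt, digest)
    code_ok = verify_totp(totp_secret, code, timestamp)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed sample values; the TOTP secret is the RFC 6238 test-vector key.
    secret = b"12345678901234567890"
    salt, digest = hash_password("correct horse battery staple")
    print("two passwords count as MFA?", is_multifactor([KNOWLEDGE, KNOWLEDGE]))
    print("current code:", totp(secret))
    print("login ok:", login(salt, digest, secret,
                             "correct horse battery staple", totp(secret)))
```

The `window` argument is the usual trade-off between tolerating a slightly skewed device clock and widening the set of codes an attacker could guess; one step either side is the common default. A real deployment would also rate-limit failed attempts, since a six-digit code is only 1,000,000 possibilities.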
Client Expectations Have Changed
Clients are also getting smarter about cybersecurity practices. They have gained more experience interacting online over the past decade, as cyberattacks have become more prevalent.
“Throughout the past few years, more and more clients are coming to these cyber incidents armed with their own experiences with breaches — their Facebook was hacked, Google password was stolen,” says Edelman. “Now consumers are starting to ask: What are you doing to keep my private information safe?”
He points to growing public awareness of best practices; financial planners should be ready to answer their clients’ questions.
“Clients are starting to realize that you’re not sending them encrypted emails and their data is just sitting in your inbox ready for anybody to get access to it,” he says. “We’re starting to see a lot of situations arise where advisors are coming to us because their clients are asking these questions.”
Understanding the NIST Framework Outlined by Regulators
When Edelman’s clients are doing the right thing, he says they are usually following the NIST Framework, a guideline for cybersecurity practices and compliance that has been adopted by regulators across industries, including the SEC and FINRA.
According to Edelman, the primary requirements of this framework include:
- Chief Security Officer: Every firm is to appoint someone to take on the role of “Security Officer.” Similar to a Chief Compliance Officer, this person needs to be empowered to make sure that everyone at the firm is following what’s called an Information Security Policy.
- Information Security Policy: This defines how the firm protects its data: how it safeguards information, what to do if there is a breach, how it trains employees, and what it communicates to customers.
- Risk Assessment: It is a regulatory requirement to have a risk assessment that evaluates the unique vulnerabilities of your firm.
These measures provide financial advisors and their firms with evidence of due diligence in the event of a breach. Edelman explains that if a breach is being investigated by the authorities, the advisor may be considered a suspect until they can prove they’ve taken the appropriate safeguards. He adds that this also matters from an insurance perspective, because adherence to the NIST framework is one of the pieces of evidence a cyber insurer may ask for when an advisor applies for coverage of an incident. If they can’t provide that evidence, the advisor is culpable for the loss.
Edelman equates adopting a NIST framework to something financial planners know well: life insurance.
“If you adopt these measures proactively, you’re paying the term premium versus doing it reactively where you could potentially be taking the death benefit,” he says.
Just as the better advisors dig into the data and financial lives of their clients, the firms that are doing things right on cybersecurity are taking the same approach to their cyber compliance policies. The best practice today for firms is to stay current on cyber compliance policies and proactively take steps to improve their practices where needed.