In my column for The Wall Street Journal, I write primarily for readers who are investment professionals. (Please, no wisecracks that the two are mutually exclusive.)

The first six paragraphs from my column about cybersecurity, which was published on February 17, 2017, describe regulations that govern what financial advisers must disclose when their firms get hacked.

You might not care about the inside baseball of wealth management. But I encourage you to continue reading on the Wall Street Journal. (There’s a link at the end of this post.)

Here’s the deal. What I learned from one cybersecurity expert is terrifying, particularly what he said about the most sophisticated hackers, the ones he calls “oligarchs.”

Excerpt from the Wall Street Journal

“Your registered investment advisory firm was hacked last night, and now you’re sitting in an all-hands-on-deck meeting. The CEO is calm. Your crackerjack IT team identified the breach immediately, and technicians are working with custodians to limit the damage and understand exactly what happened.

The good news: No money is missing from client accounts. The bad news: Clients’ names, Social Security numbers, birthdays, and addresses were all taken, as were other details yet to be determined. Your CEO, a true fiduciary, insists your firm has an obligation to notify clients about the hack.

The real question is what to tell them. The statutory requirements are confusing. The impact of the breach may take months to understand as techies try to identify how the hackers breached your perimeter and exactly what they took.

And in the immediate aftermath of an attack, only one thing is clear: If you tell clients “We’ll pay for credit monitoring for 12 months,” then you don’t understand the problem.

Statutory Requirements

Regulation S-P requires wealth-management firms to implement “reasonable safeguards to protect a client’s nonpublic information,” says Brian Hamburger, chief executive of MarketCounsel, which consults with RIAs and broker-dealers about their compliance obligations.

But the Securities and Exchange Commission, which enacted Regulation S-P, doesn’t define “reasonable safeguards” according to Mr. Hamburger.”

More about Cybersecurity

To read about the four categories of cybercrooks (street-corner thieves, blue-collar thieves, white-collar thieves, and oligarchs), click on this link: Cybersecurity: The New Arms Race of Wealth Management.
