“Somebody authorized a $50,000 transfer online,” your client says. “And it wasn’t me.”
“I’m on it.”
The first step is clear. You phone the CISO, your firm’s chief information security officer. But do you know what happens next?
If you don’t, you might find out the hard way—which is, after all, the quickest way to lose that client’s trust. For example, do you know the firm’s policy for handling a cybertheft? How about its policy for reimbursing clients when their accounts get hacked? Does it even have one?
Identity theft feels like a high-tech variation of the Malthusian catastrophe: This time, the growth of personal data is overwhelming our ability to protect it.
Marc Goodman is the author of Future Crimes and an authority on cybercrime. He says that one Russian crime syndicate, just one, controls a database with over 1.2 billion unique usernames, all of them compromised.
Scary, right?
I asked him what financial advisers can do about the problem. In general, he recommends that wealth managers become “partners in protecting the families” they advise.
Nice. But I still wanted to understand what happens inside companies when identity thieves pierce client accounts.
Tim Francis, an executive at Travelers, oversees his firm’s insurance products for security breaches and, therefore, understands how different organizations respond.
Companies start by identifying the weak links, he says. “Sometimes, it’s not just one.” The client, company, or a combination of both can be the entry point for cyber thieves.
Policies for reimbursement differ. Some firms even require clients to sign an indemnification agreement, Mr. Francis says. “Some don’t.”
That’s a huge distinction. I bet prospects start evaluating what happens if they get hacked or, given the growth of identity theft, which firms appear most likely to avoid security breaches altogether.
Here’s my question for registered investment advisers: You encrypt emails and establish careful online procedures. But when it comes to Internet security, is your practice keeping pace with broker-dealers?
Probably not, according to the Securities and Exchange Commission. In a recent survey, the agency found that 84% of broker-dealers “require cybersecurity risk assessments of vendors” compared with 32% for RIAs.
What happens if your business partner is the weakest link?
The SEC found other shortcomings: 68% of broker-dealers have CISOs versus 30% for RIAs. Often, chief technology officers handle this function at RIAs. Or their CEOs outsource the job to outside vendors which—ahem—they only “assess” 32% of the time.
Is this good enough?
There’s more. While 89% of broker-dealers audit compliance with online security procedures, only 57% of RIAs do. What happens if the weakest links are sitting down the hall? Are the people functioning as CISOs stretched too thin to keep an eye on them?
In fairness, I know some smaller RIAs are on the cutting edge of security. And, yes, giants such as Morgan Stanley and J.P. Morgan have been at the center of spectacular intrusions.
But if I’m an RIA client, the SEC’s numbers are making me second-guess my decision. I’m wondering if my provider is among those trailing broker-dealers in insurance coverage and written policies and procedures.
Not good.
My view: The SEC’s survey is a wake-up call for all firms making a me-too effort at Internet security. They’ll get crushed as their competitors tout the differences to investors, who are awash in horror stories about identity theft.
Continue reading on the Wall Street Journal.