Cybersecurity: Trust, But Verify by Jordan M. Roberts, Black Cypress Capital
The Problem of Cybersecurity
As the use of technology in the investment industry increases, so too do the opportunities for criminals to take advantage of that technology. In 2014, the FBI’s Internet Crime Complaint Center received 269,422 complaints with an adjusted dollar loss of $800,492,073. Because they often hold large amounts of assets, financial institutions can be attractive targets for cyber criminals. In 2015, the Securities and Exchange Commission (SEC) charged a St. Louis-based investment adviser with failure to establish cybersecurity policies and procedures in advance of a breach that compromised the confidential information of thousands of its clients.
Fortunately for investors that work with an investment adviser, there are ways to greatly reduce the likelihood of becoming a victim of cybercrime. It all starts with asking the investment adviser a few simple questions. As Ronald Reagan used to say, “Trust, but verify.” Even investors that trust their advisers should verify that the adviser has appropriate safeguards in place to protect their confidential information. There is simply too much at stake for investors to entrust their money to an adviser with lax cybersecurity measures.
Starting a Conversation
The following questions serve as a good starting point for the conversation investors should have with their advisers regarding the firm’s cybersecurity measures.
1. Do you have cybersecurity policies in writing?
If an adviser does not have written cybersecurity policies, chances are good it has not adequately assessed or prepared for the threat of cybercrime. An investor who entrusts his or her money to an adviser without such policies is taking an unnecessary risk. Following Reagan’s mantra of trusting but verifying, investors should ask to see their adviser’s cybersecurity policy and consider whether the adviser’s conduct is consistent with it.
3. Do you encrypt emails that contain personally identifying or confidential information?
3. In many instances, unencrypted emails pose a risk of being viewed by unauthorized persons. While that risk might be acceptable for some emails (e.g. asking a friend about the weather or telling a coworker the printer is out of paper), for many emails it is not (e.g. asking an adviser to transfer assets between accounts). If an adviser does not use some form of email encryption, investors should consider whether the adviser is adequately safeguarding their confidential information. In verifying that their advisers use encryption, investors can review past communications to see if messages containing personally identifying information are encrypted.
4. Do you regularly back up your data?
Ideally, an adviser will regularly and automatically back up the firm’s data to an on- and offsite location. Further, the data should be encrypted as it is in the process of being backed up. With all the important client data they maintain on their systems, advisers simply cannot afford to lose confidential information by failing to back it up.
5. Do you use some form of password management?
Password management programs can reduce the risk of a client’s confidential information being compromised due to weak or repetitive passwords. Many advisers use web-based platforms to deliver advisory services to their clients. These platforms often require advisers to log in with a username and password. Some custodians, for example, allow advisers and clients to log into their websites and execute transactions such as trades and asset movement. An adviser with weak or repeated passwords increases the risk of unauthorized persons accessing these platforms. Additionally, investors should inquire as to whether an investment advisory firm centrally manages all its employees’ passwords. Even a single employee with weak passwords can increase the risk that a firm’s data will be compromised. Central password management mitigates that risk by allowing firms to regularly change passwords and requiring employees with weak passwords to change them.
Investors place a great amount of trust in their advisers by allowing them to manage their assets. Despite their trust, investors should still verify their advisers’ claims about cybersecurity. The first step in that verification is simple and straightforward. By having a conversation and asking for documentation, investors can ensure that their adviser understands the risks of modern technology and has implemented appropriate cybersecurity measures to address them.
For questions about the cybersecurity practices at Black Cypress, please contact the firm’s General Counsel and Chief Compliance Officer, Jordan M. Roberts, at firstname.lastname@example.org or 864-735-8092.