David Macknin has been asking around about how financial service companies view, and handle, the burgeoning threat of cyber-theft.
Apparently, many firms aren’t taking the threat as seriously as experts say they should.
“Interestingly, here are the top five objections that our team has heard from companies,” states Macknin, president and chief executive officer at the Chicago-based insurance brokerage Alper Services.
- “We checked with our IT Consultant and he said that we are secure and not to worry.”
- “We don’t control our IT in house... we use a third party to help us.”
</grouped>
- “All of our info is in the cloud so it is safe.”
- “We don’t have any sales over the internet.”
- “We have a firewall and virus detection program.”
Those responses indicate a “head in the sand” attitude, both optically and operationally, toward cyber-breaches at financial services firms.
That’s not just the information technology community talking – Uncle Sam feels the same way.
In a webcast earlier in April, Andrew Ceresney, head of the U.S. Securities and Exchange Commission’s Enforcement Division, had a blunt message for money management firms on the topic of data security – you had better have all your ducks in a row, or else.
"Cyber is obviously a focus of ours, as I know it is for the other divisions, and we've brought a number of cases there relating to failure to have policies and procedures relating to safeguarding information," Ceresney says in the webcast. “There will be others coming down the pike.”
The SEC has turned to a new cyber-security enforcement tool to compel better customer data protection at financial firms – the Regulation S-P privacy rule, which the SEC can and will use to take regulatory enforcement action against brokers and advisory firms that don’t wall off cyber-criminals from client data.
There will likely be more enforcement actions coming, Ceresney says, adding that some companies have already been through the wringer.
On Sept. 22, the Securities and Exchange Commission settled charges brought against R.T. Jones, a St. Louis-based investment advisor that “failed to establish the required cyber-security policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients,” according to an SEC statement.
Specifically, R.T. Jones failed the PII mandate in three key ways, according to the SEC order:
- R.T. Jones stored sensitive PII of clients and others on its third party-hosted web server from September 2009 to July 2013.
- The firm’s web server was attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.
- The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cyber-security incidents.
Even if investment firm clients aren’t directly impacted by cyber-crimes, financial services companies can still be held liable. “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” notes Marshall S. Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit.
“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cyber-security events and have clear procedures in place rather than waiting to react once a breach occurs.”
Tips To Better Safeguard Client Data
Investment firms that haven’t implemented adequate cyber-security safeguards don’t have to break into a cold sweat just yet – the SEC admits staffing constraints limit it to examining only up to 10% of all registered advisors annually.
But don’t get too comfortable, financial technology security specialists say. There are things you can do right now to better safeguard client data, and keep the SEC off your back.
“Cybercrimes are costing the global economy nearly half a trillion dollars a year, according to the insurer Allianz,” says Kris St. Martin, vice president of insurance and bank program director at CBIZ, a business consultancy based in Cleveland, Oh. “The persistent threat of Internet attacks is no longer simply an information technology issue; it has become a business issue facing all industries, especially the financial services industry.”
St. Martin offers a few specific tasks for financial advisory firms (and other financial industry firms, for that matter) to beef up their company’s cyber-wall.
“Take caution,” St. Martin says. “Should employees be permitted to use personal devices to connect to the network? It could inadvertently open financial institutions to additional risks. Institute a cyber-security culture, coming from the board down, and integrate cyber-security into your enterprise risk management (ERM) program.”
Also, explore cyber-security insurance. “Consider your cyber-security insurance requirements and coverage as you respond to a breach,” St. Martin adds. “Cyber liability insurance is not standard and can come with procedure requirements and exclusions of coverage. Knowing your insurance will help avoid claims being denied.”
A Vulnerable Industry
“Financial advisors and other professionals are at increasing risk of classic cyber attacks, in which hackers seek to steal confidential data for financial gain,” says Laura E. Jehl, partner and co-chair of Sheppard Mullin's Privacy and Data Security, in Washington, D.C. “Verizon's 2016 Data Breach Investigations Report, released this week, shows attacks on the financial industry far outpace those on other industries. These attacks most often originate through increasingly sophisticated phishing and social engineering schemes, in which employees are induced to click on links, download seemingly innocuous attachments, or transfer funds or confidential files.”
To protect your investment firm from these kinds of attacks, Jehl also offers some specific advice:
Keep confidential data encrypted, whether in transit or at rest, to the greatest extent possible. “Encryption can be expensive and cumbersome, but it’s the most secure way to ensure that your data cannot be used by those who access it,” Jehl explains.
Make sure that all employees are aware of the threats and methods of cyber attack and how to follow sound cyber-security policies:
Train - and remind - your employees about the dangers of phishing attacks, including those that appear to be urgent requests from your company's top executives or important customers, often instructing employees to transfer money.
“The best training involves sending your employees simulated phishing emails to test their responses; according to the Verizon report, on average 13 percent of people click on phishing links or attachments, enabling malware,” adds Jehl.
It’s also a good idea to ensure employees verify the identity of the sender of any links and attachments before clicking or downloading, and especially before transferring any funds or files containing confidential data, Jehl notes.
Financial Firms On Notice
Make no mistake, the SEC has investment advisory firms on notice when it comes to cyber-safety protection. Don’t find out the hard way, as R.T. Jones did – use the tips above to keep your client data safe and secure, and Uncle Sam off your cyber-back.
Brian O'Connell is a former Wall Street bond trader and author of best-selling books such as The 401k Millionaire. He's a regular contributor to major media business platforms. He resides in Doylestown, Pa. Brian may be reached at [email protected]
© Entire contents copyright 2016 by AdvisorNews. All rights reserved. No part of this article may be reprinted without the expressed written consent from AdvisorNews, powered by InsuranceNewsNet.