True North Networks Blog
The Top Dollar Costs for Cybersecurity Breaches and What Independent Financial Advice Firms Should Do
Independent wealth management firms are notorious for talking a good game about cybersecurity while doing frighteningly little to protect sensitive client information. The bottom line is that those poor practices carry hidden risks, threatening the long-term strategic plans of otherwise successful independent broker-dealers and RIAs.
Recent research from multiple sources — including IBM, the Ponemon Institute, and Beacon Strategies — helps fill in the gaps. Taken together, this material shows that wealth management teams vastly underestimate the true cost and consequences of cyber-attacks, that firms and their employees are far too lax on recommended protocols, and that they are in dire need of unified cybersecurity tools with a greater focus on the financial advice industry.
WAITING FOR ATTACKS
That research lays bare the rampant lack of preparedness for cyberattacks in the wealth management industry. It’s no exaggeration to say that many firms and their employees are literally waiting for a data breach to occur.
But the most surprising discovery is that so few of them realize they don’t have to be in that situation. Affordable, effective and efficient solutions do exist for the financial advice space. Of course, like anyone who wants to break a bad habit, the first step is admitting there’s a problem.
Beacon Strategies estimates that 74% of financial advisors have already been the target of cyberattacks, yet a whopping 64% of employees think cybersecurity is not a priority for their firm.
Additionally, leaders at many firms believe that allocating more time and resources to shoring up cybersecurity is unjustified since their firm has not (yet) suffered a data breach. This reveals a dangerous misunderstanding of what’s at stake.
MILLIONS IN LOSSES
No other industry has been as vulnerable to cyberattacks over the last two years as financial services, according to IBM. And the Ponemon Institute found that the average remediation cost per lost or stolen record in a data breach is $141, factoring in direct expenses such as engaging forensic experts and indirect expenses such as lost customers.
Now consider that a single-advisor practice with five employees may have as many as 400 client records. Basic math (400 records at $141 each) suggests that such a practice could lose over $56,000 due to a breach; a seven-advisor RIA with 10 support staff could face over $240,000 in losses; and a broker-dealer with hundreds of advisors could lose millions.
REGULATORS GET READY
A common theme among wealth management firms is lax adherence to protocols. Rules from FINRA, the SEC and assorted state regulators, such as those in New York and Massachusetts, ought to be non-negotiable since those entities have made cybersecurity a top concern.
But far too often overlooked are recommendations by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. The NIST voluntary framework entails best practices on how to identify cyber threats, detect gaps, protect against attacks, respond to them and recover when compromised. Although all those areas are important, “protection” is the heart of the framework.
According to NIST, “protection” involves distinct actions to ensure identity management and access control; cybersecurity awareness and training; risk-based strategies for maintaining the confidentiality and availability of information; rigorous processes and procedures; system maintenance; and audit logs.
The average wealth management firm uses more than 75 different software technologies and has seven different software agents installed on its endpoints for IT and cybersecurity. That makes it cumbersome and time-consuming to protect sensitive data. Worse still, many of those tools were not designed for advice practices.
The Ponemon Institute says that the faster a data breach is spotted and put under control, the less burdensome its cost will be for firms. Beacon Strategies goes a step further and says that, for broker-dealers and RIAs, the best approach is avoiding unnecessary cyber incidents to begin with, namely by adopting a unified platform designed for independent advisory firms.
While it may be debatable which platform is best for every firm and every advisor, there should be no debate that now is the time to act, for both the sake of your business and the best interests of your clients.