It’s October: that time of year when anonymous, often scary creatures turn up at your doorstep in search of spoils. For IT specialists overseeing their firm’s cybersecurity, this scenario can play out 24/7/365, not just on Halloween.
As regulators deploy broader guidelines and cybercriminals become increasingly adept at circumventing barriers, guarding against breaches is a constant concern in the wealth management industry. In the alternatives space, both investors and asset managers are focused on all elements of risk surrounding these complex vehicles, particularly as interest grows among retail investors. As in most industries and business sectors, cyber risk is ranked high on their list of concerns.
October has been designated Cybersecurity Awareness Month, reminding the average online user of digital dangers lurking in the shadows. Cybersecurity can be particularly challenging because humans often lack the training—or the discipline—to consistently be the first line of defense against cybercrime. Financial services firms must constantly assess their cybersecurity technologies, protocols and controls to comply with more stringent regulatory standards and ensure they can defend against increasingly sophisticated cyberattacks. What areas for improvement are most often uncovered in these self-audits, and how can firms address such gaps in a cost-effective and efficient way?
Three industry specialists offer their informed insights below:
- John Messinger, Information Security Officer, FusionIQ, a leader in the delivery of cloud-based wealth management solutions
- Robert S. Jersey, CEO and President, Gar Wood Securities, a broker-dealer specializing in agency brokerage transactions in securities and futures
- Sander Ressler, Co-Owner and Managing Director of Essential Edge Compliance Outsourcing Services, a strategic consultancy specializing in compliance and regulatory affairs for broker-dealers and RIAs
John Messinger: An often-overlooked risk is the use of productivity and coordination applications. Many firms focus on traditional vendors when assessing risks, but they often miss “free” or low-cost third-party applications like meeting request tools, CRM integrations, browser extensions or even email applications on personal devices. These tools may have access to emails, calendars, or other sensitive data, potentially storing it outside of the company’s approved infrastructure or sharing it with third parties.
For example, the extension that reviews your text for sentiment, corrects grammar and provides editing may have access to everything in your browser, including sensitive client data. This data could be sold, used for marketing or even integrated into machine learning models without the firm’s knowledge. To address this gap, companies need to implement stricter policies for vetting and approving third-party applications. This can be done cost-effectively by limiting the use of third-party applications, regularly reviewing app permissions and educating employees on the potential risks associated with seemingly harmless productivity tools.
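One concrete way to act on the "regularly review app permissions" advice above, as an added example that is not code from FusionIQ or any of the panelists: a short Python audit of browser-extension manifests that flags broad host access and high-risk API permissions. The manifest keys (`permissions`, `host_permissions`, `content_scripts`, `matches`) are the real Chrome `manifest.json` fields; the extension names and sample manifests are constructed for illustration, and which permissions count as high-risk is this example's assumption, to be tuned to the firm's own policy.

```python
import json

# Assumed high-risk set: APIs that let an extension read or alter browsing data,
# user input, or network traffic. Tune to your firm's policy.
HIGH_RISK_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "history", "clipboardRead", "cookies", "scripting", "debugger",
    "nativeMessaging", "management", "downloads", "webNavigation",
}

# Host patterns that match every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(p):
    """MV2 manifests mix host patterns into 'permissions'; tell them apart."""
    return p == "<all_urls>" or "://" in p


def _host_patterns(manifest):
    """Collect host patterns from MV2 'permissions', MV3 'host_permissions',
    and every content script's 'matches' list."""
    patterns = {p for p in manifest.get("permissions", []) if _is_host_pattern(p)}
    patterns.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return a list of human-readable findings for one manifest dict."""
    findings = []
    api_perms = {p for p in manifest.get("permissions", []) if not _is_host_pattern(p)}
    for p in sorted(api_perms & HIGH_RISK_PERMISSIONS):
        findings.append(f"high-risk API permission: {p}")
    broad = sorted(_host_patterns(manifest) & BROAD_HOST_PATTERNS)
    for h in broad:
        findings.append(f"broad host access: {h}")
    if broad and manifest.get("content_scripts"):
        findings.append("content script injected into every page "
                        "(can read page content and form input)")
    return findings


def audit_manifests(manifests):
    """Map extension name -> findings for a batch of manifest dicts."""
    return {m.get("name", "<unnamed>"): audit_manifest(m) for m in manifests}


# Constructed sample manifests (not real extensions).
GRAMMAR_HELPER = {
    "manifest_version": 3,
    "name": "Grammar Helper (constructed sample)",
    "permissions": ["storage", "tabs", "clipboardRead"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

LEGACY_TRACKER = {
    "manifest_version": 2,
    "name": "Legacy Tracker (constructed sample)",
    "permissions": ["webRequest", "webRequestBlocking", "http://*/*", "https://*/*"],
}

TICKER_WIDGET = {
    "manifest_version": 3,
    "name": "Ticker Widget (constructed sample)",
    "permissions": ["storage"],
    "host_permissions": ["https://quotes.example.com/*"],
}

if __name__ == "__main__":
    # A real run would load each installed extension's manifest.json from disk.
    report = audit_manifests([GRAMMAR_HELPER, LEGACY_TRACKER, TICKER_WIDGET])
    print(json.dumps(report, indent=2))
```

Point the script at the manifest directories of the browsers your firm manages and anything with a `<all_urls>` content script or a network-interception permission is a candidate for the vetting process the panelist describes; an empty findings list (as for the ticker widget) is what a narrowly scoped extension looks like.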
Robert Jersey: We don’t have to look far to see the pervasiveness of cyberattacks in every industry. I frequently receive notices that my personally identifiable information (PII) has been accessed in some kind of security breach. With so much sensitive information in the financial services industry, it’s imperative that firms conduct routine self-audits and third-party audits to ensure security protocols are in place. It’s also important to have a plan to immediately address any breach. Clients want reassurance that their data is safe or that, in the case of a breach, there are measures to protect them.
It’s also important to perform regular reviews of staff access to PII. When individuals have access to sensitive information unnecessarily, it increases the likelihood of such information being stolen by an unauthorized group or individual.
Sander Ressler: I think that the self-audits being conducted on firms’ cybersecurity technologies and related protocols are generally proficient and yield mostly favorable results. However, most self-audits do not reasonably review the self-audits being conducted by vendors that provide critical platforms for many BDs and RIAs.
Vendors present an atypical way of accessing a firm’s proprietary data, and few of their customers inquire, much less review, any breach reports or other concerns as part of their business testing.