Cybersecurity Is About Protecting Clients—and Your Practice

One element of the cybersecurity discussion that is often overlooked is that the biggest threat to many advisory firms is not actually to client accounts but instead to the advisory brand.

In recent months, Advisor Group has added significant cybersecurity expertise to its senior management team. The new hires include Jason Lish, who for about four months has served as chief security, privacy, and data officer for Advisor Group’s Advisor Solutions team.

His role involves collaborating with advisers and executives from across the four individual firms that comprise Advisor Group—FSC Securities Corporation, Royal Alliance Associates, SagePoint Financial and Woodbury Financial Services. In a recent conversation with PLANADVISER, Lish pointed to his extensive cybersecurity background protecting organizations such as Alight Solutions, Charles Schwab and Honeywell as the main reason he was able to get this newly minted and exciting position.

“Four months in, I’ve now had sufficient time to understand the business and to start to make an impact,” he says. “From a priority perspective, so far there are two general areas where our firms are focused. First is on strengthening the overall security program at the home office by putting in place risk-based methodologies and enhanced capabilities that I’ve seen work in larger institutions I’ve been involved with.”

Lish says the Advisor Group firms—like others in the advisory industry—have a good cybersecurity foundation, “but in this space there are always ways to continue to harden the environment and put layered security measures in place.” At Advisor Group, he explains, the next step forward in cybersecurity is being referred to as the “CyberGuard” program.

The CyberGuard Program includes such features as comprehensive cybersecurity insurance, privacy/data breach insurance protection and coverage for breach response costs, regulatory liability and business disruption; discounted access to a cloud-based data backup solution that gives advisers secure, encrypted access to files from laptops, smartphones and other devices; and access to a security auditing and monitoring platform that continually monitors advisers’ systems to identify potential security gaps.

“The program also includes providing trusted login enforcement, login reporting and remediation support,” Lish says. “We now offer enhanced email and file storage capabilities with strong authentication and security monitoring features.”

Lish’s comments about improving advisory firm cybersecurity echo those made recently by Bart McDonough, CEO and Founder of Agio, which he describes as a “hybrid managed IT and cybersecurity services provider specializing in the financial services, health care and payments industries.”

“In today’s evolving cybersecurity environment, our clients come to us for two main reasons, which do overlap,” McDonough says. “First, they want help with their technical cybersecurity capabilities across the board. They have both generic and specific concerns about potential points of exposure for their organization.”

The second reason clients come to Agio is to get help meeting third-party cybersecurity standards, such as those put in place by regulators, particularly the Securities and Exchange Commission via its Office of Compliance Inspections and Examinations (OCIE), or private parties that review and approve cybersecurity.

For context, during recent examinations, OCIE staff identified common security risks associated with the storage of electronic customer records and information by broker/dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage. These risks are outlined in a Risk Alert published recently by the OCIE. Summarizing the matter, the Risk Alert states that, while the majority of these cloud-based network storage solutions offer encryption, password protection, and other security features designed to prevent unauthorized access, examiners observed that firms did not always use the available security features.

“There has been a lack of understanding of what the different threat vectors are and what advisers’ evolving obligations are from a regulatory perspective,” Lish reflects.

He warns that independent advisers are actually becoming a preferred target of hackers and bad digital actors in the financial services realm. For this reason alone, it has become essential that the leadership of advisory firms make cybersecurity a top personal and organizational priority.

“This is based on the fact that your larger institutions, the big banks for example, have been at this cybersecurity game for quite some time,” Lish explains. “They have been working for many years to harden their environment, and so this has actually led attackers to move away from these targets and to go to less sophisticated environments that have not as yet had to develop the knowledge or expertise to put the necessary defensive capabilities in place. If you look at an RIA that is operating wholly on their own, they may not even know where to start with cybersecurity.”

Lish adds that one element of this discussion that is often overlooked is that the biggest threat to many advisory firms is not actually to client accounts but instead to the adviser’s brand.

“Independent advisers are often operating in small, trust-based, tight-knit communities, and in that way it can be very hard to recover the brand reputation after a cyber incident,” Lish says. “Not to mention the security capabilities are coming up more and more in the request for proposals process. The cybersecurity questions are actually being formalized. To that point, we’re working to develop better ways to articulate what security is and what we are doing to achieve it.”