Strong Cybersecurity Policies Must Be a Firm Priority

From reputational damage to the downstream effect of more expensive fiduciary liability insurance, advisory firms have a lot to lose from lax cybersecurity practices.

By DJ Shaw

Cybersecurity breaches are a growing concern among advisers, and, without sufficient protections, the benefits of America’s workers may be at risk. With this challenge in mind, a recent panel discussion hosted by Fi360, a Broadridge company, detailed how to prepare a plan to keep up with current and future risks.

There are two major risks advisers should keep in mind when thinking about cybersecurity, said Bonnie Treichel, Endeavor Retirement’s chief solutions officer. First is the loss of funds or participant assets, and the second is the loss of data—including personally identifiable information (PII) such as Social Security numbers, addresses and anything that should not be publicly available. Treichel said both types of breaches can cause significant damage to a firm’s clients, as well as its internal operations and credibility in the marketplace, and so an effective cybersecurity strategy must address both possibilities.

Firms face great risk once there is a breach, and Treichel explained that the downstream effects of a breach can be long-lasting. A breach is going to cause reputational harm to any firm, and there will also be operational disruption, she said. The average operational recovery time for a company is in the ballpark of three weeks. Not to mention that the recovery comes with a significant cost. There may then be an investigation, lost revenues and other spending to make participants whole again through services such as credit monitoring.

The harm that can befall a firm and its clients based on cybersecurity breaches was evident in recent regulatory actions taken by the U.S. Securities and Exchange Commission (SEC). The market regulator announced in September that it was levying a series of sanctions against eight registered advisory firms for failures in their cybersecurity policies and procedures. According to the SEC, various process and procedural failures led to pernicious “email account takeovers” exposing the personal information of thousands of customers and clients at each firm. The SEC says the eight firms, some of which operate collectively, agreed to settle the charges, together paying $750,000 to settle the matter without formally admitting fault or wrongdoing.

As the speakers on the Broadridge webinar emphasized, there are long-term harms that come after the regulatory dust has settled. These may include increased insurance premiums and future lawsuit exposure. The severity of a breach will be based on a firm’s initial response and the cybersecurity program in place, Treichel said.

“A cybersecurity program identifies and assesses your internal and external cybersecurity risks that may threaten the confidentiality, integrity or availability of electronically stored information,” added Sarah Chase-McRorie, Matrix Financial Solutions Inc. senior legal counsel. “An effective program is going to have a well-documented information security policy, procedure guidelines and standards to protect your firm’s IT [information technology] infrastructure and data stored on the system.”

The speakers noted that the Department of Labor (DOL) recently released its own guidance on cybersecurity that has spurred more conversations on the matter.

Chase-McRorie said it is important to know what guidelines apply to each individual firm based on what type of service provider it is. When developing a framework, she recommended using the new guidance as an internal checklist and limiting the sharing of data between providers to only what is necessary.