Protecting client data is an ongoing obligation

Firms must perform due diligence on prospective providers.
JUN 01, 2019
By  crain-api

Redtail Technology's recent data leak is a reminder of the weighty responsibilities financial advisory firms face when it comes to cybersecurity. Redtail's customer relationship management system contained data about clients of advisory firms that use the CRM. When some of that information was inadvertently exposed, Redtail's problem also became the problem of the advisers who relied on its CRM.

The Redtail leak can't be blamed on hackers. The company captured personal information about advisory firm clients on an internal file, called a log file, that serves as a record for software developers, and that file was accessible via the internet.

It's becoming common for personal information to get an airing. Earlier this year, BlackRock exposed the data of about 20,000 financial advisers who used the company's iShares ETFs — advisers from firms including LPL Financial and Axa Equitable. Voya Financial Advisors also had a glitch on a page of adviser bios on its website that had the potential to expose advisers' Social Security numbers.

A recent report from Aite Group suggests the problem is widespread. The report looked at 30 mobile apps from various types of financial services firms and found vulnerabilities in 29 of them.

Assessing and monitoring the cybersecurity practices of their technology providers may seem far outside the comfort zone of financial advisers, but regulators have made it clear that advisory firms need to be on the case. And they're stepping up enforcement to ensure firms do so.

The Securities and Exchange Commission cited cybersecurity as one of its examination priorities this year, and the $1 million fine the agency imposed on Voya Advisors last fall, after hackers gained access to the personal information of thousands of its customers, was seen as a signal that the SEC is cracking down in this area. A $50,000 fine the Financial Industry Regulatory Authority Inc. imposed on a small broker-dealer last year for having lax procedures that let hackers transfer money out of customers' accounts also was viewed as a warning to the industry.

Late last year, Finra updated its cybersecurity guidelines to include such topics as how to combat phishing attacks and mitigate insider threats.

So what's an advisory firm to do? Finra guidelines for advisory firms using third-party vendors say firms should perform due diligence on prospective providers before they sign on the dotted line. Contracts should cover such topics as how the firm's information will be stored and transmitted, the vendor's obligations in the event of a breach and limitations on the vendor's employees' access to data. Once the firm has hired a vendor, it must continue to monitor their efforts. And if a firm terminates the relationship, it should ensure that the vendor deletes all the data it had. Finra also notes that an advisory firm's risk assessments should include all of its vendors' systems and processes.

Last month, the North American Securities Administrators Association came out with a model rule that would require firms to have written policies and procedures in place regarding cybersecurity to protect client information.

Just discussing the work entailed in vetting fintech providers and preparing an advisory firm internally is enough to arouse nostalgia for the Underwriters Laboratories seal of approval on household electronics. If only it were that easy. But when clients trust firms with their personal information, advisers must repay that trust by doing the work it takes to ensure the safety of that data.
