It seems that hardly a week goes by without news headlines about a major cyberattack or cybersecurity breach. Advisors should take inventory of their digital assets to determine where hackers might exploit points of entry or how data may be lost to system errors.
Cybersecurity is becoming less of an esoteric topic for advisors – something that’s avoided or relegated to IT personnel to handle. Increasingly, it has become front-page news. Many clients have also picked up on the concern and have begun asking their advisors questions like: "Where is my data being stored?" "Who has access?" "How are communications being secured?" "What happens to my data if our relationship ends?" At the same time, cybersecurity risks have increased due to the COVID-19 pandemic. Out of those who suffered a breach in the last five years is 82%. Multiple factors contribute to this, such as remote work using mobile devices, new digital tools being used for customer data, and third parties being directed by customers to access their data. Before clients and regulators show up asking questions, you may want to review your business’s protections and preparedness for potential data breaches.
Reasonable steps are required
As part of its Code of Ethics and Standards of Conduct, the CFP Board requires financial advisors to take reasonable steps to protect the security of all non-public client information they store electronically. Regulators like the SEC and FINRA also have their own guidance on cybersecurity for financial advisors. This means that advisors can no longer just respond after the fact to cybersecurity incidents. Instead, you need to take proactive steps to protect your firm and your clients’ data from cyberattacks.
New rules proposed by the SEC in February (https://www.sec.gov/news/press-release/2022-39) add some urgency to cybersecurity risk management for financial advisors. These rules would create cybersecurity risk management standards requiring advisers to adopt and implement written cybersecurity policies and procedures designed to address risks that could harm clients. They would also require advisers to report significant cybersecurity incidents to the SEC on a new section of Form ADV.
In addition, advisors would have to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and