When a client hires you as their advisor, they are making a remarkable gesture of trust. They are saying that they believe you are capable of navigating the world of risk and return in such a way that their personal wealth and goals will likely be met.
Central to this relationship, of course, are your efforts to protect them from the risk of loss. While our industry has a rich history of well-documented practices that mitigate financial loss, the more contemporary risk of cyber fraud is only now beginning to enter the fiduciary's lexicon and take root in the day-to-day practices of RIA firms.
We hear from RIAs (either explicitly or implicitly) three common misperceptions about cybersecurity that hamper their efforts to mitigate these risks.
#1: Cyber threats against RIA firms are rare.
Cybersecurity risk among advisory firms is very real. Almost 10% of our RIA clients have some kind of attempted cybersecurity breach in the past 12 months.
#2: Cybersecurity is a “big firm” problem.
Large or small, every advisory firm has points of vulnerability. Likewise, the risk of loss from the client’s perspective is equally significant whether they’re working with a large or small advisory firm. To drive this point home, regulators have explicitly stated that small firms will not get a pass on properly addressing this risk.
#3: Cybersecurity is an IT issue.
Cybersecurity requires a multi-pronged approach that goes well beyond information technology. Effective cybersecurity risk management is a cross-functional challenge that must also address operational processes, vendor management, regulatory requirements and human resources.
What can RIA firms do to protect clients from cyber threats?
Institute Sound Policies & Procedures
Sound risk management begins with policies and procedures that are written, communicated and enforced by leadership. RIA firms should have a written set of policies and procedures that include:
Cybersecurity risk inventory
Some common best practices that RIAs should consider include:
Policies and procedures, while critical, can foster a false sense of security if they are not regularly reviewed, tested and improved. Your firm should appoint one individual (the chief compliance officer would be an obvious choice) who is held accountable for the continuous assessment and enforcement of the procedures that protect your firm.
The same can be said of your IT infrastructure as a whole. Viruses and malware evolve swiftly, so the security of your systems will quickly wane if it is not continuously challenged.
If you are like most RIAs today, you probably rely heavily on third-party vendors for your IT infrastructure. Yet in doing so, you are not absolving yourself of responsibility. As a fiduciary, you can outsource the work, but not the accountability.
Monitoring internal systems effectively requires specific knowledge and an ongoing commitment. This can be accomplished by hiring someone internally or by engaging one of the IT outsourcing firms that specialize in our industry and understand your firm’s regulatory regime.
Most of the fraud attempts made against our RIA clients originated from their clients’ side. The most common scenario is a client’s email account being compromised by someone who ultimately seeks to misappropriate advisory assets overseen by the RIA. By reading through the email history, the fraudster formulates a plan to contact the RIA and request a fraudulent wire transfer while mimicking the client in a way that makes the request appear legitimate (a practice known as “social engineering”).
RIA firms should address this topic directly with clients, encouraging them to adopt robust password practices in their personal email accounts. Imagine the relationship capital that could be built by helping a client mitigate risk beyond the financial risk in their portfolios!
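As an added example (not code from the original article), the Python routine below shows how an operations team could triage the scenario just described: every wire request that arrives by email is held for confirmation by a call to the phone number the firm already has on file, and the request is escalated when it shows the signs a compromised-mailbox fraud typically carries. The callback-verification rule, the field names, the regular expressions and the sample requests are all assumptions and constructed data, not practices the article spells out.

```python
"""Triage rules for wire-transfer requests received by email.

Assumption (not stated in the article): an email-originated wire request is
never acted on until it is confirmed by a call to a phone number the firm
already holds for the client, never to a number supplied in the email.
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class ClientRecord:
    """What the firm already knows about the client, independent of any email."""
    email: str
    phone_on_file: str
    known_beneficiaries: set  # account identifiers from prior verified wires


@dataclass
class WireRequest:
    """Fields an operations associate would extract from the inbound email."""
    from_addr: str
    reply_to: str
    body: str
    beneficiary: str
    amount: float


# Heuristics for language that commonly accompanies a fraudulent request.
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)
AVOID_CALL = re.compile(
    r"(can'?t|cannot|unable to|don'?t) (take|answer|receive)[^.]*(call|phone)", re.I
)
NEW_NUMBER = re.compile(r"(reach|call) me (at|on) [\d\-() ]{7,}", re.I)


def assess_wire_request(req: WireRequest, client: ClientRecord) -> dict:
    """Return the hold/verify decision plus the red flags found in the request."""
    flags = []
    if req.from_addr.lower() != client.email.lower():
        flags.append("sender address does not match client email on file")
    if req.reply_to.lower() != req.from_addr.lower():
        flags.append("reply-to address differs from sender")
    if req.beneficiary not in client.known_beneficiaries:
        flags.append("beneficiary not seen on prior verified wires")
    if URGENCY.search(req.body):
        flags.append("urgency language")
    if AVOID_CALL.search(req.body):
        flags.append("asks the firm not to call")
    if NEW_NUMBER.search(req.body):
        flags.append("supplies a new callback number in the email")
    return {
        # Always hold, and always verify against the record, not the email.
        "hold_until_verified": True,
        "verify_by_calling": client.phone_on_file,
        "escalate": bool(flags),
        "flags": flags,
    }


# Constructed sample data.
CLIENT = ClientRecord(
    email="pat.client@example.com",
    phone_on_file="555-0123",
    known_beneficiaries={"BANK-A/0001"},
)

ROUTINE = WireRequest(
    from_addr="pat.client@example.com",
    reply_to="pat.client@example.com",
    body="Please wire $5,000 to my usual account for the quarterly distribution.",
    beneficiary="BANK-A/0001",
    amount=5000.0,
)

SUSPICIOUS = WireRequest(
    from_addr="pat.client@example.com",
    reply_to="pat.client@mail-example.net",
    body=("Please send $45,000 today to the new account below. It's urgent and "
          "I can't take calls this week, so just reach me at 555-0100 if needed."),
    beneficiary="BANK-B/9999",
    amount=45000.0,
)

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("suspicious", SUSPICIOUS)):
        print(name, assess_wire_request(req, CLIENT))
```

Even the routine request is held and confirmed by phone; the flags only decide whether the request also goes to a supervisor before the call is made.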
Every person within the firm has a role in preventing cyber threats. This includes the founder who decides which cloud service to use, the chief compliance officer who implements risk management procedures, and the operations staff who handle client inquiries.
A properly crafted set of policies and procedures always includes a commitment to educate staff on the nature of the risks and what they can do to protect clients from fraud. These messages must come from the highest levels of leadership. If staff does not believe leadership is taking this seriously, they won’t either. A culture of risk management starts at the top.
Regulators and clients (whether they have explicitly said so or not) expect that the guardian of their assets will implement measures to protect client assets from cyber attacks.
Cyber attacks pose a very real risk for your clients. A proactive approach to cybersecurity will go a long way in strengthening client trust, remaining competitive and relevant, and ensuring that your firm is satisfying the expectations of its regulators.