Cyber criminals steal billions of dollars a year from financial firms. Financial advisors – and their clients – are at risk as attacks increase and grow more complex, according to security experts.
“Advisors have one thing the bad actors want, and that’s money,” said Brian Edelman, chief executive of FCI, a cybersecurity firm specializing in financial services. “They’re the gatekeepers to a lot of money.”
Registered investment advisors, or RIAs, manage more than $4.7 trillion in client assets — about a fourth of all assets under management, according to TD Ameritrade. By 2022, that figure could grow by $1.4 trillion, according to the firm.
In addition to being a central repository for customer money, financial firms are attractive to scammers due to their valuable customer data, according to a White House Council of Economic Advisors report, which found that cybercrime cost the U.S. economy between $57 billion and $109 billion in 2016.
The finance sector, both public and private, suffered the largest number of security breaches relative to other industries that year, according to the White House analysis.
Investors don’t often ask about their financial planner’s cyber protocols, said Evelyn Zohlen, a certified financial planner and founder of Inspired Financial in Huntington Beach, Calif. Yet inquiring about protective measures should be on each client’s checklist.
“They should care because by the time there’s been an incident and they’re asking, it’s too late,” she said.
Here are five important questions investors should ask current and prospective financial advisors about their cyber protections, according to Edelman:
• What would you do if you have a security incident involving my confidential information?
• How do you protect my data?
• How can you show that you are in compliance with cyber regulations?
• Do you have cyber insurance?
• Do you have a third party validating that you are secure?
These points are either cyber requirements or recommendations from financial regulators like the SEC and Financial Industry Regulatory Authority, Edelman said.
Investors should ask for proof that advisors can demonstrate or justify their answers, Edelman said. They should also take note of their client experience — for example, whether they receive encrypted e-mail messages and need multi-factor authentication to access the client portal, Edelman said.
“There are two kinds of financial services firms: those that have faced a cyberattack and those that will,” according to the consulting firm PwC.
Almost half of companies experienced some type of financial fraud in the past two years, cybercrime being the most prevalent, according to a recent poll of 5,000 global firms by PwC. About 1 in 10 companies lost more than $50 million. Just 56% investigated the incident.
Zohlen might have inadvertently wired $80,000 of client money to scammers this fall if it weren’t for cyber controls instituted at the firm.
“It could have gone a very different direction because the quality of the fake was quite, quite good,” said Zohlen, who also chairs the Financial Planning Association, a membership group of almost 21,000 advisors.
The con artist, using an e-mail address that appeared legitimate, requested the sum to do home renovations, a not-uncommon ask for the client, who owns many rental properties, Zohlen said. The fraudster also attached a valid invoice from a contractor.
The firm discovered the attempted theft when reaching out to the client to confirm the transaction — part of a protocol instituted to proactively call customers and verify details.
“I’m concerned about all the new and exciting ways [criminals] are figuring out how to fool us,” said Zohlen, who has seen fraud attempts grow more common. “The experience this fall was eye opening.”
Cybersecurity ranks among the Securities and Exchange Commission’s top examination priorities for financial advisors, due to the heightened risk it poses investors.
Consumer loss to cybercrime is on the rise, hitting a record $3.5 billion last year, according to the FBI.
The FPA launched a cybersecurity certificate program for members last month. The topic is especially important given the fast pace of business being conducted by advisors, said Martin Seay, FPA president and director of Kansas State University’s personal financial planning program.