Lloyd D Lowe Sr – Founder & CEO of LD Lowe Wealth Advisory
With what seems like an avalanche of bad news related to hacking and data breaches being reported over the past several months, it is easy to feel overwhelmed and powerless in the face of it all. In many ways, it seems we are always managing to the last attack, by virtue of the fact that those who wish to do harm are constantly redefining the threat landscape. How can a single individual, or a small firm, protect against such a rapidly evolving enemy?
It is difficult to defend against the unknown, but following conventional wisdom used in the IT industry, all defense really boils down to people, processes and technology. Notice what comes first? People. The biggest threat to data security is human error. And often that doesn’t come from ignorance or general disengagement (though it can). Sometimes it’s just a matter of letting one’s guard down, and other times it may be falling prey to hackers who are becoming increasingly sophisticated in duping both advisors and clients.
For example, a recent study by the Securities and Exchange Commission noted that more than half of cyber risks come from email, such as phishing emails sent from hacked client accounts that request the transfer of money to fraudulent accounts. Where proper controls are lacking, such scams can result in unauthorized transfers of money to the thieves; the embarrassment to the firm is one concern, but the possible irreparable harm to the client is the more significant worry.
Once the horse has fled the barn, it is easy to see how it could have been prevented. But that doesn’t change the fact the neighbor’s garden was trampled in the process and the horse sprained an ankle in the escape. Repair can be done, but the relationship is never the same. Fundamentally, the greatest loss is trust – and it is gone in a flash.
So, how can we normalize the human element of the risk? To err is human, so there is no 100 percent solution. Data safety in the financial planning profession is a two-way street – clients themselves can make data vulnerable while financial planning firms are working hard to protect it. So, as part of the foundation of trust, we must mutually agree to protect data together.
There are basic things we can all do to better protect data – with both staff and clients participating.
- Password Protect. A simple rule that has been in place for a long time is to change passwords every 30 days, and immediately when an account is hacked. Passwords should be phrases rather than a complicated series of digits you must write down to remember.
- Two-step Verification. In the example above regarding phishing emails that appear to be legitimate client requests, a firm can protect itself and its clients by having a two-step verification policy in place that requires a phone confirmation in addition to any email request received. In addition, clients should be required to sign and return newly-dated transfer authorization forms prior to executing any transaction. From the client’s perspective, it is a good rule of thumb to call about a transaction request, then follow up with an email.
- Use caution in printing. The protection of sensitive data begins where it has been for the majority of my career – offline. Any time information is printed, faxed, written down or spoken of, it is open to being viewed by the wrong person, mislaid, or thrown away instead of being shredded. Going paperless as much as possible is a logical step to preventing loss, misplacement or unauthorized viewing. But it should be used judiciously, as using technology to store information does require processes to secure the technology.
- Write it down. All firms should have processes related to security formalized in a cybersecurity policy that is part of the employee handbook. This information should also be available for clients to review.
- Debit or credit? If you are drawing down your retirement and using it for living expenses, there are important distinctions to consider when using a debit or credit card. If you are on a budget and do not want to risk incurring debt, debit is a good option. However, it is important to tie the debit card to an account separate from your larger retirement cash accounts. Debit cards do not carry the same protections as credit cards.
In addition to basic process improvements like these, for advisors who are broker-dealers registered with the Securities and Exchange Commission, there are very specific standards required of the firm to ensure data safety, and both the SEC and FINRA are increasing their diligence and oversight in this area. For advisors, I believe this is great for our profession. Without a federal standard of care for data protection, we have a regulatory authority holding us to a higher standard of care voluntarily. When federal standards are agreed upon, we will have a firm foundation in place from which to comply with the new law. For clients, there is greater assurance in the quality of data safety when working with a registered broker-dealer. While no one is invulnerable to attack, I would argue the opportunity for attack is reduced in firms making cybersecurity a high priority, with processes in place to remain vigilant.
It may be tempting to think that the responsibility for data safety lies with someone other than you. But the reality is, it is your data – and you are ultimately accountable to protect it. And those in whom you put your trust to use your data share the burden of responsibility in order to win – and maintain – your trust.