Cyberattacks and data breaches are the new normal for registered investment advisors. These investment advisor cyber breach claims will show you what not to do.
Like all businesses, registered investment advisors (RIAs) are vulnerable to cybercrime. However, they face more significant risk than your average small business due to the amount and nature of personally identifiable information (PII) they store.
The threat has accelerated so quickly that the Securities and Exchange Commission (SEC) has proposed new regulations designed to improve RIA cyber risk management, incident reporting and public disclosures. It also has doubled the size of its Crypto Assets and Cyber Enforcement Unit.
Sensing a need to batten down their cyber hatches, large asset custodians have begun requiring their RIA customers to maintain insurance for digital losses.
Numbers Tell the Story
It’s plain to see why investment-advisor regulators, large asset custodians and financial services manufacturers are concerned about recent events: Cyber losses are exploding.
According to Verizon’s 2022 Data Breach Investigations Report, financial services providers, including RIAs, experienced 2,527 data breaches this year, involving 690 instances of actual data disclosure.
The cost to assess and remediate such events continues to inflate rapidly. The 2022 Cost of a Data Breach Report from IBM and the Ponemon Institute pegged the average data breach expense at a record $4.35 million. It also revealed that the per-client cost reached $164, a seven-year high.
Furthermore, the 11th annual NetDiligence® Cyber Claims Study, which targets smaller firms, found that 5,797 cyber liability and data breach insurance claims cost an average of $145,000. However, the average claim costs for ransomware and business interruption were $267,000 and $508,000, respectively.
As alarming as these numbers are, the experience of individual firms is where the cyber threat hits home. Reading about firms with ineffectual cyber defenses and flawed incident-response plans reinforces how much more work the RIA industry must do to safeguard client data.
RIA Cyber Claim Scenarios
The SEC issued enforcement orders against the following RIA firms for not protecting client data. Let these RIA cyber claim examples, based on real-life SEC enforcement, be your cautionary tales.
“ABC Financial Services” is a San Francisco-based broker-dealer and investment advisory company. It offered investment products and services through 800 financial advisors who worked as independent contractors. Its employees and independent contractor advisors used a cloud-based email platform for internal and external communications, often including client PII in their email messages.
Between September 2018 and August 2020, unauthorized individuals took over the email accounts of 15 ABC advisors, allowing them to send messages to and receive replies from clients. After the attack, the PII and other account information of 5,000 clients was forwarded to external email addresses.
Then clients began receiving phishing emails asking them to wire funds to a bank account, enter their PII into a form to access an important document or receive an investment recommendation. If they had complied, the hackers would have gained access to their computers and wreaked havoc on their finances. This kind of social engineering scheme is an increasingly popular strategy among hackers. According to the 2021 IBM Cost of a Data Breach report, which studied the results and cost of 537 real breaches that year, social engineering cases alone cost $4.47 million for the year.
The SEC’s finding? That the firm violated the “Safeguards Rule” of SEC Regulation S-P. It ordered the company to pay a $200,000 fine.
“Evergreen Financial Services” is a securities brokerage and investment advisory firm. It buys and sells stocks, bonds, mutual funds and other financial products. It also provides retirement planning, insurance and other financial services. Evergreen works with investment advisors and their clients across the United States.
According to the SEC, cybercriminals called the company’s support line, impersonated independent contractors who worked with the firm and requested new passwords. The hackers used their new credentials to access the accounts of 5,600 of the company’s customers. Next, using that information, they created new online profiles for three clients and used them to access private account documents.
The SEC alleged that Evergreen allowed the access to continue due to its lax cybersecurity procedures. They failed similarly in a prior incident. The company didn’t properly apply its policies to its independent contractor platform, which served the largest segment of its workforce.
The government charged the firm with violating the agency’s Safeguards and Identity Theft rules. It fined the company $1 million and censured it for its laid-back cybersecurity practices. The company paid the fine without admitting to or denying the SEC’s charges.
“On Point Investment Research Inc.” is based in Iowa. It’s SEC-registered as both a broker-dealer and an investment advisor. The company works with 4,750 registered representatives and investment advisor representatives.
From January 2018 to July 1, 2021, criminal hackers took over the email accounts of 121 independent representatives. The attack vectors were phishing and credential stuffing, among others. In the email compromises, hackers forwarded messages from the accounts of company representatives to outside parties who lacked the authority to view them. Customers also received emails from phony On Point representatives asking for their PII or urging them to click on a URL. Several cases involved hackers trying to withdraw funds from customer accounts.
After forensic analysis, the company found that 2,177 customers had their PII exposed during the email compromise. It offered free identity theft protection to all affected customers. The company didn’t perform a forensic analysis for the other attack types, instead assuming they affected all clients of the compromised representatives. As a result, it notified 3,800 customers that their information was now at risk.
Although the cyberattack had negative consequences, On Point did not mitigate its security holes using advanced measures. It simply reset the email passwords for the affected representative accounts. Although it recommended multi-factor authentication (MFA), it didn’t require it until May 2021.
The SEC concluded that On Point Investment Research willfully violated the Safeguards Rule. It ordered the company to stop committing further cybersecurity infractions, censured the firm and imposed a $250,000 fine.
“Diversified Financial, Inc.” is a multinational financial services firm specializing in retail stock brokerage. Its 20,000 financial advisors served 10 million households from 1,000 locations worldwide.
Starting in 2017, the company improperly disposed of desktop and mobile devices containing the PII of 15 million customers. It hired a moving and storage company with no experience in decommissioning data servers and hard drives. Diversified also failed to supervise the moving company’s work properly. When the mover sold thousands of Diversified devices to a third party, they were auctioned on the internet, even though they still housed confidential client information.
When the company discovered what was happening, it successfully recovered some of the devices. The rest, containing data from millions of Diversified clients, remained at large.
The SEC also found that Diversified decommissioned 80 computer servers likely containing unencrypted customer PII and consumer-report data. Efforts to recover them also failed. The devices had encryption capability, but Diversified neglected to activate the feature for years.
The SEC found that Diversified violated the Safeguards and Disposal Rules of Regulation S-P and ordered it to pay a $50 million fine.
The Need for Cyber Liability and Data Breach Insurance
The preceding investment advisor cyber claim examples illustrate the need to protect your RIA firm against cybercrime and internal accidents. Without insurance, you’ll be on the hook for millions of dollars in first- and third-party claim expenses. With it, you can transfer your covered losses to your insurer, who will pay for them under the terms of your policy. Given a choice between exposing your firm to mounting cyber risks and protecting it against them, doesn’t the latter make more sense?
Strengthen your cybersecurity by purchasing Cyber Liability & Data Breach Insurance from the National Association of Professional Agents (NAPA).