Cyberattacks are increasing against registered investment advisors (RIAs). If you don’t adequately protect yourself, your hard work could be erased as easily as a hard drive hit by an electrical surge.
Major RIA Cyber Risks
There are countless varieties of cyber incidents, both deliberate and accidental. Focus your attention on the following six types as they account for most of the attacks and human errors RIA firms experience.
Phishing
Phishing is a cybercrime in which a person or entity contacts a target by email, text or phone to trick the target into providing sensitive personal information that can be used to steal identities and financial assets. It’s the most common cause of cyber losses. It is especially prevalent in the financial services industry, where financial institutions, advisors and clients are gateways to vast amounts of personal information and wealth.
Many phishing attempts can be spotted: the offer is too good to be true, the message manufactures urgency, and hovering over a link (without clicking) reveals a destination URL that does not match the link text or the supposed sender. Phishing emails also commonly carry unexpected attachments or come from unusual or unknown senders, or from a sender you do know whose display name or address is subtly misspelled or whose logo looks off. Do not assume every attempt is obvious, though: targeted messages aimed at advisors can be well written and convincing, so the habit to build is verifying before acting, not just looking for sloppy mistakes.
Credential Stuffing
Credential stuffing is an automated attack in which criminals take username and password pairs exposed in earlier breaches (bought or traded on dark-web forums) and replay them with scripts, at scale, against the login pages of other sites. It works because people reuse passwords: any client or employee who used the same password on a breached site and on your portal is exposed, and each successful login lets the attacker take over that account to steal identities or money.
A 2020 SEC Office of Compliance Inspections and Examinations (OCIE) risk alert warned RIAs that credential stuffing is “a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute-force password attacks.” It went on to warn advisors that failure to mitigate the risks of credential stuffing will significantly increase a firm’s financial, regulatory, legal, reputational, and investor liabilities.
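What a credential-stuffing burst looks like in authentication logs, and the kind of login-velocity control the mitigation tips later in this article call for, as an added example. This is not code from the article or from the SEC alert it cites; the log line format, the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Added example, not from the article or the SEC alert it cites.  The log
format (ISO timestamp, ip=, user=, result=OK|FAIL) and the thresholds are
assumptions; adapt the regex to your identity provider's export.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source replaying leaked email/password pairs against
# many different accounts in a short burst, surrounded by normal traffic.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z ip=198.51.100.20 user=alice result=OK
2024-03-04T09:00:05Z ip=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:06Z ip=203.0.113.7 user=bob result=FAIL
2024-03-04T09:00:07Z ip=203.0.113.7 user=carol result=FAIL
2024-03-04T09:00:08Z ip=203.0.113.7 user=dave result=OK
2024-03-04T09:00:09Z ip=203.0.113.7 user=erin result=FAIL
2024-03-04T09:00:10Z ip=203.0.113.7 user=frank result=FAIL
2024-03-04T09:00:11Z ip=203.0.113.7 user=grace result=FAIL
2024-03-04T09:00:12Z ip=203.0.113.7 user=heidi result=FAIL
2024-03-04T09:01:30Z ip=198.51.100.21 user=bob result=FAIL
2024-03-04T09:01:45Z ip=198.51.100.21 user=bob result=OK
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples, skipping
    malformed lines rather than letting one bad line stop the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_rate=0.6):
    """Flag source IPs that try many *distinct* accounts with a high failure
    rate inside a sliding window.  Brute force hammers one account with many
    passwords; stuffing tries many accounts once or twice each, so distinct
    usernames per source is the discriminating signal.  Any success inside a
    flagged burst is a reused password that must be reset."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user, success)
    alerts = {}
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, s in q if not s)
        fail_rate = failures / len(q)
        if len(users) >= min_distinct_users and fail_rate >= min_fail_rate:
            alerts[ip] = {
                "distinct_users": len(users),
                "attempts": len(q),
                "fail_rate": round(fail_rate, 2),
                "compromised": sorted(u for _, u, s in q if s),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The normal user on 198.51.100.21 who mistypes a password once is not flagged, while 203.0.113.7 is, and the one account it logged into (dave) is reported as compromised. A distributed campaign spreads attempts across thousands of proxy addresses so that no single IP trips a per-source threshold; the fallback is the same test applied globally (distinct accounts failing per minute across all sources, compared with a baseline), which a WAF or bot-management service is usually better placed to see than an application log.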
Third-Party Breaches
Firms may adequately lock down their own systems and data, but a vendor with access to that data could suffer a breach. Some 60 percent of companies have experienced a breach through a third party, according to a 2018 study from the Ponemon Institute and Opus. Any data breach is expensive, averaging $3.92 million according to the Ponemon and IBM Cost of a Data Breach Report; when a third party is involved, the average rises to $4.29 million. Know which vendors hold or can reach client data, and confirm in writing what security controls and breach-notification obligations each of them accepts.
Ransomware
Ransomware attacks involve criminals penetrating your computer systems and encrypting your files so that you cannot use your applications or data, then holding them hostage until you pay a ransom for the decryption key. Most current ransomware groups also copy the data out before encrypting it and threaten to publish it, so a ransomware incident should be treated as a data breach even if you can restore everything from backup.
Ransomware incidents increased 62% in 2020, with more than 300 million incidents reported around the globe. The pandemic worsened things, with attacks growing nearly 500% since the outbreak began early in 2020. The average ransom amount has soared as well. In 2020, researchers pegged the average ransom amount at $170,000 per incident. By the first quarter of 2021, it had reached $220,000.
Insiders
Another significant cyber risk RIAs face today does not come from outsiders at all. It involves trusted insiders: people you know who have legitimate access to your systems and data but either act with malicious intent or are careless with your IT resources. Surveys bear this out: 68% of businesses feel moderately to extremely vulnerable to insider breaches, the same percentage say insider attacks are becoming more common, and 63% say such attacks have become harder to detect since moving to the cloud.
Financial Transactions
As an RIA, you are in the business of executing financial transactions, many of them sizeable. The platforms that execute your trades encrypt that traffic, so interception of an order in transit is a low risk. Fraudulent wire transfers, however, remain a high risk. A cybercriminal gathers information about a client, or simply takes over the client's real email account, which lets them pose convincingly as that person. They then contact you requesting a wire transfer for a normal-sounding purpose, such as a down payment on a house or a car purchase, usually with a tight deadline attached. Once you approve and initiate the transfer, it is only a matter of time before you and the client discover the request was not legitimate. By then the funds, typically routed abroad and moved on quickly, are rarely recoverable.
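The impersonation described above, along with the spoofed and lookalike sender addresses the phishing section mentions, can be screened mechanically before a request reaches an advisor. The following is an added example written for this page, not code from the article; the trusted domains, the simple "Name <address>" header form it handles, the homoglyph table and the sample headers are all assumptions.

```python
"""Sender-spoofing and lookalike-domain checks for an inbound message.

Added example, not from the article.  The trusted domains, the simple
"Name <addr>" header form handled here and the sample headers are
assumptions; production code should parse headers with the email package
and combine these checks with SPF/DKIM/DMARC results from the gateway.
"""
import re

TRUSTED_DOMAINS = {"examplewealth.com", "custodian-example.com"}   # assumed

# Character swaps that look alike at a glance (attacker form -> genuine form).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

ADDR_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")


def split_address(header):
    """Return (display name, address).  Deliberately takes the angle-bracket
    pair as the address, because 'ceo@firm.com <x@evil.net>' shows the
    genuine-looking address in the name slot of many mail clients."""
    m = ADDR_RE.match(header)
    if m:
        return m["name"].strip(' "'), m["addr"].strip()
    return "", header.strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize(domain):
    """Undo the common look-alike substitutions so 'examp1ewealth' compares
    equal to 'examplewealth'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; one edit away from a trusted domain is the
    classic typosquat (examplewealth.com vs examplewelth.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_sender(headers, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for the From and Reply-To
    headers; an empty list means nothing suspicious was seen."""
    findings = []
    name, addr = split_address(headers.get("From", ""))
    dom = domain_of(addr)
    if dom not in trusted:
        for t in trusted:
            # 1. Lookalike registered domain: homoglyph swap or one edit away.
            if normalize(dom) == t or edit_distance(dom, t) == 1:
                findings.append(f"lookalike domain {dom!r} imitates {t!r}")
            # 2. Trusted name buried as a subdomain of an attacker-owned domain.
            elif dom.startswith(t + ".") or ("." + t + ".") in ("." + dom):
                findings.append(f"{t!r} appears as a subdomain of {dom!r}")
        # 3. Display name claims a trusted identity but the address does not.
        compact = re.sub(r"[\s-]", "", name.lower())
        brands = {t.split(".")[0].replace("-", "") for t in trusted}
        if "@" in name or any(b in compact for b in brands):
            findings.append(f"display name {name!r} does not match address {addr!r}")
    # 4. Replies silently diverted to another domain (catches the case where
    #    the From header itself is forged to look genuine).
    _, reply = split_address(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != dom:
        findings.append(f"Reply-To {reply!r} differs from From domain {dom!r}")
    return findings


# Constructed sample headers for a quick run.
SAMPLE_HEADERS = [
    {"From": "Alice Advisor <alice@examplewealth.com>"},
    {"From": "Alice Advisor <alice@examp1ewealth.com>"},
    {"From": "Ops <ops@examplewealth.com>", "Reply-To": "ops@mail-example.net"},
    {"From": "Bob <bob@examplewealth.com.secure-login.net>"},
    {"From": "alice@examplewealth.com <a1ice.client@gmail.com>"},
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h["From"], "->", analyze_sender(h) or "ok")
```

The same checks apply to a per-client list of known addresses, which is where the wire-fraud scenario bites. None of them replaces the control that actually stops a fraudulent transfer: a request that passes every header test can still come from a client mailbox the attacker controls, so payment instructions are verified by calling the client back on a number already on file.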
RIA Cyber Risk Mitigation
Preventing a cyberattack is always better than having to respond to one. Here are some essential prevention tips for the major RIA cyber risks.
- Phishing: Advisors and support staff must never become complacent about incoming email. Evaluate every message before acting on it. Do not trust the sender's display name; look at the actual address behind it. Do not click links or open attachments in unexpected messages; instead, reach the site by typing its address yourself, or confirm with the sender by phone on a number you already have. Watch for grammar and spelling errors, urgent-response demands and emotional appeals, and never send personal information to unknown or suspicious senders. Most importantly, treat any email that feels out of place as suspect, and report it rather than acting on it.
- Ransomware: To prevent crippling lockouts, ensure your firm takes daily backups and keeps at least one copy offline or immutable, because ransomware operators seek out and encrypt or delete any backups they can reach. Test restoring from those backups regularly; an untested backup is not a recovery plan. Run endpoint protection with current ransomware detection. Never click unknown links or open unexpected attachments, download only from sites you trust, and keep every computer and mobile application patched. If your firm does fall prey to ransomware, watch for these symptoms: screen pop-ups that lock your computer, files with uncommon or strange extensions, repeated errors when you try to open a file or application, and documents on your drives (typically ransom notes) that nobody created.
- Client data loss prevention: It is crucial to answer five questions. What data needs protecting (also known as data classification)? How much priority should each data type receive? Where does all of your data live, especially your high-priority data? What protective measures are needed for the various data types in motion, in use and at rest? And who should be allowed to access which files (client files, for example, should be restricted to the advisors and staff who need them for their work)? Once you have analyzed your data, deploy technology to block data from leaving the firm improperly and configure it to alert you when such events occur.
- Credential stuffing: The SEC's Office of Compliance Inspections and Examinations (OCIE) recommends enhanced vigilance regarding credential stuffing. Specifically, it urges RIAs to update their password policies to implement criteria for strength, length, type and periodic changing of passwords (note that current NIST guidance in SP 800-63B favors long passwords screened against lists of known-breached passwords over forced periodic rotation, which tends to produce predictable variants). Multi-factor authentication is the single most effective control, because a replayed password alone no longer grants access, and CAPTCHA technology helps deter automated scripts. Other measures include controls to detect and block higher-than-usual login attempts and failure rates, and a web application firewall to detect and inhibit credential-stuffing traffic.
- Fund transfer wire fraud: Implement a four-layer defense against wire fraud. The first is training your staff to detect the initial fraud attempt. Requests to send money to a new destination, especially a foreign account, are red flags, as are requests to overlook mistakes because the sender was on a smartphone, bad grammar in a text or email, and pleas of urgency, confidentiality or hardship. The second layer is technology: scan all messages with a secure email gateway, configure your email to tag messages that originate outside the firm, and have your IT team confirm that anti-spoofing controls (SPF, DKIM and DMARC published for your own domain, and enforced on inbound mail) are in place. The third layer is training everyone to spot a spoofed email, including lookalike domain names that differ from the genuine one by a single character and sender display names that do not match the underlying address. The fourth and final layer is a robust wire-transfer authentication process, defined in a written firm policy: verify every new or changed payment instruction by calling the client back on a phone number already on file (never one supplied in the request), and require a second approver above a set amount. All staff should receive annual training on these verification steps.
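The ransomware symptoms listed in the tips above (files renamed to strange extensions, contents that are no longer readable, ransom notes nobody created) can be checked for automatically by comparing two snapshots of a file share. The following is an added example, not code from the article; the baseline extension list, the thresholds and both snapshots are constructed for illustration.

```python
"""Ransomware impact check over two constructed snapshots of a file share.

Added example, not from the article.  It looks for the symptoms the
mitigation tips list: files renamed to an unfamiliar extension whose contents
are now high-entropy (encrypted), and new ransom-note documents nobody
created.  The baseline extension set, thresholds and both snapshots are
assumptions constructed for this example.
"""
import math
import random
from collections import Counter

KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".csv"}     # assumed baseline
NOTE_HINTS = ("readme", "decrypt", "recover", "how_to", "restore")


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for office documents and plain text,
    above 7.5 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(before, after, affected_threshold=0.5, entropy_threshold=7.0):
    """before/after map path -> bytes for the same share at two points in time.
    Returns the renamed-and-encrypted pairs, ransom-note candidates, the
    fraction of the original files affected and an overall alert flag."""
    renamed_encrypted = []
    for path in before:
        if path in after:
            continue                       # still present under its own name
        stem = path.rsplit(".", 1)[0]
        # Ransomware usually appends its extension (report.docx -> report.docx.locked)
        # or replaces it (report.docx -> report.locked); check both forms.
        for p in after:
            if not (p.startswith(path + ".") or p.startswith(stem + ".")):
                continue
            ext = "." + p.rsplit(".", 1)[-1].lower()
            if ext not in KNOWN_EXTS and shannon_entropy(after[p]) > entropy_threshold:
                renamed_encrypted.append((path, p))
    notes = sorted(p for p in after if p not in before
                   and any(h in p.lower() for h in NOTE_HINTS))
    fraction = len(renamed_encrypted) / max(len(before), 1)
    return {
        "renamed_encrypted": renamed_encrypted,
        "ransom_notes": notes,
        "fraction_affected": round(fraction, 2),
        "alert": fraction >= affected_threshold or bool(notes),
    }


def constructed_snapshots():
    """Constructed data: four client documents, three of which are then
    encrypted and renamed, plus a ransom note dropped in the same folder."""
    rng = random.Random(7)                  # deterministic stand-in for ciphertext
    plain = b"Quarterly review for client account; rebalance target 60/40.\n" * 20
    before = {f"clients/{n}": plain
              for n in ("smith.docx", "jones.xlsx", "lee.pdf", "notes.txt")}

    def ciphertext():
        return bytes(rng.getrandbits(8) for _ in range(2048))

    after = {
        "clients/smith.docx.locked": ciphertext(),
        "clients/jones.xlsx.locked": ciphertext(),
        "clients/lee.pdf.locked": ciphertext(),
        "clients/notes.txt": plain,                     # untouched
        "clients/HOW_TO_RECOVER_FILES.txt": b"Your files are encrypted. Pay to decrypt.\n",
    }
    return before, after


if __name__ == "__main__":
    print(assess(*constructed_snapshots()))
```

In practice the "before" snapshot is a periodic inventory of the share and the check runs as a scheduled job or inside a file-integrity monitor; the entropy test is what separates a genuine mass rename (a migration, say) from encryption, since renamed-but-readable files keep their low entropy. Commercial endpoint tools do the same in real time and add canary files that nothing legitimate should touch.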
The Need for Cyber Liability and Data Breach Insurance
Even with a robust cybersecurity policy, a hacker could still penetrate your defenses. Many RIAs today purchase cyber liability and data breach insurance to pay for the expenses involved in these contingencies. How does this form of insurance work? It provides two levels of protection: first party and third party.
First-party protection means the policy helps you mitigate a breach’s negative impact on your practice. It does this by paying for things like:
- Investigation: hiring a forensic IT expert to determine how the breach happened and to fix the security hole.
- Ransoms: meeting a cybercriminal's payment demand to unlock your computers, especially if you lack a current system backup. Bear in mind that paying does not guarantee working decryption, and that payments to sanctioned parties can themselves be unlawful, so the insurer and legal counsel are normally involved before any payment is made.
- Regulatory fines: providing funds to cover regulatory penalties or other fines resulting from the incident, to the extent they are insurable.
- Public relations: hiring a PR or crisis management firm to help stem client defections after a data breach.
- Client credit monitoring: providing credit monitoring to all parties affected by the incident.
- Notification expenses: letting affected clients know their personal data was released in a data breach.
- Legal advice: retaining an attorney to counsel you on the legal impact of the attack.
- Business interruption support: providing cash to replace income lost due to your inability to operate your business after the cyber breach.
Third-party protection means the policy helps you deal with third-party liability litigation. In other words, your policy will provide funds to retain an attorney to defend you and to pay for legal settlements and judgments imposed on you if a cyber incident resulted from your negligence.
Put first-party and third-party coverage together and what do you get? A robust safety net to address most cyber-related RIA risks. If you have yet to purchase such a policy, learn about the coverage options available from NAPA.
Don’t Forget E&O Insurance
After you complete the above steps, you’ll be on your way to locking down your RIA firm against cyberattacks and internal mistakes. But don’t relax yet. Clients can still sue you for a host of non-cyber reasons, including trades outside their risk tolerance and disputes over excess fees and bad investment advice. If you get sued for these or other reasons, your attorney fees, legal settlements and judgments will be your responsibility unless you have E&O insurance. Solution: Buy E&O Insurance today or if you’ve already purchased it, review your coverage to make sure it’s still current and appropriately covering your firm.
Are you paying too much for your RIA E&O insurance? Then compare your current policy with those available from NAPA Premier. Our insurance for RIAs, investment advisor representatives, registered representatives and financial planners starts at $72.08 per month. Establishing sound coverage only takes minutes. To learn more, visit our website.