
Independent thinking.

In partnership with InvestmentNews Research

An adviser’s guide to cybersecurity


Introduction

As advisers and their clients increasingly interact online, and as more client data is aggregated and housed in the cloud, the threat of cybercrime compromising client data and opening the door to asset theft is greater than ever. To be sure, broker-dealers and custodians have made cybersecurity a priority. But while the financial firms that support advisers — and advisers themselves — regularly implement new software and procedures designed to safeguard client data, the threat remains. Like Willie Sutton in the past, today’s cybercriminals are drawn to advisory accounts because that’s where the money is.


The Justice Department recently said that cybercrime is one of our greatest national threats, and Europol, the law enforcement agency of the European Union, recently noted four cybercrime trends that threaten everyone, everywhere:

• Continuing use of ransomware. This is malicious software that is covertly installed in a victim’s computer, smartphone or other device and which then mounts an extortion attack while holding the victim’s data hostage, or threatens to publish the victim’s data, until a ransom is paid. Ransomware remains a top malware threat, along with banking Trojans, which are malicious programs that mislead users into opening them so that the cybercriminal can steal confidential banking and payment-system data.

• Identity theft. This cybercrime category continues to morph as criminals discover new ways to steal identities and information. A study by Javelin Strategy & Research found that the number of identity fraud cases rose 16% in 2016, costing victims a record $16 billion. An estimated 15.4 million US consumers were affected by fraud — nearly 2 million more than in 2015.

• More sophisticated phishing. The use of fraudulent emails to induce recipients to send personal information cost business an estimated $9 billion in 2016. Private sector security organizations have registered an increase in phishing aimed at high-value targets. CEO fraud, a refined variant of phishing, has become a key threat to businesses of all sizes.

• Wider criminal use of data. Stolen data, already exploited for financial gain, is increasingly employed by criminals in more complex fraud and extortion schemes.

Fortunately, only 3% of advisory firms report that any of their firm-level or client data ever has been compromised as the result of a security breach, according to findings of the InvestmentNews 2017 Adviser Technology Study. That’s virtually unchanged from the 2% who reported such activity in 2015.

Another good sign is that 90% of advisers surveyed said that their firm has a documented cybersecurity plan in place. Nevertheless, while firm-level security measures appear to be strong, any breach could have devastating effects on however many clients are affected, not to mention firm and adviser reputation and even a firm’s ongoing viability.

The bottom line is that the wealth held in client accounts makes firms and clients vulnerable, and advisers should do everything possible to reduce the risk of cybercrime for their clients and educate them about cybersecurity. The following information will help do that.


Anti-cybercrime steps for advisers

• Assess and identify potential problems. Advisers should enumerate the kinds of information they keep, where it is kept and what would happen if a hacker accessed that information. What cybersecurity protections are already in place?

• Create a cybersecurity plan. To combat cybersecurity threats, develop a program that includes encrypting data and making sure that only certain people can access that data. Also, institute a policy of regularly backing up data and a detailed plan of what you would do if a hacking attack were to occur.

• Write it all down. Make sure your information technology and cybersecurity policies are written and that employees know where and what they are and get trained to execute them. Include in your documents the advice you provide to clients to help them reduce their risks. Have written documentation of memos, time-stamped reports and spreadsheets that prove you are doing what you say you are doing.

The following are some important do’s and don’ts for advisers to keep in mind when executing on those three key action steps:

• Do make use of all tools available from your broker-dealer or custodian. The securities industry is investing tens of millions of dollars in cybersecurity, making tools and resources available to advisers and their teams. Actively seek out those tools and become known at your firm for your interest in and commitment to cybersecurity.

• Do eliminate weak links in your systems. Hackers will be turned away from systems that use strong passwords and encryption. Don’t let users share passwords. In addition to PCs, encrypt all thumb drives, cell phones and tablets. And set untended computers to lock automatically after a set number of minutes.

• Do take preparation, training and review seriously. Put effort into your plan, review it seriously on a regular basis, document that review, and make sure that all staff — including even those who don’t usually deal with clients or their information — are regularly trained and updated on cybersecurity policies and procedures. Since staff carelessness or inattention can be the weakest link in the defense chain, make sure that you and your staff never download an attachment or accept a request if it can’t be verified.

• Do be alert to things that don’t feel right. Suppose, for example, that a staff member receives a phone call from someone saying he’s from Microsoft tech support and has noticed a computer virus on your system. Even if the employee isn’t aware that reputable tech support operations don’t work that way, he or she should immediately sense that the call is out of the ordinary and somehow amiss. Given that feeling, the employee should hang up immediately and not let the unidentified caller connect to the firm’s system. Similarly, if you or staff receive an e-mail from a client saying they’ve been mugged on vacation or have lost their wallet or passport, most likely their e-mail has been hacked. Contact that person via landline or cell phone and confirm the story.

• Do educate your clients in how to communicate with you safely. Advisers should require multifactor authentication (use of a token or other identifier beyond password or ID) for client communication through Gmail, Yahoo! and other major providers. This will protect them, and you, from hackers.

• Don’t keep cybersecurity a secret. The financial advice business is competitive, but there is one area where cooperation, not competition, is paramount: cybersecurity. Discuss the issue frequently with peers and share any ideas you have.

• Don’t lull yourself into thinking cybersecurity is someone else’s problem. Be alert to news and developments in cybercrime and cybersecurity and seek more information and update plans and programs accordingly. Start by identifying your three biggest potential threats and get to work addressing them.

Anti-cybercrime suggestions for clients

Just as clients turn to trusted advisers for financial and investment advice, they may come to see their adviser as a resource regarding the safety and security of their wealth — and the personal information surrounding those assets — as more of their financial life moves online.

In addition to the client-related aspects of information already mentioned, here are some cybersecurity guidelines from the Federal Bureau of Investigation and other sources that will help protect your clients when they venture online:

• Back up all data. Storing all sensitive files in a secure facility on the cloud is recommended, as is backing up data onto a removable storage device that can be kept in a home safe.

• Be careful with downloads. Carelessly downloading e-mail attachments can circumvent even the most vigilant anti-virus software. Remind clients to never open an e-mail attachment from someone they don’t know, or even forwarded attachments from people they do know. Those attachments may contain malicious code.

• Don’t click on ads. Many online banners and other advertisements are come-ons used by hackers to gain access.


• Don’t overshare on social media. Broadcasting where you are and what you are doing leaves trails that cybercriminals can use to track where clients are — and when they may be vulnerable to being hacked, robbed, scammed or extorted.

• Install or update antispyware technology. Spyware is software that is surreptitiously installed on a computer to let others see user activity, and it can collect personal information without the computer owner’s consent. Some operating systems offer free spyware protection, and inexpensive software is readily available for download or purchase. Tell clients to make sure they trust the site they are buying from: they should first verify any brand name they receive a pitch about by looking at its web site, and then review its product on reputable sites such as pcmag.com.

• Install or update antivirus software. Designed to prevent malicious software from embedding in a computer, antivirus software detects malicious code, including viruses and worms, and then disarms or removes it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.

• Keep firewalls on. A firewall can keep hackers from accessing computers remotely and stealing or deleting information. Ask clients to check to see if their computer came with a preinstalled firewall. If not, suggest they buy one. And remind them to keep it turned on at all times.

• Keep operating systems up to date. Computer operating systems are updated periodically to stay in tune with technology requirements and to fix security holes. Remind clients to install the updates to ensure their computer has the latest protection.

• Turn off computers. Many clients opt to leave their computers on and ready for action at all times. Computers that are always on are more susceptible to hacking. Turning the computer off effectively severs any connection an attacker may have made.

• Use secure connections when going online in public places. When using wi-fi on an airplane, in a hotel or at another public site, especially over an unsecured network, remind clients never to check bank balances, log in to credit card or other accounts, or share important personal information. These can easily be stolen.

A final aspect of cybercrime protection that advisers and clients alike should consider is the client’s liability and umbrella insurance coverage. These policies vary greatly in their protection. But since clients of advisers typically have greater financial assets and more to lose than other victims of cybercrime, holistic financial advisers should be aware of the cybercrime coverage provided by their clients’ liability insurance, and review whether it is comprehensive and adequate.


Because of the growing cybercrime problem, some carriers now include services such as notification and assistance with filing a police report; creating a fraud affidavit and developing a comprehensive case file for investigative and claim handling purposes; assistance with documentation and phone calls needed to resolve a case; and comprehensive disaster recovery that can include emergency authentication and coordination with aid organizations, and retrieving, replacing or recreating lost or destroyed legal, financial or personal identification documents.

Specific advice for small-business owner clients

Because of their wealth and their greater activity online, owners of small businesses are among the most attractive targets of cybercriminals. When preyed on by cybercriminals, small-business owners can find that their personal as well as business information and resources are threatened.

Here are some guidelines and suggestions that advisers can pass along to their small-business-owner clients to help reduce the risk of a cybersecurity breach in their business — which could well result in danger to their personal information and wealth.

• Act immediately. Should a cyber-incident occur, it’s critical that small-business owners execute their response plan and promptly notify authorities in the event of breaches of personal information.

• Do thorough background checks of potential employees. Small-firm employees often have access not only to business information, but also personal information of the owner. Since experts believe that employees are accounting for a growing share of cybercrime, it is important to do criminal and background checks of all potential employees.

• Encourage owners to have a response plan. Before any event occurs, small-business owners should prepare an incident response plan that designates the individual within the business who will take charge if a cyber incident occurs. The plan should include the names of experts prepared to provide legal advice as well as assist with assessing the extent of the incident. It also should include specific steps to halt and block the intrusion.

• Protect data. Stress the importance of using updated antivirus software to protect against viruses, and recommend that they regularly back up data and store it offline.

• Remain compliant. If your client’s business accepts credit-card payments, remind them to work with their bank or payment card processor to make sure they are compliant with the Payment Card Industry Data Security Standards. If the business stores personal health information, remind them to review the regulations of the Health Insurance Portability and Accountability Act.


• Train staff. Many cyber incidents may be preventable through employee training and preventive measures such as not opening emails or attachments from an unknown source. Most people don’t think about cybersecurity until a breach occurs. Regular training can help maintain alert levels. Create and explain communication procedures, particularly those that deal with financial movement and verifying client requests.

Conclusion

Cybersecurity is a word that few veteran advisers were aware of not so long ago. Today, however, they are not only familiar with the term but realize it is essential for their clients’ financial well-being and their own business success.

Because of its importance, cybersecurity demands the attention of advisers. Using the tools and resources increasingly available to them, advisers must integrate cybersecurity into their business and treat it as the priority it has become.


About This White Paper

This white paper was co-developed by Cadaret, Grant & Co., Inc. and InvestmentNews Research in February 2017.

About Cadaret, Grant & Co., Inc.

Cadaret, Grant & Co., Inc. is a privately-owned independent broker/dealer, based in Syracuse, New York. We have been servicing over 900 independent financial advisors in branch offices nationwide for more than 30 years.

As a leader in the broker/dealer industry, we offer advisors stability, tools to grow their practice, unparalleled customer service, and the best technology in the broker/dealer world. We make decisions based on the needs of advisors and the way they want to serve their clients.

We have found that advisors today are looking to re-declare their independence. And, they are doing it at Cadaret, Grant. Please contact Cadaret, Grant Recruiting for more information at 800.288.8601 or visit us at www.cadaretgrant.com. Cadaret, Grant is a member of FINRA/SIPC.

About InvestmentNews Research and IN Content Strategy Studio

The mission of InvestmentNews Research is to provide financial advisers with the industry’s most informative practice management studies and benchmarking reports. Our benchmarking studies are a leading source of market intelligence for advisory firms and industry partners, such as custodians, broker-dealers, service providers and professional organizations.

In 2009, InvestmentNews acquired two bellwether benchmarking studies from Moss Adams LLP – the Adviser Compensation & Staffing Study and the Financial Performance Study of Advisory Firms. We continue to improve and expand these two critical industry studies, while we have also introduced new studies on technology and succession planning, which support the growth and development of financial advisory firms.

In tandem with our IN Content Strategy Studio (INCSS), InvestmentNews Research is now developing custom studies, reports and white papers for some of the industry’s most influential companies. INCSS has focused on creating insightful, unique content that empowers advisers and provides firms that support advisers with assistance in understanding – and engaging with – this important audience.

For more information on InvestmentNews Research or IN Content Strategy Studio, please contact Mark Bruno at [email protected].

Owned by Crain Communications Inc., InvestmentNews is the premier provider of news, data, research and events to the financial advisory industry. Through our weekly newspaper, website, data centers, benchmarking reports and conferences, we provide industry-leading tools and resources that allow financial advisers to learn more about their businesses, clients and competition.
