Every week — and sometimes daily — Andy Zolper, chief information security officer at Raymond James Financial, receives inquiries from clients directly or through their advisers concerned about how the investment services company handles their data.
Many callers are business managers who face similar questions from their own customers. Some have experienced a cyber breach, while others are less knowledgeable. “But, boy, are they anxious because they’ve seen these issues in the media,” Mr Zolper says.
Broker-dealers are facing mounting pressure to secure their customers’ data as investors and regulators gain a greater understanding about the risks of cyber theft.
“Historically, breaches are [often caused by the fact that] companies thought they had protective measures but somewhere along the line they stopped working . . . and the bad guy exploits the gap,” Mr Zolper says.
Security at broker-dealers is made more difficult by the nature of the money management industry: most investment companies are made up of a geographically vast and decentralised network of individual investment advisers. This makes it difficult to ensure all are following data management policies. Companies are trying to overcome this in several ways.
For example, Raymond James’s financial advisers are divided into two categories: employees and independent advisers. Employees use computers and other equipment supplied, configured and run by the company, which means their data are easier to secure and monitor. Independent advisers are trickier to manage, Mr Zolper says. The company’s solution is to require these advisers to install cyber security programs on their own equipment, which is then monitored by the company.
Broker-dealers’ security concerns are compounded by the fact that most outsource the hosting of data to third parties, which may or may not comply with their clients’ security policies. Regulators have made it clear, however, that brokerages are liable for the mismanagement of data by individual money managers and by cloud data storage vendors.
Broker-dealers are required by the Financial Industry Regulatory Authority, the industry watchdog, to devise procedures for employees and third parties to protect customer information and to make sure these policies are followed.
In November Finra fined broker-dealer Lincoln Financial Securities $650,000 for failing to do just that. Not only did Lincoln have weak third-party controls, but lax security policies left the company open to a cyber breach in 2012, in which 5,400 customers’ personal and financial information was vulnerable, Finra alleges.
Lincoln settled the matter without admitting guilt and says it is unaware of any harm caused to customers as a result of the 2012 intrusion.
Attorneys expect regulators to keep the heat on finance companies, especially over how contractors manage their clients’ data. Aside from Finra, third-party vendors have also been identified as a significant source of cyber risk by the US Securities and Exchange Commission, the New York Department of Financial Services, the US Office of the Comptroller of the Currency and the UK’s Financial Conduct Authority.
According to Jeremy Feigelson, head of cyber security at law firm Debevoise & Plimpton, Finra’s disciplinary action against Lincoln sent a “very tough message” to broker-dealers. “If you’re running the mother ship company, your responsibilities don’t end at the perimeter of corporate headquarters,” he says.
Mr Zolper says his company and others in the industry visit their vendors’ offices to investigate their security practices and even use on-site closed-circuit television cameras to monitor security at some vendors.
Regulators are also concerned about whether broker-dealers and their vendors are storing customer data in a format that prevents them from being tampered with. In December Finra fined 12 broker-dealers a total of $14.4m for leaving hundreds of millions of customer records open to manipulation by cyber thieves due to the way they were stored.