Investment advisers are beefing up cyber security to meet strict new regulatory requirements and, in some cases, client demands.
Following a 2014 Securities and Exchange Commission directive on cyber security, registered investment advisers are expected to bring in new practices to protect clients’ money and data from hackers.
These include training staff, carrying out cyber risk assessments and updating lists of people with access to internal networks. Many advisers say they are going beyond the requirements. Some have contracted consultants to perform penetration testing — known as friendly hacking — on their networks. Others use CIA-grade encryption to protect data.
“We see it as a market differentiator in some ways,” says Jeffrey Powell, managing partner of California-based Polaris Greystone Financial Group, a registered investment adviser in the FT 300 list.
Polaris Greystone’s own additional security measures require clients to answer a private security question — such as “What was your wife wearing on your first date?” — in addition to providing details such as social security numbers, birthdays or signatures. Mr Powell says that additional safety measures are an important factor for many clients.
The SEC’s inspectors began probing investment advisers last year to make sure they were addressing the hacking threat. This was after a 2015 report by the commission’s Office of Compliance Inspections and Examinations revealed that 74 per cent of investment advisers in one examination had suffered cyber attacks. It also found 43 per cent had received fraudulent emails requesting a transfer of client funds. One adviser lost $75,000 of a client’s money because of an email scam, but repaid the client when staff realised their mistake.
In September, the SEC announced charges against St Louis-based RT Jones Capital Equities Management for failing to protect the personal data of 100,000 people, including the firm’s clients. RT Jones agreed to pay a penalty of $75,000. No one reported financial harm as a result of the hack and the company offered free credit monitoring services to people whose details had been compromised.
The offence, the commission said, lay in RT Jones’ failure to have written policies and other measures such as a firewall or encryption of the personal data on its server.
“The only thing that’s worse than not having policies and procedures is having policies and procedures but not following them. That’s where the SEC will step in,” says Jay Baris, chair of investment management at law firm Morrison & Foerster.
“One of the bigger changes is in documenting our process better,” says Nathan Howard, chief compliance officer at the Moneta Group. He adds: “The future is technology and with technology come risks. We have to be able to prove that we care.”
Colleen Brown, a partner at law firm Sidley Austin, says the new requirements have driven a sense of ownership of cyber security in many companies, especially smaller ones. For example, Ms Brown says, most investment advisers have historically outsourced data management. The regulatory and legal liability accompanying the SEC’s directives have raised the profile of a matter that had once been considered a vendor’s responsibility, she says.
Advisers are looking at the risk posed by third parties, another factor the SEC is examining. Other regulators, such as the Financial Industry Regulatory Authority and the New York State Department of Financial Services, have turned their attention to external providers.
“Advisers . . . want to make sure they are doing due diligence on whom they are connected with and to whom they have entrusted data,” says Rajesh De, a former general counsel of the National Security Agency who is now head of the cyber security practice at law firm Mayer Brown.