RIAs face a hazy and disparate regulatory landscape when it comes to cybersecurity, Norb Vonnegut writes in the Wall Street Journal. In such an environment it’s best to be proactive. If a data breach does occur, RIAs must do more than offer free credit monitoring, he writes.
The SEC requires advice firms to have reasonable safeguards to secure clients’ private data, Brian Hamburger, chief executive of compliance consulting firm MarketCounsel, tells Vonnegut. But there is no definition of what those safeguards are supposed to be, according to Hamburger. At the same time, state regulations on cybersecurity measures vary, Vonnegut writes. That means advisors who suffer a data breach may have to tell clients in one state something different from what they tell clients in another state, he writes.
Nonetheless the SEC, Finra and state regulators have gone after wealth management firms for data breaches, Hamburger tells Vonnegut.
Last summer the SEC fined Morgan Stanley $1 million for failing to supervise an advisor whose home computer was hijacked after he transferred data on around 730,000 customer accounts to it, even though the firm says no fraud occurred as a result of the breach. The wirehouse offered the affected clients credit monitoring and identity theft protection services.
Even in data breaches without an immediate financial loss, advice firms must be prepared for a more sophisticated attack later on, Alex Tilley, who heads electronic intelligence at SecureWorks’s Counter Threat Unit, tells Vonnegut.
Following an attack, therefore, it is not enough to tell clients that the firm will pay for credit monitoring, Vonnegut writes. Hamburger suggests that RIAs be included on the monitoring reports so they can watch clients’ accounts as well. In addition, firms may want to explain how they are looking for the source of the attack and outline the cybersecurity measures in place at the firm and at its third-party partners, he tells Vonnegut.
But a better way to stay on clients’ good side is to never have to explain why the firm lost their data in the first place, according to Vonnegut. For starters, advice firms can offer to pay for their clients’ digital password managers, he writes.