A compliance officer knows that he or she must consider third party risks in any assessment. As the threat landscape has changed, third-party risk has become more and more focused on information security. The need for initial and ongoing due diligence of critical third parties is understood and should be part of your program by now. But what about your customers? The Division of Investment Management’s Guidance (“DIM”) suggests that you “may wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.” How then can you comply with DIM’s recommendation and help your customers become more secure?
Obviously, it is more difficult to enforce granular IT controls on your customers than it is on your vendors. Your vendors would like to do business with you, and they understand that if they don't meet your expectations, you will look elsewhere. On the customer side, if you push too hard for security and make accessing information inordinately difficult, they may look for someone who not only accommodates their needs but is less demanding. Regardless, we hear from advisors all the time that hacked customer email accounts are regularly the source of attempted scams and represent a significant vulnerability to any organization.
Lax security practices on the part of clients can extend beyond simply losing control of an email address. Oftentimes, a customer's entire identity (including social security number, etc.) has been compromised, making it very difficult for the adviser to ferret out a fraudulent transaction. Certainly, the principles of "Know Your Customer" can make identifying a fraudulent request easier, but wouldn't it be better if the attempted fraud had been thwarted by a more diligent customer, so the threat never even reached your company's desk?
Of course, we'd all like to think that customers will protect themselves perfectly, all the time. But this is wishful thinking, since you will never be able to get every customer on board with security best practices. Nevertheless, you must convince customers of the need to secure themselves, which fortunately has become easier over the last several years as they have been confronted daily with news of data breaches, extending from the largest companies and insurers down to the smallest mom-and-pop shops.
In order to capitalize on your clients' awareness of these breaches, you should consider a very high-level program of cybersecurity awareness. We would recommend taking the time to develop a one-page explanation of what you, as a firm, do to protect their information. This can include a brief explanation of your Regulation S-P and S-ID obligations as well as a very high-level description of the steps you take to provide a secure environment. But remember never to disclose anything specific about your security infrastructure, as it could provide an avenue for attack. Very few customers are interested in hearing about your patching practices and anti-virus implementation. Hackers, on the other hand, will be very interested in such information.
Once you have outlined what you do to protect yourself, take the opportunity to discuss what your customers can do to protect themselves. For instance, if your company does not provide online access, you should confirm that your customers know the proper procedures for requesting wires and general funds disbursements. They should know how you will contact them and that you will NOT transfer their funds if you have any concern about the validity of the request. If you accept email requests for fund transfers or other account changes, you should inform clients of your procedures for out-of-band validation and confirmation, and make sure those procedures are clearly understood.
Obviously, if your firm does offer online access to a portal, the convenience factor for your clients increases, but so too does the risk of a security breach or financial loss resulting from lost or stolen credentials. Customers must be made aware that their general online behavior can have a potential impact on the security of your firm's online portal. In order to help keep your company's network and portal secure, your clients must practice good general cyber-hygiene.
At the very least, we recommend that you remind your clients of the following:
- Use strong passwords and change them frequently;
- Do not share passwords across sites;
- Do not use any part of a social security number or other easily identifiable information as part of a password (this includes children's names, pets' names, etc.); and
- Make sure that their computer has an up-to-date and patched operating system.
With respect to your specific online interactions with your clients, we recommend that you remind them of what information you will and will not ask for in an email, as well as what they should do if they suspect that the password they use to access your site has been compromised.
While these reminders may seem simplistic to the compliance officer or technology officer who deals with them on a daily basis, you need to remember that most people still need these basic guidelines. By starting at a level that is accessible and understandable to everyone, you will be more likely to achieve buy-in from your customers. When customers begin to take their online security into their own hands, your firm will be stronger and more secure as a result. Taking steps today will align your program with the DIM guidance and will put you at the front of the pack in terms of customer cybersecurity engagement. It will also reflect favorably on you with both regulators, who will see your efforts to protect your customers as in line with the new regulatory expectations, and potential customers, who will respect and grasp the seriousness with which you secure their personal information.