How Does Your Cybersecurity Tech Stack Measure Up?

October: A Time for Cybersecurity Awareness in Wealth Management

As the leaves turn and the air grows crisp, October ushers in a season of spooky festivities. Yet, for IT specialists in the wealth management sector, the specter of cyber threats looms year-round. While children don costumes and knock on doors in search of treats, cybersecurity professionals are on high alert, guarding against the ever-evolving tactics of cybercriminals. This article delves into the pressing cybersecurity challenges faced by the wealth management industry, particularly in the context of the alternatives space, and offers insights from industry experts on how firms can bolster their defenses.

The Growing Cybersecurity Landscape

In recent years, the wealth management industry has witnessed a significant uptick in regulatory scrutiny and cyber threats. As regulators implement broader guidelines, firms must navigate a complex landscape of compliance while safeguarding sensitive client information. The alternatives space, which includes hedge funds, private equity, and other complex investment vehicles, has become particularly attractive to retail investors. However, with this growth comes heightened concern over cyber risk, which is now ranked among the top worries for both investors and asset managers.

October is designated as Cybersecurity Awareness Month, a timely reminder for all online users to remain vigilant against digital dangers. Cybersecurity is inherently challenging, as human error often undermines even the most sophisticated defenses. Financial services firms must continuously evaluate their cybersecurity technologies, protocols, and controls to meet stringent regulatory standards and defend against increasingly sophisticated cyberattacks.

Identifying Vulnerabilities: Insights from Industry Experts

To better understand the cybersecurity landscape, we consulted three industry specialists who shared their insights on common vulnerabilities and strategies for improvement.

John Messinger: The Hidden Risks of Productivity Tools

John Messinger, Information Security Officer at FusionIQ, emphasizes the often-overlooked risks associated with productivity and coordination applications. Many firms focus on traditional vendors when assessing risks but neglect “free” or low-cost third-party applications. These tools, such as meeting request platforms, CRM integrations, and browser extensions, can access sensitive data, potentially storing it outside the company’s approved infrastructure.

For instance, a browser extension designed to enhance writing may inadvertently access sensitive client information. To mitigate these risks, Messinger advocates for stricter policies regarding the vetting and approval of third-party applications. Firms should limit the use of such tools, regularly review app permissions, and educate employees about the potential dangers associated with seemingly innocuous productivity applications.

Robert Jersey: The Importance of Routine Audits

Robert S. Jersey, CEO and President of Gar Wood Securities, highlights the pervasive nature of cyberattacks across industries. With sensitive information at stake, it is crucial for firms to conduct routine self-audits and third-party audits to ensure robust security protocols are in place. Clients expect reassurance that their data is secure, and in the event of a breach, they want to know that measures are in place to protect them.

Jersey also stresses the importance of regularly reviewing staff access to personally identifiable information (PII). Limiting access to sensitive data reduces the likelihood of unauthorized individuals obtaining it, thereby enhancing overall security.

Sander Ressler: The Need for Vendor Audits

Sander Ressler points out that while self-audits of cybersecurity technologies and protocols are generally effective, they often fail to adequately assess the security measures of vendors providing critical platforms for broker-dealers (BDs) and registered investment advisors (RIAs). Vendors can present unique vulnerabilities, as they often have access to a firm’s proprietary data.

Ressler urges firms to inquire about and review breach reports and security concerns related to their vendors. By scrutinizing the cybersecurity practices of third-party providers, firms can better protect their data and mitigate potential risks.

Addressing Cybersecurity Gaps: Strategies for Improvement

As firms navigate the complexities of cybersecurity, several strategies can be employed to address identified gaps:

  1. Implement Stricter Vetting Processes: Establish comprehensive policies for evaluating and approving third-party applications to minimize risks associated with productivity tools.

  2. Conduct Regular Audits: Schedule routine self-audits and third-party audits to assess the effectiveness of security protocols and ensure compliance with regulatory standards.

  3. Limit Access to Sensitive Information: Regularly review staff access to PII and implement role-based access controls to reduce the risk of unauthorized data exposure.

  4. Engage with Vendors: Actively review and assess the cybersecurity practices of vendors to ensure they meet the firm’s security standards and protocols.

  5. Educate Employees: Provide ongoing training and awareness programs to equip employees with the knowledge and skills necessary to recognize and respond to potential cyber threats.

Conclusion

As October brings a heightened awareness of cybersecurity risks, it is essential for firms in the wealth management industry to take proactive measures to safeguard their data and maintain client trust. By addressing vulnerabilities, conducting thorough audits, and fostering a culture of cybersecurity awareness, firms can better navigate the challenges posed by cybercriminals and regulatory pressures. In this ever-evolving landscape, vigilance and preparedness are key to ensuring a secure future for both firms and their clients.
