A weak link in many financial advisers’ cybersecurity plans is the outside companies that help run their businesses, such as payroll companies and computer-repair firms.
Advisers want to focus on delivering great service to customers, so vendors' cybersecurity practices are often not top of mind, said John Brady, head of information security at the Financial Industry Regulatory Authority (FINRA), at a recent conference.
“In a lot of cases, they're trusting their vendors to look out for their best interests,” Brady said.
That trust could be costly. Data breaches can require expensive notifications to customers and payments for credit monitoring services, along with bills from lawyers and technology experts.
FINRA, Wall Street’s industry-funded watchdog, requires the more than 4,000 brokerages it oversees to supervise their vendors. The U.S. Securities and Exchange Commission, which oversees investment advisers, has issued guidance on how firms can monitor vendors.
An SEC examination of 57 broker-dealers and 49 registered investment advisers revealed that most had experienced cyber-attacks directly or through their vendors, according to a February report.
What is more, 30 percent of 40 banking organizations surveyed by the New York Department of Financial Services did not appear to require outside vendors to notify them of breaches, according to an April report.
For extra security, consider the following measures for vendors that have access to your firm’s most sensitive data.
1. Visit their offices to get a first-hand look at security. Check for cameras and make sure employees wear badges, said Joseph Rivela, chief strategy officer and co-founder of Breach Intelligence Inc, a New York City-area information-security consulting firm.
2. Make sure your cyber-security insurance covers your damages from vendors' information-security failures. Insurers, however, will still likely expect you to do your part in monitoring, Rivela said.
3. High-risk vendors, such those that access client data, should let you know if they hire a subcontractor. And you should require in contracts that policies you set for vendors extend to their subcontractors. For instance, if your vendors' employees must have background checks, their subcontractors’ employees should too. Depending on the risk level of certain vendors, you may even want to prohibit some from using subcontractors, said Rocco Grillo, who heads a global information security unit at Protiviti, a division of California-based Robert Half International Inc.
4. Consider getting warranties from vendors that promise they will use virus protection. Benjamin Lawsky, New York's financial services regulator, expects to propose a rule this year that will require banks to get warranties from vendors about cybersecurity protections they have in place.
5. Include vendors in plans for responding to breaches. For example, note the cellphone number of your vendor’s IT person. Role-play a data breach with vendors to see if there are weaknesses in their responses.
Finally, make sure you have a back-up company in place to take over if you have to quickly cut ties with a vendor.
"It's not easy to just pull the plug," said Grillo.
(Reporting by Jennifer Cummings; Additional reporting by Suzanne Barlyn; Editing by Suzanne Barlyn and Steve Orlofsky)