Reducing the greatest cyber security risk -- the one from within

NEW YORK (Thomson Reuters Regulatory Intelligence) - The greatest cyber security risk to an investment advisory firm may be its own staff, so a training and education program that addresses relevant cyber threats is vital.

A stock broker's fingers feverishly key in the day's proceedings on a computer keyboard, at a brokerage firm in Bombay May 19, 2004.

In 2019, among the most important cyber security steps investment advisers must take are training staff to identify phishing emails, securing and protecting company devices, and verifying the movement of client funds.

The increased use of automation and reliance on electronic communications can cause a firm employee to unknowingly allow an unauthorized party to access company systems and, ultimately, clients’ non-public information or funds.

Therefore, a firm that includes staff education in its overall plan against cyber-attacks will be best prepared to keep its infrastructure intact.


Cyber security is one of the greatest risks currently facing the financial-services industry, and a perennial examination priority for the Securities and Exchange Commission.

The SEC has prioritized cyber security during adviser examinations with an emphasis on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

Specifically, in its 2019 exam list, the SEC has added emphasis on the cybersecurity practices of investment advisers with multiple branch offices, including those that have recently merged with other advisers.


The forms of electronic communication have expanded; however, email continues to be the primary channel for most investment advisers.

Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information.

A firm’s email administrator or filtering system may not always catch these emails, so firm associates must be able to recognize them before acting on them. In many cases, once sensitive information is handed to the scammer, they can use the account numbers, usernames, passwords and other details to commit fraud.

Firm associates should be suspicious of emails that do not address the individual by name: if a bank or brokerage firm were notifying a customer of an issue, it would know and use the customer’s name.

The display name should also match the actual sender, so it is prudent to check that the sender’s email address in the header is consistent with the display name.

In addition, a phishing email will often be unsolicited or unexpected and contain grammatical or spelling errors and unnecessary capitalization. A firm individual must be wary of attachments and links as well. An unexpected attachment or prompted download can inadvertently install malware or ransomware.

When a link is present, it is always best policy to open a new browser tab and reach the site by manually searching for or typing its address rather than clicking the link.

Lastly, a firm individual must alert the compliance department or other proper authority once a phishing email is identified. Phishing attempts can also spill over into social media, so diligence must extend beyond email.
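The header and content checks described above (display name versus actual sender address, a generic greeting instead of the client’s name, urgency language, links and unexpected attachments) can be turned into a small triage script that staff or a compliance team run over a suspicious message before anyone acts on it. This is an added example, not code from the article or from Thomson Reuters. The brand-to-domain table, the word lists and the three sample messages are constructed assumptions; a firm would populate the table from its own custodian and vendor list.

```python
"""Phishing indicator triage for one email message (added example, not from the article)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical brand -> legitimate sending domain table. A firm would fill this
# from its own custodian and vendor list; these entries are constructed.
KNOWN_SENDER_DOMAINS = {
    "example bank": "examplebank.com",
    "example custodian": "example-custodian.com",
}
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear client", "dear user", "dear account holder")
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def display_name_mismatch(from_header: str) -> bool:
    """Flag a From header whose display name claims one identity while the
    actual address sits on another domain (the header/display-name check)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name_l = name.lower()
    # Display name names a brand we know, but the address is not on that brand's domain.
    for brand, legit_domain in KNOWN_SENDER_DOMAINS.items():
        if brand in name_l and domain != legit_domain:
            return True
    # Display name is itself an email address at a domain other than the real one.
    embedded = EMBEDDED_ADDR.search(name_l)
    return bool(embedded and embedded.group(1) != domain)


def phishing_indicators(raw_message: str) -> list[str]:
    """Run the awareness-training heuristics over one RFC 5322 message and
    return the human-readable indicators that fired (empty list: none fired)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    if display_name_mismatch(str(msg.get("From", ""))):
        findings.append("display name does not match sender address")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(g in body for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the client's name")
    if any(w in body for w in URGENCY_WORDS):
        findings.append("urgency language")
    if re.search(r"https?://", body):
        findings.append("contains a link: open the site manually instead")
    if any(True for _ in msg.iter_attachments()):
        findings.append("unexpected attachment")
    return findings


# Constructed sample messages (not real mail); all domains are placeholders.
SAMPLE_PHISH = """\
From: Example Bank Security <alerts@mail-secure-login.net>
To: adviser@firm.example
Subject: Action required on your account
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Your account has been suspended. Verify now at http://login.example.net/verify
"""

SAMPLE_LEGIT = """\
From: Example Bank <notices@examplebank.com>
To: adviser@firm.example
Subject: Quarterly statement available
Content-Type: text/plain; charset="utf-8"

Hello Jane Doe,
Your quarterly statement is ready in the client portal.
"""


def build_attachment_sample() -> str:
    """Constructed multipart message carrying an unexpected attachment."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@vendor.example>"
    msg["To"] = "ops@firm.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 placeholder bytes", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT),
                       ("attachment", build_attachment_sample())):
        print(label, phishing_indicators(raw))
```

The script is a training aid and a first-pass filter, not a replacement for the mail gateway’s own authentication checks (SPF, DKIM, DMARC): a message that trips none of these heuristics can still be malicious, which is why the article’s escalation step, reporting to compliance, remains the final control.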


Investment adviser staff use multiple devices to service their clients. Many individuals will have a personal or firm-issued smartphone and laptop. Both devices may have access to nonpublic information of the firm and its clients.

Therefore, staff must take certain steps to ensure each device is safe and always secure. For example, an individual must be aware that a device cannot be left unattended at a coffee shop, or even in some areas of the firm’s office.

Adviser staff must use strong passwords. A strong password reduces the risk of it being cracked and used for fraudulent activity. Maintaining strong passwords includes not reusing the same or similar passwords across platforms and never storing a password in writing or in the individual’s web browser.

Lastly, a representative with firm-connected devices should ensure anti-virus software is installed, up to date and active on all of them.


The movement of clients’ funds is risky without proper verification of identity. A properly authorized adviser can instruct a custodian to issue checks, move money between accounts within the custodian and even request a third-party wire or check, with certain exceptions.

Authority of this nature requires the advisory firm and its representatives to perform proper due diligence before acting on any fund transfer. This goes hand in hand with phishing emails because clients of investment advisory firms frequently have their email accounts compromised, and sophisticated hackers then immediately target the victim’s financial adviser.

Therefore, an individual must review all fund transfers with fraud in mind. A firm’s procedures may require its representatives to verbally confirm all wire requests. This is especially important for third-party wire requests.

A firm individual must also be careful with any request made via electronic communication, or any request that exhibits suspicious characteristics.

A wire request that does not match the customer’s usual form of communication, an amount that is atypical for the client, or a request with an overly high sense of urgency may also warrant further review and investigation to prevent fraud.

(Jason Wallace is a senior editor for Thomson Reuters Regulatory Intelligence. Email Jason at

This article was produced by Thomson Reuters Regulatory Intelligence - - and initially posted on Jan. 22. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters