Cybersecurity, Working At Home: What Advisors Must Know

With so many wealth management advisors based at home rather than in the office, it's understandable that there is widespread concern about how robust IT is. The cybersecurity stakes have become more urgent. This article explains some of the issues.
This news service has already examined cybersecurity threats arising from the trend of working from home, accelerated by the COVID-19 pandemic. In this article, we have comments from Paul Dalton, chief technology officer, and Stacy Sizemore, chief compliance officer at tru Independence, the US-based consulting and services platform for wealth management firms. The editors are pleased to share these insights and invite replies. The usual editorial disclaimers apply. Email tom.burroughes@wealthbriefing.com and jackie.bennion@clearviewpublishing.com
The necessity of working from home following the coronavirus
pandemic triggered new cybersecurity and compliance risks for
financial advisors.
According to a recent survey by the security and compliance firm
OS33, only 15 per cent of advisors passed a cybersecurity and
compliance test for crucial security and compliance points
identified in a recent FINRA cybersecurity alert.
In addition to the already stringent measures, many smaller,
independent firms don’t have their own IT or compliance
departments working out how to address these risks 24/7. As firms
work remotely, financial advisors need to be mindful of new
cybersecurity and compliance threats and take steps to combat
them in the wake of the coronavirus.

Potential security breaches

Because nearly everyone is working from home, cybersecurity
concerns for advisors tend to look different in the age of the
coronavirus. As a result, it’s critical to be cognizant of
potential breaches while working from a new
environment.
Connecting to public Wi-Fi is one obvious example. Using
personal or shared family devices, a lack of enterprise-level
file security, or being unable to connect via VPN can also leave
advisors and their clients vulnerable to malware infection.
Inadequate home internet security, few or zero controls
around data egress, or using out-of-date technology pose
additional risks.
Advisors should keep in mind that if they speak too loudly about
a client while working in their apartment, there is a possibility
that neighbors could hear through thin walls.
If advisors leave their computer unlocked and unattended, their
children could accidentally transfer money to the wrong source.
Downloaded files with a client’s personal identifying information
on a shared family computer could result in a potential breach if
an advisor’s children use that computer for homework.
What’s more, if downloaded client documents are never deleted
from the “downloads” folder, and another family member or child
takes that computer to a public area with unsecured Wi-Fi,
those documents risk exposure. As advisors participate in an
increased number of video calls, it is important to be aware of
what is visible on screens. Accidentally sharing a screen with a
client could risk leaking another client’s private information.

Mitigating risks

For advisors, the first line of defense against cybersecurity and
compliance breaches is to be aware of the potential threats; the
second is to take steps to help you stay protected.
The most effective way to mitigate risks to both cybersecurity
and compliance is education. If your company does not already
have cybersecurity and remote work training in place, work with
your team to introduce it. For both advisors and clients, it is
essential to update computers frequently, make sure that
anti-virus software is up to date, and always use a VPN to secure
the internet connection.
Advisors should also be prepared to comply with standards set by
the SEC and FINRA, under which regulators could ask firms for a
copy of business continuity plans (BCPs) at any time.
As firms scramble to update their models, it is imperative to
know that you could receive a request at any time, and the plan
will need to fit the COVID-19 work-from-home procedures.
In addition to being aware of cybersecurity threats, advisors
must be able to demonstrate what they are doing to mitigate
security risks. Regulators want to see that advisors have enacted
a plan and can demonstrate that they have updated it to fix any
holes that are found as a result of working from home.
As advisors limit face-to-face interactions with clients and
communicate digitally, they need to keep proper documentation
procedures in place for every type of communication.
For example, all emails, social media communications and even
texts with clients and prospects should have clear archive
procedures. And advisors should communicate all cybersecurity
precautions and warnings to their clients to help protect both
sides.
As the coronavirus crisis escalates, it’s critical that
technology and compliance officers continue to remind employees
of the firm’s technology and privacy policies, particularly their
fiduciary duty to fervently guard clients’ personal information.