If there was ever an industry that's required to protect data, it's financial services.
Customers rely on brokerages, advisors, accountants and even insurance agents to keep their information safe, secure and confidential.
Well before the stay-at-home mandates of the pandemic, state regulators and the Securities and Exchange Commission were issuing stronger guidelines for financial advisor cybersecurity.
"The SEC's Office of Compliance Inspections and Examinations has made it crystal clear that cybersecurity is a priority. And with good reason," says Andrea McGrew, chief compliance officer and chief legal officer at USA Financial, an independent broker-dealer headquartered in Ada, Michigan.
"A data breach can be devastating to investors and can have a far-reaching impact," McGrew says.
Mike Pedlow, executive vice president and chief compliance officer at Austin, Texas-based Kestra Financial, says financial companies should anticipate specific measures to attract regulatory attention. Those include "multifactor authentication, which verifies someone's identity by sending a code via text message before allowing access to sensitive information," he says.
Other items on the regulator's radar include encryption of emails and data files.
"This keeps your clients' private information secure, even if there is a breach," says Pedlow, whose firm provides technology and consulting services to financial advisors. He also says regulators are looking for secure wireless networks and "complex and unique passwords. Don't use your Netflix password!"
Pedlow points out that a security breach outside an advisor's firm can also affect the firm's clients.
"Recently, we had a scenario where (the email of) a client's attorney was infiltrated because a junior employee of the law firm used the same password for their work email and one of their local service providers," he says.
"The local service provider was breached, and the criminal was able to access the law firm email. The criminal watched email traffic long enough to understand language patterns, the people involved, the forms used and the timing of distribution requests," Pedlow says.
After observing the patterns for a while, the criminal made a fraudulent fund distribution request. "When our financial professional called to verify the instructions, the junior employee confused their actual request with the fraudulent request , and the money was sent to the criminal's account instead of the client's," Pedlow says. "In this case, we caught the error quickly and were able to recover the funds, but that is not always the case."
State and federal regulators are looking closely at risk mitigation. During firm audits, examiners want to see evidence of systems to prevent breaches or to quickly identify when a breach occurs.
Examiners want firms to be proactive about implementing cybersecurity systems, says Mark Alcaide, senior managing director at compliance consultancy Foreside, which is headquartered in Portland, Maine.
"First and foremost, regulators want to have confidence that an advisory firm understands its cybersecurity risks based on its business model, types of clients and key vendors" Alcaide says. "Has the firm performed a cybersecurity risk assessment? Has the firm taken reasonable steps to mitigate its known cybersecurity risks?"
One example he gives is that many firms in a remote work environment are leveraging video meeting services like Zoom.
Alcaide notes that the FBI in late March issued a warning regarding multiple cyberbreaches on Zoom, also known as "Zoombombing," and highlighted steps firms should take when using the online conference app.
When looking at an advisory firm's commitment to cybersecurity, regulators want to see robust policies and procedures, staff training and regular testing of systems to identify possible holes.
"Of course, it doesn't help if you conduct tests and train staff without also maintaining adequate documentation of those tests and training sessions," Alcaide says.
He adds that regulators are focusing on human behaviors that contribute to or mitigate data vulnerability.
One problem is phishing, which involves the use of emails designed to look like they come from a trusted or reputable sender to steal personal information Often, these emails appear genuine, causing firm employees to divulge confidential information, such as account numbers or passwords.
Alcaide says the rise in phishing attempts creates a renewed focus on advisors being vigilant, in addition to strong systems and spam filters.
McGrew also emphasizes the need for advisors and their employees to be cognizant of risks and not simply rely on software. She has witnessed situations where firms had proper protocols and systems in place, but they were not followed.
[READ: Q&A: Riskalyze.]
For example, she says, best practices dictate that financial advisors confirm any email distribution requests from clients verbally. That is an additional safeguard against phishing or other fraudulent behaviors. It's a matter of the advisor or a staff member simply calling the client to verify that he or she did, indeed, email a request for a withdrawal or transfer.
"When that practice is not followed, bad actors can obtain the keys to the kingdom," she says.
She cites one situation in which a financial adviser received an email from what appeared to be a known and verified client email address. In the email, the client requested a withdrawal of $150,000, saying his bank account information had changed. The email also provided a fax number, so the advisor could send paperwork authorizing a distribution to the new bank account. That's a necessary step, but the advisor failed to call the client to confirm the request.
McGrew says the email address was actually wrong, but the advisor missed it.
"The client's original and legitimate email domain started with a 'w.' All subsequent emails were sent from an identical email address with one small change: The domain name started with 'vv.' An almost indiscernible, but devastating change," she says.
It was an easy scam to perpetrate, as people don't often scrutinize every letter in an email address. In this case, the fraudster completed the new direct deposit form and provided a voided check for the new account. McGrew says the $150,000 was sent from the client's brokerage account to the new account.
"The client noticed the unusual activity and called the financial advisor. The client was devastated, as was the financial advisor. And the entire situation could have been mitigated by making one simple phone call," she says.
The extra steps and layers of security may be a hassle, but it's worth taking these measures, Pedlow says.
"It may seem like a pain to follow security protocols, but I can assure you that it is nothing compared to the pain and embarrassment of having to notify your clients that you exposed their information because you didn't follow your firm's policies or didn't take simple precautions," he says.
More From US News & World Report