BreachExchange mailing list archives

Could One Cyber Threat Take Down Your Practice?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 27 Mar 2014 18:47:59 -0600

http://wealthmanagement.com/blog/could-one-cyber-threat-take-down-your-practice

The data breach that hit Target late last year caused a flurry of concern
over cyber security at institutions that hold client and customer
information. But large companies such as Target may actually be better off
than registered investment advisors--most of whom are small business owners,
as speakers at an SEC panel alluded to on Wednesday.

"I think the risks to IAs, in particular, is kind of scary because one data
breach could bring down an IA, I think very quickly because of the kind of
notifications and the kind of relationships they have with their clients,
and the integrity," said John Reed Stark, managing director at cyber
security firm Stroz Friedberg.  "There's really a direct correlation, as
opposed to a retail data breach, where you may still shop there afterwards.
But if your money is in custody of someone and they're handling your
wealth and suddenly it's at risk, you might feel differently."

Eighty-eight percent of SEC-registered investment advisors have 50 or fewer
employees, while 58 percent of them have 10 or fewer employees, said David
G. Tittsworth, executive director and executive vice president of the
Investment Adviser Association.

"Typically those smaller firms don't have the resources the larger firms
have," Tittsworth said, during the panel.

Some of IAA's larger members, particularly on the institutional side, are
members of the Financial Services Information Sharing and Analysis Center,
which shares threat intelligence among its members, Tittsworth said. These
larger firms are cooperating with other big players in the industry and
government, having robust dialogues about cyber threats and what to do
about it.

"These smaller firms--there's nothing that is equivalent to that," he added.
"I think we need to do more."

Finding the personnel to handle security breaches is particularly
difficult--even for larger firms, Stroz Friedberg's Stark said. There are no
incident response schools you can turn to for recruits, and there are only
a few master's programs on the subject.

"It's a new breed of professional, and there's a huge shortage among them,"
he said. "So to expect an IA to have some sort of incident response
infrastructure in place with personnel is a big expectation, even if they
want to."

One emerging threat, Stark pointed out, is the stealthier cyber attack,
in which intruders leave no evidence that they were there. This type
of attack will be new territory for investment advisors and broker/dealers.
The intruders are looking for intellectual property, inside information, or
identities of people to use in ways other than just financial.

"Picture it this way: You come home, and you think your house has been
robbed; and nothing is out of place and nothing's missing," Stark said.
"This is what a lot of these attacks are like."