
Financial Advisors Cybersecurity Risks: Aponix Financial Technologists Comments on NASAA Survey

Source: Aponix Financial Technologists

NEW YORK, Sept. 15, 2014 (GLOBE NEWSWIRE) -- Aponix Financial Technologists applauds the North American Securities Administrators Association (NASAA) for conducting its recent cyber-security survey of small investment advisors. The results of this survey indicate a number of misconceptions about cyber-security risks and terminology among small investment advisors, and a lack of awareness of their own cybersecurity incidents.

The survey found that only 4.1% of the participants were aware that they had suffered a cybersecurity incident, and only 1.1% had knowledge of theft or loss of data as a result of such a breach. In light of the TrendMicro study reporting that 78% of organizations have suffered a breach over the past two years, the gap in awareness that the survey suggests is stunning. This gap is largely driven by the fact that the average survey respondent had only three employees. Firms of this size generally lack the technology and sophistication to detect a cybersecurity breach.

The additional statistics cited in the study highlight this awareness gap. For example, only 44% report having policies and procedures in place for training their staff. Firms whose staff lack the security training to recognize forged emails are at higher risk of spear-phishing attacks. 17% report using free cloud services, many of which lack enterprise data protections such as encryption at rest, and therefore expose their data to breaches the firm may never learn of. A staggering 85% do not use mobile device management, meaning that the ability to protect data on lost or stolen smartphones is lacking, in addition to the absence of device data encryption and containerization. 76% utilize online or remote backup solutions, but in our experience the vast majority of these are not encrypted, subjecting the firm to data loss. Further, a surprising 73% do not utilize multi-factor authentication, meaning that a cracked, stolen, or reused password alone subjects the firm to a cyber incident.

Most of these firms fail to realize that an employee leaving the firm with any of the firm's data, whether client data or research reports, is itself a data breach. Most of the firms in this space lack basic intellectual property protections covering their employees.

The survey found that 62% of firms are conducting cybersecurity risk assessments; however, our experience in this space has been that these firms are conducting either basic network testing or self-assessment. While both activities are encouraged, firms ought to be conducting independent cybersecurity risk assessments, and the vast majority are not. We believe the high reported figure is due to the lack of standardized terminology: "risk assessment" is often confused with "[network] vulnerability testing" or "[network] penetration testing". A risk assessment covers deficiencies in documentation, processes and procedures, workflow flaws and vulnerabilities, vendor diligence, and more, in addition to internal and external network testing.

Aponix, Regulatory Compliance, and federal regulators will be hosting a conference to discuss investment advisor cybersecurity risks on October 14th in Manhattan. Details are available at www.etouches.com/nycyber.

Marc Lotti

(914) 743-5100 x700