FINTECH VIEWS: Fighting the Good Fight – Q&A with Cambridge’s Larry Casey

The wealth management industry continues to invest in sophisticated tools, practices and policies to protect clients from data breaches and other security threats. The constantly evolving threat from bad actors is what drives Larry Casey, First Vice President of Information Systems and Chief Information Officer of Cambridge Investment Research.

“Cyber threats keep evolving, so our approach to them needs to evolve as well,” he told Digital Wealth News.

But it goes well beyond the threat to systems and data. With clients entrusting their financial lives to their advisors, cyberattacks can corrode the trust upon which the entire advisor-client relationship is built. Cyberattacks can pose an existential threat to the reputations that firms and advisors have worked so hard to build and maintain.

While growing regulatory requirements dictate how a firm protects clients’ privacy, notifies them of any issue and remediates damage, Cambridge has worked to constantly enhance and improve its protections, both internally and externally, Casey told DWN.

Wealth management firms need to prioritize protecting their affiliated advisors’ practices from bad actors, explained Casey. Larger firms with scale and resources may be better positioned to provide a variety of options to ensure the protection of their advisors and the clients they serve.

As Cybersecurity Month ends, DWN spoke to Casey, who is responsible for cybersecurity efforts at one of the larger independent wealth management firms, about what he’s doing, what he’s worried about and how the industry can continue to do better. Larry took time to answer our questions on how Cambridge responds to ever-evolving threats.


DWN: What cybersecurity measures does Cambridge implement to protect client data on its platforms?

Larry Casey: Cyberattacks are a growing threat to all businesses, with financial services being a frequently targeted sector. This means we must stay vigilant in protecting and managing the data Cambridge collects and stores as part of our daily business. We also must provide our financial professionals with cybersecurity solutions to help them better control and protect their technology systems from ongoing cybersecurity threats.

We focus on internal risk mitigation and external risk protection. To guard against internal risks, we are constantly looking to bolster the security, confidentiality, and integrity of our data. Our policy is to only collect confidential or restricted data that is absolutely necessary to accomplish a required task, conduct a legitimate business transaction, or comply with applicable laws and regulations.

Regarding external risk mitigation policies, we employ a defense-in-depth strategy to protect client data, which involves multiple layers of security measures. This approach ensures that if one layer is compromised, others remain in place to protect sensitive information. Examples are firewalls, IDS/IPS, encryption, endpoint security, and security awareness training. We don’t allow data to be removed from the premises and have strict guidelines surrounding who is allowed access to data.

We partner with industry experts to help our advisors protect their client data in their practices. Our cybersecurity compliance software provides monitoring and detection capabilities, SEC/FINRA compliance report generation, optional VPN connection, and asset risk-scoring. We also provide offsite cloud backup and restoration, remote machine management, email filtering, and hardware for cloud-based networking protection.

Cybersecurity communications, training and education for our advisors and home office associates are ongoing. Our senior management is terrific at reinforcing our messaging on data security at all of our meetings and events. That kind of top-down support is critical to driving home the importance of the topic and ensuring everyone knows they have a part to play in cybersecurity.

DWN: You mentioned cybersecurity regulation. The SEC has stepped up regulatory action against firms that are not complying with the agency’s recently implemented amendments to Reg S-P that require advisors and firms to have clearly defined procedures and advanced cybersecurity measures in place to protect client data, notify clients of a breach and remediate when something goes wrong. How has Cambridge responded?

LC: The SEC cybersecurity rules are good for the wealth management industry. While they will force firms to spend more on these efforts, the rules will ultimately protect clients. Cambridge has the scale, resources, and talent to ensure compliance.

Part of the new regulations many are trying to get their arms around is the requirement for firms to monitor the cybersecurity effectiveness of their third-party vendors. Failure to do so will likely result in severe SEC penalties going forward.

At Cambridge, we’ve made significant strides. As a firm working with independent business owners, we deal with a wide array of external third-party vendors our advisors choose to employ as they run their businesses. We have built a robust process around third-party vendor review and due diligence to accommodate this freedom and flexibility.

Our vendor oversight program sets high standards because it has always been our responsibility to ensure that any third-party or off-the-shelf product we use or allow our advisors to use meets security standards and protocols consistent with our firm’s policies. We also offer a wide variety of resources, guides, whitepapers, and best practices to help our advisors and their associates mitigate cybersecurity risks and protect client information.

For advisors who are interested in working with us on more of a 1-1 basis, we even offer a cybersecurity solution through our Cambridge Source offering that can help protect their technology systems from ongoing threats. Overall, we have always taken a proactive approach to cybersecurity, so meeting the SEC’s requirements has been a smooth process.

DWN: What cybersecurity trends are you currently monitoring? How are they impacting your approach to cybersecurity?

LC: Due to the constant evolution of threats, we aim to be proactive and anticipate potential issues and vulnerabilities across our ecosystem.

One of the trends we are seeing is business email compromise or BEC. This is a cybercrime that involves tricking employees or executives into sending money or sensitive data to fraudulent accounts. It sounds like a simple scam, but the bad actors continue to get more sophisticated and harder to diagnose. These individuals and groups pose as trusted figures, like business colleagues, to make the emails appear legitimate. Fighting this requires ongoing training.

Artificial intelligence is another obvious trend. As security and risk management leaders, we must address the cybersecurity implications of AI, particularly GenAI. Gartner outlines four key areas to focus on: using GenAI for defense, safeguarding against GenAI-powered attacks, securely developing GenAI applications, and managing the organization’s GenAI consumption.

The move from storing and managing data on-premises to the Cloud is ongoing and accelerating. This trend requires a new level of security monitoring and vendor oversight, especially during transfers. This adoption of cloud infrastructure demands robust security measures and thorough vetting of service providers to ensure data integrity and protection.

Additionally, the use of infrastructure as code (IaC) is becoming increasingly prevalent. IaC allows for the automation and management of cloud resources through code, which improves efficiency but also requires stringent security protocols to prevent vulnerabilities in the deployment of scripts and configurations.

At Cambridge, we continue to evolve with the risk that we see. By making cybersecurity a constant part of our engagement with our advisors, associates, and executives, we are better positioned to fight the good fight and protect the data entrusted to us. Cybersecurity Awareness Month may be in October, but it’s a year-round focus for us.