BreachExchange mailing list archives

Cyber reality check: Are advisors more vulnerable to a data breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 Oct 2015 11:38:22 -0600

http://www.lifehealthpro.com/2015/10/14/cyber-reality-check-are-advisors-more-vulnerable-t

Cyber security. Cyber breach. Cyber insurance. These are no longer terms of
the future. Is your firm ready to address each of these areas?

Experts agree that no matter the size of your business, if you handle
Personally Identifiable Information (PII), you had better be prepared to
protect it in ways you never considered before.

Or as a regulator ominously stated in response to a recent incident: “Firms
must adopt written policies to protect their clients’ private information
and they need to anticipate potential cybersecurity events and have clear
procedures in place rather than waiting to react once a breach occurs”.

The Securities & Exchange Commission case in question was settled with R.T.
Jones Capital Equities Management in September when it was found that the
firm violated the safeguards rule. The St. Louis firm, with assets under
management of $481 million and approximately 8,500 accounts, experienced a
loss of data on a third-party server via a suspected hack from 2009 to 2013
that exposed the PII of upwards of 100,000 individuals, many of whom were
clients of the firm. The firm was fined $75,000 and had to take other
precautionary steps to protect those affected.

This is a much more common problem than many realize. We hear about the
high profile cases, but a report that tracks data intrusions indicates that
there have already been 577 breaches in the country this year with nearly
156 million records exposed. It’s particularly frightening to see the sheer
number of businesses and financial services companies that are included on
the list. These types of reports are increasingly common since 47 states
(plus Washington D.C., Puerto Rico, Guam and the U.S. Virgin Islands) have
passed legislation which requires private or government entities to notify
individuals of security breaches of information involving PII. Only
Alabama, New Mexico and South Dakota have failed to follow suit.

The exposure of records can add up quickly. The financial sector ranks
third in the per capita data breach cost at $259 per record lost (behind
pharmaceutical and health industries at $298 and $398, respectively).

As a result, the trend of obtaining cyber insurance is on the rise. The
Wall Street Journal has reported that advisors are increasing the
business-insurance policies they hold and that some are opting for specific
coverage that includes “computer fraud and related damages”.

According to the article, premiums for this kind of coverage usually depend
on a “firm's annual revenue, assets under management or number of advisers,
as well as the particulars of its data systems—including how solid its
securities procedures are and whether maintenance is outsourced.” One
insurance broker interviewed for the story says only 50 of his 500-plus
adviser-clients have paid for coverage of cyberattacks. "For the financial
advisory industry, this is very new," he said.

The broker goes on to explain why, like many types of insurance, the
premium paid would be a better safeguard against the increasing risk of
data exposure. He “tried for two years to sell a Connecticut adviser such a
policy, without success. Then the firm suspected it was hacked, and paid
$4,000 to have an expert check out its systems. It was a false alarm, but
that expense equaled one year’s premium”.

There is no doubt that the cyber insurance market is growing significantly
each year. A PwC survey estimates that the cyber insurance market will grow
from $2.5 billion in cyber insurance premium in 2014 to $7.5 billion in
2020. U.S. companies currently purchase 90 percent of the policies.

Is cyber insurance necessary? It depends on the general protection you have
in place and whether you are concerned about absorbing the costs of a
potential hack. A cyber insurance policy can address some of the financial
costs related to system vulnerability audits. If an intrusion affects your
firm, the policy may cover customer protections such as credit monitoring
and post-incident public relations and investigations, not to mention
possible regulatory fines, legal expenditures and reward monies. It can’t
cover everything as you could likely still be subject to lawsuits and
customer, data and reputation loss in the event of compromised PII records.

The National Association of Insurance Commissioners notes that the costs of
cyber security policies also vary due to wide-ranging information on
actuarial data, applicant’s risk management procedures and culture, type of
business operation (including its size and scope), type of data collected
and stored, etc.

Cyber threats are more real to small- and medium-sized businesses, as their
systems tend to be less secure than those of corporations.

In other words, if your client data is appealing and reasonably accessible,
consider yourself a potential target.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/