How financial advisors should respond to cyberattacks

By Jonathan Got | December 13, 2023 | Last updated on December 14, 2023

Nicholas Yuzwin started his own practice, NPY Wealth Management in Mississauga, Ont., in 2016 after working in the credit union system for over a decade. That same year, his personal computer was attacked with malware while his backup drive was plugged in, and hackers demanded a substantial ransom. 

He lost all his data. 

Though Yuzwin’s business wasn’t affected, the experience prompted him to hire NPC DataGuard, a cybersecurity response company based in Markham, Ont., to protect his company from cyberattacks. NPC was referred to him through his dealer, Manulife Securities Inc. 

“When that happened to me personally, I said, ‘No, this is not going to happen to me in my business,’” he said.  

Financial services companies, with a treasure trove of client information, are a top target for hackers, said Larry Keating, CEO of NPC DataGuard. Wealth management practices of all sizes should take preventative measures, create an incident response plan and know what to do during a breach. 

Preventing cyberattacks 

Financial advisors can prevent cyberattacks through the three pillars of policy, training and technology, Keating said. Standards for passwords and for protecting and sharing information must be accessible to all staff but kept confidential, he said, as they may indicate areas hackers could exploit. He recommended one hour of training per quarter on the policies.  

However, Keating said, “Without a superior investment in technology by qualified people, all the policy and training in the world isn’t going to help you.” 

A proper incident response plan should include attack preparation, breach detection, threat containment, malware eradication and data recovery. Advisors should know what their dealer’s plan is, and keep paper copies of the plans, as digital copies might be inaccessible during a cyberattack. 

For example, Manulife Securities has minimum software requirements, a system to encrypt sensitive emails and procedures on how to inform clients of breaches, Yuzwin said.  

Responding to a breach 

During a breach, staff must know who to inform in what timeframe, Keating said. This includes management, co-workers, any cybersecurity response firm on retainer and clients.  

They should also know what not to do. Some malware embeds itself deeper into the computer system when a device reboots, or lies in wait to steal an administrator’s higher-access credentials. 

A cybersecurity response company will use forensic analysis to help financial firms determine the nature and extent of the breach. For example, hackers may threaten to sell client data, or they may just lock the advisor out of their system.  

“If we were just locked out, that’s a completely different message to a client,” Keating said. Clients would feel a “heck of a lot better” knowing their data wasn’t compromised. 

Communicating an attack is a compliance issue. In addition to complying with regulation, dealers may be bound by carrier policies on how to communicate a breach to clients. For example, Manulife requires advisors to inform clients of an attack by phone and explain what is being done to remedy the breach, Yuzwin said. 

Although advisors may rely on the cybersecurity response company’s expertise to resolve the attack, the advisor and their staff should “without question” be the ones telling clients how it will be fixed, Keating said. “Going arm’s length at that time through the cyber response partner would only make the impacted clients feel even less loved.” 

When informing clients of a breach, advisors must choose their words carefully and may want to consult a lawyer, a cybersecurity response company or an insurer for help, Keating said. Advisors need to tell clients what happened and how it may affect them, issue a sincere apology, explain what is being done to fix the problem, explain what they will do to protect clients (such as credit monitoring) and commit to further updates. 

Saying the wrong thing can make matters worse, Keating said. Speculating about what happened or downplaying the situation can appear insensitive or break trust if the situation turns out to be worse than it first appeared. Advisors should also avoid technical jargon, which could frustrate and confuse clients, and refrain from blaming a third party — even if they caused the breach. It’s better for advisors to take responsibility, Keating said. 

Paying for cybersecurity is a “cost of doing business,” Yuzwin said. It’s the advisor’s responsibility to protect their clients’ data as well as their assets, and doing so shows clients “that you have their best interests at heart.” 

It’s also a way to earn trust from prospects, many of whom don’t think about cybersecurity when they begin working with an advisor, Yuzwin said. He always tells prospects about his practice’s daily backups, email encryption and protection from a third-party cybersecurity company.  

Yuzwin said he’s surprised when financial advisors only enact the minimum required cybersecurity measures. “That’s an accident waiting to happen because they’re eventually going to get hacked,” he said. “And once that happens, good luck in trying to retain your clients because your clients will find somewhere else to go.” 


Jonathan Got

Jonathan Got is a reporter with Advisor.ca and its sister publication, Investment Executive. Reach him at jonathan@newcom.ca.