Advisor Learnings From Meltdown and Spectre

Jan 16, 2018

Odds are that by now you know of Meltdown and Spectre. Why? Because once again a cybersecurity issue has reached the mainstream press – an event happening more and more often as we become an increasingly tech-reliant world. For the advisor, cybersecurity is becoming more of a distraction taking you away from giving financial advice and making your clients’ lives better. I think 2018 is going to be the year of cybersecurity, and everyone’s New Year resolution should be to provide good cybersecurity with a minimum of expense and time spent.

What are Meltdown and Spectre?

In layman's terms, Meltdown and Spectre are flaws at the innermost level of computers that expose data that should not be exposed. While SEI has not been impacted by the breach, here are a few general facts about the issue:

  • The vulnerabilities were identified by separate teams of researchers, not by someone trying to take advantage of the situation.
  • To date there is no known data security breach that has occurred due to these vulnerabilities.
  • To date there is no known virus that exploits these vulnerabilities.
  • Between the two flaws, they affect almost all computers that use Intel, AMD or ARM processors. That means nearly all smartphones, PCs and servers that are being used today.
  • Computer and smartphone device manufacturers are releasing patches and fixes to reduce the threat caused by the vulnerabilities. As time goes by these should become more and more effective.
  • To truly eradicate the problem, computer manufacturers would need to release a new generation of processors, which would then need to be installed and used worldwide. This will take many years.

For more of the details of Meltdown and Spectre, here is additional reading:

What should you do now?

For advisors, the approach is very similar to the general consumer. The basics are:

  • Keep your computer internal software (firmware) up to date. Computer manufacturers have automated this process, making it easy.
  • Keep your operating system (OS) software updated. Microsoft and other OS providers have automated this.
  • Use antivirus software (such as McAfee, Norton or Webroot). Most broker dealers have issued guidelines for their representatives on how to react to these vulnerabilities. If you are a BD-affiliated representative, take advantage of this advice.
  • Review your cybersecurity policy and ensure that your practices are following your policy.
  • If you have outsourced the mechanics of cybersecurity to a third party, ask them for updates. I highlight the word ‘mechanics’ as the accountability for cybersecurity will always be yours, as the firm owner.

The Microsoft Windows operating system is the most prevalent among advisors. This is Microsoft's advice on what to do.

Clients and cybersecurity

It used to be that cybersecurity was a back office operation that clients did not care about. The world is very different today. Think of all of the data breaches that have occurred in the public eye. A partial list is: Experian, eBay, JP Morgan Chase, Wells Fargo, Home Depot, Yahoo, Target and Sony. There are also the viruses that consumers have read about, like Stuxnet, ILOVEYOU and the recent WannaCry. For an advisor firm, a data breach could be a death knell. The local press will pick it up and social media will kick in. The Ponemon Institute, a cybersecurity research firm, found that companies have a 7% loss of customers after a breach. This sounds right for a larger firm, but very low for a small advisor firm, where reputation is everything.

Because of consumer awareness, advisors should be proactive about cybersecurity. Here are two suggestions:

  • Cybersecurity micro-moment. When there is a sizeable data breach of any financial information that gets in the news, send out a client communication explaining the impact to the consumer and how your firm was or was not impacted. The Equifax breach was a great example, which John Anderson described in a post as a micro-moment approach. Meltdown and Spectre are other possible micro-moments. If your firm was impacted, your firm should follow its procedures for determining what notifications are required.
  • Sales tool. Build collateral or blog content which explains your firm’s security policies and practices. You can be sure that your client does not understand how much is being done for them and will be appreciative.

InvestmentNews covers this consumer awareness phenomenon and gives more statistics and anecdotes.

What should you really do?

The real answer is that you want to try to put comprehensive cybersecurity in place, but you should spend as little of your time on it as possible. One way to do this is to outsource the work to a trusted party. While you are at it, it may be time to outsource all of your IT (computers, servers, office software and tech support).

In researching the companies who provide IT outsourcing, we talked to four who focus on advisors:

There is a more in-depth review of IT outsourcing in a previous blog.

Increased cybersecurity compliance

In 2015 the SEC’s OCIE division researched the state of cybersecurity for broker dealers and advisors. The resulting report is surprisingly easy to read and full of interesting statistics. It’s also one of the key reasons that in the last two years the SEC and FINRA have been increasing their scrutiny of cybersecurity in our industry. This has inevitably led to hefty fines for financial firms when they have uncovered cybersecurity gaps.

So, I suspect that 2018 will be the year of cybersecurity; your clients will ask more about how you protect them and the SEC and FINRA will be on the hunt. Happy New Year!

Information provided by SEI Investments Management Corporation, a wholly owned subsidiary of SEI Investments Company (SEI). This content is for educational purposes only and is not meant to provide investment advice or as a guarantee of any specific outcome.

Some information contained herein has been provided to SEI by unaffiliated third parties. SEI cannot guarantee the accuracy or completeness of the information and assumes no responsibility or liability for its incompleteness or inaccuracy.

ITEGRIA, ExternalIT, RightSize Solutions and True North Networks are not affiliated with SEI or its subsidiaries. SEI is neither recommending nor endorsing their products.

Raef Lee

Raef Lee is the technology contributor for Practically Speaking and also serves as a managing director for the SEI Advisor Network.