A data retention policy should spell out how long you will keep different types of data on file.
In one data breach case Jardine dealt with last year, an advisor’s email was hacked, and they had to notify 1,000 people that hackers had their information. “They had 20 years of client information all neatly organized in their email.”
Check out third-party apps
Halton said advisors should familiarize themselves with and use the cybersecurity features available through third-party apps.
“You probably have much more MFA, much more encryption, much more backup than you think you do,” Halton said. “[For many] third-party tools, IT vendors will have very good backup systems in place and MFA on login, even though it might be annoying.”
At the same time, as advisors start to use tools driven by AI, such as note-taking apps to assist with record keeping, they need to do their due diligence to avoid putting sensitive data at risk.
“Be conscious that you’re putting data out there,” Halton said. Advisors should look into the vendor company, their security levels and privacy policy.
Jardine added that staff who may be using tools like ChatGPT — whether approved or not — should be trained on the importance of anonymizing data.
Stick to the protocol
In some cases, clients insist on communicating with advisors using methods that aren’t secure. If advisors act on requests through such channels that turn out to be fraudulent, the liability is with the advisor, Jardine said.
“If you’ve set up established protocols and communication methods with the client, and the client chooses to deviate from it, how do you know it’s the client?” he said. “What’s your strategy for verifying them?”
Jardine said if you do get a client request via an unapproved channel, you should send a standard response explaining that it’s not a secure way to communicate — without providing any information about the client in case it’s a bad actor.
The response can explain that criminals may use these channels to get access to client information and accounts, and to infect the advisor’s systems with malware.
Spread the word
The panel also noted that advisors should communicate with clients about cybersecurity proactively and let them know how their data is being safeguarded. This can include reminders about established communication protocols.
Plan ahead
Have a plan in place to respond to an incident before it happens, the panel stressed. How will you communicate what’s happened to employees and clients? What will you say? “Think it through in advance, so that you’re not trying to decide when you’re in a complete trauma,” said Jack Mazakian, vice-president, Advocis Broker Services, who moderated the session.
Jardine suggested printing out phone contact lists, response plans and your insurance policy. If you have a cyber-insurance policy, Jardine also advised not to store it on your computer, as the first thing a bad actor will do is search for “policy” to see what your coverage is.
Cyber insurance
A cyber insurance policy can provide coverage for legal and regulatory costs, third-party liability, cyber-service costs for data breach victims, lost profits in the event of a related business disruption and the costs of managing your reputation after a cyber breach. But it’s not necessary for all advisors to have cyber insurance, the panellists said.
Being able to qualify for cyber insurance already puts you in a lower-risk category, Jardine said, as you will already be complying with basic best practices like using MFA and putting a limit on the number of password login attempts on systems.
“The insurance is there to kind of bring a standard to things. So instead of saying everyone in the room needs insurance, I think it’s better to say that these are kind of the minimum controls that you should have in place, and insurance will come along and provide you with loss transfer when you have those.”