A few weeks ago, a St. Louis-based investment advisory firmsettled charges with the Securities and Exchange Commission overallegations that it failed to implement even threadbare cybersecurity policies and procedures in advance of a 2013 breach of itsserver, which was hosted by a third party.

|

The attack, which investigatorsultimately traced to China, resulted in the compromise of thousandsof the firm’s clients’ personally identifiable information, or PII,according to the SEC.

|

The firm paid a $75,000 penalty, and though it did not admit ordeny the SEC’s findings, the regulator’s allegations present ascenario of complete negligence on the part of the firm.

|

For years, the firm failed to implement firewall protections orencrypt clients’ PII. In fact, it didn’t even have a written policyin place.

|

While that level of carelessness is likely an anomaly, that anadvisory firm was attacked is not.

|

Read: Spy chief warns about hackers hittingfinancial markets

|

Earlier this year, the SEC’s Office of Compliance Inspectionsand Examinations released results from last year’s cyber securityexams of more than 100 broker-dealers and registered investmentadvisors.

|

Most firms—88 percent of broker-dealers and 74 percent ofRIAs—said they have been subject to cyberattacks, either directlyor through third-party vendors.

|

Read: 5 recent data breaches

|

The SEC is set to begin a second round of exams throughout thecountry, focusing on now only whether firms have a security policyin place, but whether or not they are actively testing it.

|

|

And while advisors to 401(k) plans and other investors will nodoubt want to stay on good terms with regulators, GJ King,President of RIA in a Box, an RIA compliance consultancy, says theSEC is the least of advisors’ concerns.

|

“Cyber security posses the greatest risk to RIA firms in thenear and long-term picture,” said King, who recently hosted awebinar with the founders of Itegria, a provider of technologysecurity solutions built specifically for RIAs.

|

“Advisors can not simply go through the motions when it comes tothe threat,” King said. “Every firm’s leadership needs to make thisa primary concern.”

|

RIA advisors to 401(k) plans may want to take even extra care.Recent reports suggest the $5-plus trillion defined contributionmarket is the next Holy Grail for hackers.

|

“These accounts often have tens or hundreds of thousands ofdollars in them. Combine that with individuals who casually checkbalances and most of the media’s focus on cyber attacks againstretailers and traditional bank accounts, and these retirementaccounts are the dark horses of financial loss,” said Ben Johnson,chief security strategist for Bit9 + Carbon Black, a provider ofsecurity network solutions throughout the financial, aerospace, anddefense industries, among others.

|

Johnson says the recent string of major compromises ofsome of the country’s largest retailers, banks andeven government agencies means cyber criminals aroundthe world now have a massive “treasure trove” of consumers’personal information at their finger tips. And they are activelycommitted to leveraging that for further fraud.

|

|

Perhaps the most chastening reality for 401(k) advisors is thatmost data compromises are not disclosed, in part becausemany aren’t known, a reality all ofthe security expert sources for this story underscored.

|

“At the end of the day you are going to be breached—everyoneagrees on that,” said Peter Martini, co-founder of ibossCybersecurity.

|

It’s not just the money in 401(k) accounts hackers are after, hesaid, but all of those personal details that advisors and sponsorsstore on account holders.

|

“Advisors and providers to plans hold so much information onparticipants that hackers can steal and sell on the black market,which can then be leveraged for other attempts at fraud,” saidMartini.

|

For the most enterprising and sophisticated of criminals, sizedoesn’t matter.

|

“Everyone is susceptible. Even more so with smaller firms, whichusually have less protection, less software infrastructure, andoverall, less resources. They’re often the easiest targets. Thievesgo after easy targets,” warns Martini.

|

The good news on the cyber front is that as threats haveevolved, so too have the defenses available to 401(k) advisors.

|

Perhaps as important: enhanced, best-in-class protections do nothave to break the bank.

|

Cloud software innovations are allowing providers to delivercutting-edge solutions for pennies on the dollar of the investmentsadvisor firms are accustomed to making in securityarchitecture.

|

Just a few years ago, security upgrades meant implementingcostly and cumbersome servers, paying for their maintenance, andmaking internal investments in personal to oversee thehardware.

|

|

“What would have cost $50,000 three years ago can now bedelivered for dollars per machine,” said Martini.

|

With the emergence of new solutions available to advisors, thequestion becomes one of implementing the best software protections,and just as importantly, the best policies for testing thoseprotections.

|

Richard Mabbun, CEO of Itegria, the firm that specializes insolutions for RIAs, says it takes a holistic approach todetermining a firm’s needs, which can very greatly, often dependingon number of employees.

|

“The first thing we do is go in and understand what the existingpolicies and procedures are. From there we can figure out whichsolutions to deploy,” said Mabbun.

|

He echoed the sentiments of other security providers: advisoryfirms should avoid so-called check-the-box solutions simply toprove to regulators they have a security program in place.

|

“There’s a good amount of grey area between what SEC and stateregulators require and what are best practices,” explained JulianMakas, Integria’s co-founder and chief technology officer.

|

What the SEC won’t do, says Makas, is endorse one type ofsoftware protection over another.

|

That said, the implementation of specific protections, likepassword management tools, which automate complex and changingpasswords for each workstation on a network, can prove toregulators the level of a firm’s engagement in protecting against athreat, he said.

|

Regardless of a firm’s specific product and technology needs,all firms, no matter their size, must maintain and update a writtenInformation Security Policy. Extensiveness will matter toregulators, said King, of RIA in a Box.

|

And all firms must show they are testing their products andcontrols and conducting periodic risk assessments, King added.

|

Also, firms need a written succession plan in place in the eventof a breach.

|

But perhaps the most important component of a firm’s securitypolicy is employee training, a reality echoed by all of theexperts.

|

“Your people are your weakest link—and they are also yourgreatest line of defense,” said Makas.

|

Documented annual training should be a minimum, said King. Andcreating a culture where all employees are encouraged tocommunicate up the chain of command when they suspect something maybe amiss—without the fear of repercussion—is critical.

|

“You see something you say something, and that starts with afirm’s culture at the top,” said King.

|

There will never be a way to secure a firm’s network 100percent—not even the National Security Administration can do that,reminds King.

|

That makes insisting on security as a priority firm-wide notjust a best practice, but a necessary one, said King.

How can you transform your risk managementpreparedness and response strategy into a competitiveadvantage? Introducing ALM's cyberSecure — Atwo-day event designed to provide the insights and connectionsnecessary to implement a preparedness and response strategy thatchanges the conversation from financial risk to competitiveadvantage. Learnmore about how this inaugural event can help you reducerisk and add business value.