When it comes to a cyber breach, it’s a matter of “when” not “if.”
If you’re a wealth-management firm, you will be attacked. That’s a given. After all, you hold what most cybercriminals want: the most sensitive and personal details of the wealthiest people in America. Those attacks are persistent, pervasive and not easy to detect. Scariest of all, there’s a strong likelihood that your firm is already under some form of attack.
That raises the odds that one attack will lead to a successful breach.
All cyberattacks are bad, but ones that affect financial intermediaries have the potential to ruin an advisor’s practice. Competition for clients is fierce, and a good client relationship is built on protection and trust – two feelings that immediately can disappear when data is breached. Clients, and their assets, will walk if they don’t feel safe.
Having a plan in place to handle the communications around this crisis is so vital. In fact, every wealth manager needs to have a separate crisis plan to deal with the potential of a cyber breach.
For the most part, all the elements of a standard crisis plan need to be a part of your cyber plan. But there are specific elements for a cyber security plan that need to be incorporated:
Understanding of State Laws
Traditionally, most advisors are concerned with federal regulations. But there is no over-arching federal law covering a data-breach response. However, 48 states (with the exception of Alabama and South Dakota) have laws that govern your communications in the event of a breach. Each state defines what types of data are covered by the laws, what constitutes personal information and what you are required to disclose. Understanding your home state’s requirements, and those of your clients, is important, so it is vital you engage a law firm that knows breach-disclosure laws and can help guide the communications plan.
Client-Centered Communications Plan
The way to maintain trust of your clients is to be forthright to them. That means ensuring you have a plan in place to be the first person to notify them of the breach. Too often, news of a cyber breach at most companies is delivered through the media. Given the depth of relationship with your clients, and the importance in maintaining your clients’ trust, you have to have a plan to be able to reach out to your clients in the quickest and most efficient way.
In addition to the public relations and law firms you need to retain to help develop your crisis response, your cyber team needs to include two other groups of professionals: a cybersecurity firm to assess and monitor your ongoing security (after all, the best way to deal with a crisis is to avoid one in the first place), and your accounting firm (preferably with forensic specialties) to support your response. Forensic accounting professionals can manage document control, data preservation and recovery, and analysis. Your communications team should seek feedback from all the firms helping you when crafting your plan.