Practical analysis for investment professionals
16 July 2015

How to Minimize and Respond to Cyber Risk

Regardless of what industry you work in, cyber security is of the utmost importance. With highly publicized breaches at companies such as Target and JPMorgan demonstrating that even large organizations are vulnerable, protecting clients’ privacy is, without a doubt, a serious matter.

Thomas D. Giachetti, chair of the securities practice at Stark & Stark, offers advice for small firms on what he dubs information security as opposed to cyber security, in a recent Take 15 video,

One effective measure to protect client information is to use confidentiality agreements at all personnel levels. “Generally, I want anyone who has access to our information, especially access to our premises or direct access to our information, to sign a confidentiality agreement,” Giachetti says: “so employees, anybody who’s hired by the landlord or the managing agent who has access — including the managing agent, the cleaning staff, the security staff — and then those immediate types of professionals who have access to our information, such as an IT consultant and even a shredding service.” Additionally, access can be limited to specific people.



Another crucial component to protecting information lies in educating both employees and clients about how best to send that information electronically. “The exposure is that if a client’s information is intercepted, and the adviser has a fiduciary duty to advise the client — obviously when a client hears that they’re going to be very, very insecure and most likely leave.” Giachetti says. “Then the advisor has a responsibility to advise the custodian, (and) the custodian will probably freeze the account. There are a lot of things that have to be done — it’s a harsh remedy, but you can’t take a shortcut.”

According to Giachetti, these kinds of interceptions aren’t necessarily uncommon. “Many advisers — some get it on a weekly basis — get requests for a transfer of funds, usually electronic,” he says. In these cases, it is important for firms to contact clients by phone for verification — a measure best undertaken by someone who can recognize the client’s voice.

Nevertheless, because hackers will always be attempting to steal information, it is equally important for firms to have adequate insurance. Giachetti says, “They (firms) definitely need a policy — or program — something of some sort that addresses the firm’s risks, based upon who the firm is, their employees, their number of offices, their counterparties. There’s no one-size-fits-all.”

If you liked this post, don’t forget to subscribe to the Enterprising Investor.


All posts are the opinion of the author. As such, they should not be construed as investment advice, nor do the opinions expressed necessarily reflect the views of CFA Institute or the author’s employer.

About the Author(s)
Leave a Reply

Your email address will not be published.



By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close