Centennial State Sets Cybersecurity Example

Justin Kapahi, vice president of solutions and security at New York-based firm External IT, is excited about a new set of cybersecurity regulations for financial institutions that were recently passed in Colorado.

The Colorado Division of Securities published final rules in mid-May that compel broker-dealers and investment advisors to establish and maintain written cybersecurity procedures designed to protect clients' personal confidential information. Those procedures include using secure emails that employ encryption and multifactor authentication practices for employees to access databases, among other things.

Kapahi believes these rules will go a long way toward helping financial advisory firms in Colorado understand how best to protect themselves from hackers. Even if most firms in this industry have in place what Kapahi calls "commodity security" (firewalls and anti-virus protection, for example), many are not truly equipped to counter "socially engineered threats" like spam emails that look innocuous but can result in major database breaches.

In the Cloud, 'Middleman Is the Computer'

In the era of cloud computing, many companies also believe that they don't need servers because their data is safely stored at all times. However, accessing that data on devices that are not authorized – a routine occurrence — is one of the most common ways in which data is hacked, he said.

"People don't realize that in the cloud, the middleman is the computer," Kapahi said. "I mean, I would not do business on my son's computer, for example – he plays games on it, he downloads things, and it's dangerous. So it's really bad news for financial advisors who download their clients' data on their home computers or on other unmanaged devices."

In Kapahi's view, cybersecurity is by far the greatest problem for the financial planning industry. While the SEC and certain states like Colorado and New York have provided guidelines for companies to follow, it's still very difficult for many firms to wrap their arms around things and to ensure their valuable data is fully protected.

"As a security provider, you need to be agile and you need to hire people who understand the industry and who follow compliance regulation," he said.

While External IT has always served financial advisory firms, it is now wholly dedicated to this space, ensuring that it stays ahead of the curve in terms of what advisors need to safeguard their data.

The company provides its clients with a "dome," Kapahi said, a turnkey, fully managed and airtight-yet-transparent system "that you can see through but you can't get out of." The dome helps financial advisory firms and broker dealers make the most of technology by partnering with them to manage all their applications — tools and data — in a secure, compliant and private environment. It tracks where the data is being used and downloaded, and safeguards completely against any breaches that could occur from anyone using the data on external, unmanaged devices.

"Everything stays in the dome. Nothing comes out of it, but if something does come out, the system shows you that," Kapahi said.

External IT's team comprises experts who are fully versed in the financial advisory business, with a sound knowledge of companies' applications and technologies, and the firm keeps up with the latest in regulatory requirements so that they can be easily implemented on its existing platform. This allows companies to maximize their productivity while limiting risk, Kapahi said.

In an industry where embracing technology has arguably been slower than in other industries, many firms are still reluctant to make the necessary commitment to upgrade their cybersecurity precautions to guard against employee-related breaches, many of which can happen unwittingly but cause big problems. However, conversion to External IT's "dome" solution is effortless and quick, Kapahi said. "We can do it at any time without people even knowing we've done it," he said.

Employees Still the Weakest Link

Still, even with the most air tight, Fort Knox-equivalent cybersecurity protections in place, financial advisory firms and broker dealers must still train their employees to use their systems properly and to recognize potential fraud before it takes root.

"Those phishing emails you get, where if you hover over the URL, you see there's something not quite right – you need to train people not to download those things," Kapahi said. "Companies need proper guidelines for that and those kinds of instructions need to be repeated."

— Read Your Biggest Cybersecurity Threat? Your Employees on ThinkAdvisor.

Correction: External IT is based in New York, not Miami.