Holly Sagstetter

RIA Cyberattacks: Top 6 that could ruin your firm

Which cyberattacks could hurt your Registered Investment Advisor (RIA) Firm? The truth is, any and all cyberattacks could hurt your firm. So what can you do about it? Simply being aware is the first step, so let’s dive into the top 6 cyberattacks that could hurt or simply ruin your RIA firm.

1) RIA Cyberattacks: Phishing

These types of articles always seem to start with phishing. Why is that? Phishing emails work! As part of our RIA cybersecurity service, we send phishing simulation emails to clients and users click (fake) malicious links all the time. And no, we don’t send insensitive ‘claim your bonus’ phishing emails like GoDaddy!

Phishing is the #1 cause of data breaches. It’s one of the most common ways for criminals to steal money or data. Attackers can trick you into giving up social security numbers, financial account numbers or login credentials. 

Phishing emails often tug at your emotions and create a sense of urgency (which is why COVID-19 related phishing emails were so effective!).

Learn more about the SEC cybersecurity guidance on Phishing in our article: SEC Cybersecurity Guidance: Phishing

2) RIA Cyberattacks: Credential Stuffing

In September 2020, the Office of Compliance Inspections and Examinations (OCIE) released a risk alert about credential stuffing. 

Credential stuffing is an automated attack in which hackers get usernames, passwords and email addresses from the dark web and then use automated scripts to try those credentials on other websites.

The most important thing you can do right now is make sure you use multi-factor authentication (MFA) wherever you can. This makes it that much harder for cyberattackers to access your accounts.
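For firms that can export their own login logs, credential stuffing leaves a recognizable pattern: one source failing logins across many different usernames in a short time. The sketch below is an added example, not part of the original article; the log format, the thresholds and the function names `parse` and `find_stuffing` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Assumed format: ISO time, source IP, username, result.
SAMPLE_LOG = """\
2020-09-15T09:00:01 203.0.113.7 alice@example.com FAIL
2020-09-15T09:00:03 203.0.113.7 bob@example.com FAIL
2020-09-15T09:00:04 198.51.100.20 frank@example.com FAIL
2020-09-15T09:00:06 203.0.113.7 carol@example.com FAIL
2020-09-15T09:00:09 203.0.113.7 erin@example.com OK
2020-09-15T09:00:12 203.0.113.7 dave@example.com FAIL
2020-09-15T09:00:20 198.51.100.20 frank@example.com FAIL
2020-09-15T09:00:41 198.51.100.20 frank@example.com OK
garbled line that should be skipped
"""

def parse(log_text):
    """Yield (timestamp, ip, username, succeeded), skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower(), parts[3] == "OK"

def find_stuffing(log_text, window=timedelta(minutes=5), min_users=4):
    """Flag IPs that fail logins for >= min_users distinct usernames within window.

    A person mistyping a password fails repeatedly on ONE username; credential
    stuffing fails across MANY usernames from the same source.
    """
    fails, wins = defaultdict(list), defaultdict(list)
    for ts, ip, user, succeeded in parse(log_text):
        (wins if succeeded else fails)[ip].append((ts, user))
    alerts = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                # Logins that SUCCEEDED from a flagged source likely used a
                # reused password: those accounts need a reset and MFA.
                alerts[ip] = {"failed_users": len({u for _, u in events}),
                              "accounts_to_reset": sorted({u for _, u in wins[ip]})}
                break
    return alerts
```

On the constructed log, the source that tried four different usernames is flagged and the one account it logged in to successfully is listed for a password reset, while the user who mistyped their own password twice is not flagged.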

3) RIA Cyberattacks: Third-party breaches 

According to a 2018 study by Opus and Ponemon which involved 1000+ CISOs in the US and UK, 59% of companies said they have experienced a data breach caused by one of their vendors. Big companies like Target and Home Depot have experienced the pain of third-party breaches. And these types of attacks can impact RIA firms too.

You need to take the time to audit your vendors. You are only as strong as your weakest link, and if your third-party vendor has weak security, so do you.

We recommend a third-party vendor risk management process like this:

  1. List your vendors
  2. Find or request information (large companies will have a SOC2 Audit Report and smaller companies should have an information security policy and training information)
  3. Review the documents and follow up as needed
  4. Respond to security risks - you may need to modify your contract or end your relationship depending on the results
  5. Schedule security reviews for the following year

If you need more details on the points above, check out our article: Third-Party Vendor Risk Management: A How-To Guide.

4) RIA Cyberattacks: Ransomware

Ransomware is not just a ‘big company’ problem. It is hitting companies of all sizes, and when it hits, you need to be prepared. This is a cyberattack that RIA firms need to learn about.

Ransomware is a form of malware that encrypts your data and holds it hostage until you pay the ransom. The result can be downtime and lost money or data. Bitdefender indicates a 715% year-over-year increase in ransomware-related scams. That’s huge!

Your users need to know common signs of ransomware:

  • Screen locking pop-ups
  • Files with uncommon or unusual file extensions
  • Seeing errors when trying to open files
  • Strange files on your computer that you did not create

Your users should also know how to respond to ransomware:

  • Control the infection
  • Identify the type of ransomware
  • Report the incident properly
  • Remediate (wiping infected computers)

Finally, your users should know how to prevent ransomware attacks:

  • Daily backup of your hard drive
  • Use antivirus with ransomware protection
  • Don’t click on unverified links and email attachments
  • Download from trustworthy sites only
  • Keep your computer and mobile devices updated

To learn more about ransomware and the bullet points outlined above, check out our articles:

5) RIA Cyberattacks: Your Employees

Generally, employees are called the ‘weak link’ in cybersecurity. And it makes sense. You can spend tons of money on systems and security services, but at the end of the day, it’s human error that can cause breaches. An employee could click on a phishing link, lose their laptop or accidentally share the wrong documents. 

But instead of looking at your employees as weak links - look at them as your last line of defense against cyberattacks. Empower them with proper cybersecurity training and create a culture that encourages learning and sharing. 

We recommend sharing this article with your employees, so they can explore more about phishing, ransomware and the other top cyberattacks that RIA firms face every day.

6) RIA Cyberattacks: Your Clients

Client cybersecurity is critical for your business. Your RIA firm can take all the steps towards proper cybersecurity practices, but if your client’s email or computer is compromised, it could impact your business in a bad way. 

Here are some of our favorite tips to share with your clients:

  1. Use multi-factor authentication (MFA) on all important online accounts
  2. Sign up for an email security service
  3. Never use public Wi-Fi
  4. Always use long and unique passwords
  5. Use two good antivirus programs
  6. Be aware of phone calls - especially if they ask for sensitive information. You can always hang up and call your financial institution directly to double-check. 

Can you prevent these RIA cyberattacks?

Can you ultimately 100% prevent these RIA cyberattacks from happening? Unfortunately, the answer is no. But that doesn’t mean you can’t take action. And if you’re working towards complying with SEC cybersecurity guidance, you NEED to take action. So what can you do?

  1. Use Multifactor Authentication EVERYWHERE!
  2. Use long and unique passwords
  3. Use an additional email security service
  4. Never use public Wi-Fi
  5. Provide cybersecurity awareness and training to your employees and your clients

Does your RIA firm need help with cybersecurity?

Adelia Risk provides cybersecurity protection exclusively for small, high-value companies in highly regulated industries like financial services. Our cybersecurity service is the one-stop shop for everything you need, customized for your firm!

Schedule a strategy session to get started: https://adeliarisk.com/sec-cybersecurity-strategy-session/ 

Copyright 2021 Adelia Associates, LLC | All Rights Reserved | Sitemap