The chair of the Securities and Exchange Commission, Mary Jo White, dropped a bomb in a recent speech by noting that the biggest risk faced by the financial system is cybersecurity. And she poured salt over the wound with the observation that the preparations taken by financial players are inadequate.
"What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks," Reuters quoted her as saying.
In a matter of minutes, criminals are emptying millions of dollars out of accounts around the world. For instance, $81 million was recently sucked out of the Bangladesh central bank. But many experts said that financial advisors may be a particularly tasty - and often undefended - target.
"I absolutely see this as a real risk," said Todd Feinman, former PwC ethical hacker and CEO of data classification firm Identity Finder. "They have your tax info, information about your family, what you are buying and selling, everything a criminal needs to steal identities."
Wouldn't big banks and advisory firms be the target of choice? You might think so, because of their vast databases. But their vast resources also buy protection and, in recent months, most have armed up their cybersecurity defenses, experts said.
Not so with smaller players, according to Ben Desjardins, a cybersecurity expert with Radware.
"Consumers should be concerned about the potential for sensitive private data -- such as account numbers and Social Security numbers -- getting breached via smaller financial advisor firms."
He added: "Many of these financial advisors are most likely their own IT staff, meaning they don't have security experts maintaining and monitoring systems that are being used to store sensitive data or execute transactions. When you consider the average number of days it takes an enterprise to realize they have been breached is now around 100 days, it's easy to believe that individual financial advisers may have malware on their machines for long periods of time without realizing it."
Paul Pagnato, founding partner of wealth advisory firm PagnatoKarp, agreed.
"Financial advisors are some of the most targeted personnel in the financial space, because so many are small businesses and unable to spend on robust cybersecurity defenses," he said. "And criminals first take the path with least resistance. Thieves are after more than just money, they're after lucrative client data and account information that can multiply their earnings potential for both direct exploit and/or for sale on the Dark Web."
There's worse news, according to multiple experts: so-called 'exploit kits' for attacking financial advisors - essentially a DIY blueprint - have proliferated on the Dark Web. That means no real technical skills are required to mount an attack, just a handful of Bitcoin.
And it gets worse. "The level of anonymity offered by the internet makes these relatively risk free crimes," said Stu Bradley, vice president of cybersecurity solutions at SAS. That means the chances of being arrested are slim to none.
For the victims - and this means clients of the breached advisory firm - a lot of heartache and financial pain will be the result. Years of both.
"What this means for their customers is that when choosing a financial advisor, they should take into consideration the steps taken by the advisor to secure their data, as well as their ability to advise financially," said Lee Munson, senior researcher at Comparitech.com. "Data security should be one of the key demands of customers when enlisting this service."
For good, understandable reasons, people and small businesses don't directly answer questions about their security practices. But given that the head of the SEC is warning about attacks on financial institutions, it makes excellent sense for a client or prospective client to prod for enough details about security to feel safe leaving their information and money with an advisory firm.
A key question: have you ever been breached? Advisors need to have an answer to that, and if it is "yes," they need to be forthright about steps taken in the aftermath to tighten defenses.
Security experts urge that we ask enough questions so that we are satisfied with the safeguards a particular firm has in place. Clients want to know and they have that right - just as they have the right to walk their money to a firm they believe is better defended.
This article is commentary by an independent contributor. At the time of publication, the author held TK positions in the stocks mentioned.