What Your Clients Hear About CyberSecurity

Understanding what clients fear about identity theft, cybersecurity and hacking is essential in meeting their needs.

Clients are so bombarded with information about cybersecurity and hacking that some analysts are even suggesting methods to “bounce back from cyber fatigue.” The idea is that board members and executives are so exhausted from the constant deluge of information about cyber threats that they have reached a state of paralysis. When they are not being alarmed on a regular basis by IT professionals and regulators at work, news of cyber threats is everywhere else: in television coverage of the ongoing effects of the Target data breach and in every new privacy update sent to their email address. It even seems to slip under the door like smoke and settle at their feet during dinner.


While analysts have been hearing about key points in cybersecurity on data theft and on protecting against loss of client data, clients are focused on other topics. Oddly, the majority of hacking and hijacking that happens to major companies comes in via email. One major healthcare provider in the Philadelphia region, Main Line Health, is still feeling repercussions from a data breach that occurred years ago, in which employee personnel files were hacked via emails that were Trojan horses: they appeared to be from a bank or service company and were in fact from hackers.


The most discussed data hijacking of 2017, involving the WannaCry virus, slipped in through emails and older, outdated computer systems. While analysts may be most concerned about new threats of hacking and the best methods of encrypting, clients may be up to their elbows in the need to upgrade aging email systems or audit old computer servers. Interestingly, ransomware attacks in the U.S. have been declining over the last few years, but attention to them has been increasing, potentially because of the breadth of their impact. While it may not have impacted the U.S. in large measure, the WannaCry virus hit 150 other countries. Understanding that the cyber fatigue your clients may be facing on specific topics might not be in alignment with the actual threat level of those topics is crucial to responding to their needs. So too is understanding the significant cost associated with upgrading email systems.


As Trojan horses may still be a concern, it could be helpful to remind clients and employees about what official emails from your firm will look like. Years ago, firms sent out emails that reminded clients and employees that they would never ask for personal information, passwords, or bank account information via email. Those same informational emails may be helpful now.


Another basic element clients may be worried about involves employee training. In an especially egregious episode in 2018, Twitter had to warn users that their passwords were possibly at risk of hacking, as the company had failed to encrypt the files keeping those records. Understanding where slip-ups in training and supervision allow for user error of that magnitude may also be enormously costly to your clients. An audit of password protection policies, training, and testing for a large company could be a significant expenditure. While it may be beyond obvious to a financial advisor to follow every element of protection required, reminding your clients of those protections and policies could provide comfort to the client. This may be even more helpful if it is provided before the client asks, and in advance of a board meeting.


Even more top of mind for executives and board members may be the data breaches at the end of 2017 that had no ascertainable cause. Both Orbitz and Under Armour had significant data breaches that, after scrutiny by forensic experts, remained unsolved. Executives may be under pressure to audit and reinforce firewalls, encryption and other elements of cybersecurity. This could include aspects of an employee benefit program, especially if retirement benefits dashboards are accessible through intranet sites like SharePoint or other connections. Understanding your company’s safety programs and being able to express plans to stay in compliance with federal (and, where needed, state) regulations will be necessary as companies evaluate any possible area of access. Companies may start performing yearly risk assessments on weak points in their data systems in light of these unsolvable breaches. In fact, many cybersecurity analysts are pushing for proactive threat assessments for large companies. Having your own assessments and information at the ready can go far toward showing your clients that you understand their cybersecurity needs.


In short, boards of directors who were formerly reluctant to spend company monies on cybersecurity may now be so cyber-fatigued that their decision making may be out of alignment with the realities of employment benefits. Understanding that, and proactively preparing for detailed questions about cybersecurity, can help you meet your client’s needs.
