Last updated: December 08 2015

Cybersecurity at Issue

Cybersecurity is an issue all tax and financial advisors may find themselves answering questions about this tax season.

CRA itself has been the target of several breaches in past tax seasons, and the financial industry experiences 300% more cyberattacks than other industries. For these reasons, how safe email is, and what you can do about it, will be a topic at the January Session of the Distinguished Advisor Workshops.

Bob Seaman of e-courier.ca will be a special guest at DAW. This Canadian company provides a secure message and file transfer service for professionals and their clients. His background includes Internet security, e-privacy laws, intellectual property, and business and data expertise. Bob is the former Head of Strategy for Microsoft Networks. Mr. Seaman has also published articles in the National Post and the Huffington Post, as well as in the Canadian Medical Association Journal.

The session should be as interesting as the one given by Ian Russell, President of the Investment Industry Association of Canada (IIAC), last month at DAC 2015. Mr. Russell spoke on the prevalence of cybersecurity threats that can put your business and your clients at risk; he also offered some practical suggestions for managing these risks appropriately.

He revealed that a recent US SEC report noted that 88% of broker-dealers and 74% of advisors had experienced cyberattacks. In fact, the financial industry experiences 300% more cyberattacks than other industries. Statistics like this suggest that it’s not a matter of if, but when, you will be attacked. The risks of cybercrime are ever increasing; it is being perpetrated not only for financial gain, but also to obtain valuable personal information about individuals, including your clients, and sometimes as a public protest against a company.

The more reliant we are on technology, the more vulnerable we are to cyberattacks. And although we hear about hacks on big corporations in the news, smaller companies are actually more likely to be attacked because they often cannot afford prevention systems and don’t have a cybersecurity plan.

Some hackers will openly announce that they have frozen your system and will essentially hold your data for ransom for their own financial gain. But usually, cyber threats are more insidious, infiltrating your system through e-mails to employees, for example, or even through the system of a vendor or partner to whom you are connected—sometimes lying dormant in your system for several months before you become aware of the breach and the damage it is causing.

Naturally, cybercrime is extremely disruptive and expensive to any organization that is a victim; the enormous costs include your business being down, perhaps in the height of your busy season; the need for crisis communications; systems forensics to determine the cause and effects of the hack; the possibility of compensating clients for losses; regulatory fines; and long-term reputational damage.


No organization is hack-proof, but the good news is that every company can take steps to become cyber-resilient. Developing a cybersecurity program is critical to mitigating risk; any plan should include the following:

  • Governance and risk management: Commitment from the top is essential to creating a firm-wide framework for cybersecurity.
  • Risk assessment: Identify the critical systems you need to protect; do due diligence on vendors and their systems; build layers of security controls (e.g., multiple passwords); assign access appropriate to each employee’s role in the organization; use encryption; and have your system tested internally by employees and by external contractors to try to detect holes in security.
  • Incident response plan (IRP): What to do when you are attacked and how to minimize the damage. Develop a protocol that assigns specific tasks to specific people, and in a specific order of completion. The IRP often includes outsourcing elements that require specialized expertise (e.g., IT, legal, PR).
  • Staff training: Employees need to know what to watch out for. Most commonly, threats enter an organization because an employee unknowingly opens an infected email or attachment.
  • Cyber-intelligence and information sharing: Subscribing to information services (some of which are industry-specific) can help reduce the threat.
  • Cyber-insurance: This kind of protection is available, but can be expensive and is based on the firm’s specific risk profile.
  • Understand the regulatory framework: Be aware of your responsibilities to regulatory bodies in advance (e.g., reporting any incidents to regulators) so you don’t need to spend time researching your obligations after there has been an incident.

The threat of cybercrime is immediate and real, so be prepared with a plan to manage the risk.

For more information on protecting your communications, consider attending the January session of DAW – Distinguished Advisor Workshops.
