Cybercrime in the Financial Industry

As cybersecurity becomes more mainstream, many clients are now turning to their advisers looking for assurance that their financial accounts are secure. With that demand, being able to articulate what you, the adviser, are doing to protect your client is no longer a side conversation, but an expected one.

Clients want to know that you will not only assist them in meeting their financial goals, but that their relationship with you will not expose them to the financial hardship of cybercrimes. Clients are not the only ones driving this discussion. Industry regulators have made it clear that their focus has also shifted to hit this topic dead center.

In September of last year, the Securities and Exchange Commission (SEC) announced that Voya Financial Advisors would pay $1 Million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its 2013 “identity theft red flags rule”, making it a wakeup call to firms everywhere.

Shortly after that announcement, the SEC issued an investigative report cautioning public companies to consider cyber threats when implementing internal accounting controls. In this investigation the SEC found nine companies wired nearly $100 million as a result of the frauds, most of which was unrecoverable. The firms and its employees were not fined, however the report indicated the new prioritization of cybersecurity by the SEC in its future examinations of advisers and brokers. The SEC went so far as to request millions in additional funding for additional personnel. Interestingly, the SEC is not alone in the focus of cybersecurity as the Financial Industry Regulatory Authority Inc. (FINRA) censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transferring money from client accounts.

The regulators have made it clear, cyber security must be a focus of every firm and adviser. “Cybersecurity needs to be viewed as not only an operational risk but also a strategic function”. Sid Yenamandra, CEO and co-founder of cybersecurity firm Entreda.

    What must be done to satisfy the regulators and your clients? Here are our top 5 best habits for Advisers:
      1. Have a cybersecurity program/protocol in place. Be able to not only show this plan in writing to a regulator, but also articulate the plan, or at minimum key points of the plan, to your clients.
      2. Keep your program/protocol up to date. Make sure you are continually testing, reviewing and updating your cybersecurity policies to ensure they remain effective as threats evolve.
      3. Know who shares your information. Have an inventory of everyone who can access your data, including third-party technology vendors and independent contractors.
      4. Know who you are speaking with. Whether it is a conversation with a third party vendor, or a request from your clients. Verify, verify, verify. Verbal communication and verification of identity prior to proceeding with any request is key.
      5. Use secure methods to converse with your clients and vendors. Make sure you are not exposing your client to identity theft or fraud by sending their personal information, or requesting they send you information, via an unsecured channel.
How does Hanlon as your partner protect your Firm and clients?
By ensuring the security of our Adviser & Client Portal technology through:

  • System security encryption
    • Edge Security – We utilize Palo Alto “Next Generation” firewalls. Which not only function to protect our environment on media layers of the OSI Model (Physical, Data Link, and Network), they function all the way through Layer 7 (Up to and including Layer 7, Application). Capabilities range from Geo-fencing to application approval/denial, allowing our team to secure effectively secure the network perimeter.
    • Security Platform – Hanlon utilizes a comprehensive security platform, Crowdstrike, providing typical antivirus functionality, as well as advanced heuristics to stop threats before they can be an issue.
    • Least Privileged Access – Internally we follow the security principal, of least privileged access, meaning, access rights are only given if it is needed to for a specific job function. This helps reduce the risk associated with data loss from internal vectors.
  • Shared Document Vaults
    • Advisers can upload documents to the vault for viewing by the client, such as reports, proposals etc.
    • Clients can upload documents to the vault such as Brokerage statements, copies of tax forms or a POA document to provide to the Adviser.
  • 2 Factor Authentication – Adding another layer of verification for both Advisers and Clients prior to accessing our Platform.
  • Secure Emails – Office 365 email encryption to secure emails with private information when emailing with an Adviser’s office or Custodian.
  • Standard Operating Procedures that support the security of client information:
    • Requiring active lists from our Firms and Advisers of all authorized persons, with verification points, to ensure we know who we are speaking with and that they are authorized to conduct business on that Adviser’s behalf.
    • Requiring active lists from our Firms and Advisers of all authorized persons, with verification points, to ensure we know who we are speaking with and that they are authorized to conduct business on that Adviser’s behalf.
    • If hard copies of documents are received, Hanlon shreds the documents that contain private information when they are no longer needed.
  • Key card access is required to access the Hanlon offices, to ensure security of all information in the building.

To perform a health check on your firm or office, use the FINRA Cybersecurity Checklist. Or, check out the ‘Building the five pillars of SEC Cybersecurity Requirements As a (Registered) Investment Adviser’.

Cyber security, continues to be on the rise and we, as an industry, must be ever diligent to protect our clients. As such, Hanlon continues our dedication to protecting Advisors and clients.

Hanlon Investment Management is an SEC registered investment adviser with its principal place of business in the State of New Jersey with offices at 3393 Bargaintown Rd., Egg Harbor Township, NJ 08234. Being a registered investment advisor does not imply any level of skill or training. This material should not be construed as an offer to sell or the solicitation to buy any security. We are not soliciting any action based on this material. To the extent that this material discusses general market activity, industry or sector trends or other broad based economic or political conditions, it should not be construed as research or investment advice. Hanlon Investment Management and its representatives are in compliance with the current registration and notice filing requirement imposed upon registered investment advisers by those states in which Hanlon Investment Management maintains clients. Hanlon Investment Management may only transact business in those states in which it is notice filed, or qualifies for an exemption or exclusion from notice filing requirements. Any subsequent, direct communication by Hanlon Investment Management with a prospective client shall be conducted by a representative that is either registered or qualifies for an exemption or exclusion from registration in the state where the prospective client resides. For information pertaining to the registration status, service and fees of Hanlon Investment Management, please contact Hanlon Investment Management or refer to the Investment Adviser Public Disclosure web site (

For additional information about Hanlon Investment Management, including fees and services, send for our disclosure statement as set forth on Form ADV from Hanlon Investment Management using the contact information herein. Please read the disclosure statement carefully before you invest or send money.