Advisors and financial planners work in a highly regulated industry. Over
the last 20 years, my annual compliance efforts and expenses have
increased from a dozen hours
and a few hundred dollars to
dozens of hours and five figures.
It’s a price I’m willing to pay to
remain in an intellectually interesting, behaviorally challenging
and (still) well-paid profession.
SEC and state regulators are focusing
more of their attention on cybersecurity
— conducting sweeps of broker-dealers
and advisors to evaluate firms’ vulnerabilities. Brokers, advisors and planners
are being warned to get their act together
or face serious regulatory consequences.
At a recent seminar, I heard compliance
experts caution any of us who lacked
meaningful cybersecurity protocols to
get our digital act together, and quickly.
When compliance consultants run a
seminar, their job is to scare us so we’ll
hire them. However, this time their tactics
were well-founded. The SEC is dead serious about this matter, and it should be.
I am not an expert. Outside of my own
experience (17 years operating a completely
digital office), I’ve spent maybe
a month actively researching cybersecurity,
cybercrime, cyberterrorism and
all things related to this issue.
Despite that handicap, the conclusion
of the experts whose papers I’ve read was
unambiguous: If you are a financial professional and you are not doing everything
you can to tighten up your digital security,
the SEC will be the least of your problems.
Our businesses, our government and
much of our personal lives rely on the
existence of a healthy and robust digitally
interconnected world. Yet the very real
danger from cyberthreats doesn’t create
the same instinctive fear response we
experience with physical risk.
In addition, because we have no collective
or personal memories of what it
feels like to experience a digital calamity,
we can’t conjure up what it would
feel like. This makes it next to impossible
to feel a sense of urgency.
I think that our understanding
of these threats will become
more tangible if we reframe them
outside of their digital context and
try to imagine an analogue within
the physical world.
Let’s say that on an otherwise
ordinary morning, you are walking
down the hall to your office.
As you approach the door, you notice it’s
ajar. You carefully open it, and discover
that your office is full of strangers.
Most of them are just sitting silently
doing nothing; others are asleep on the
floor. A few are in your file room stuffing
account records into a large safe, while
others are just rummaging through files
making a complete mess of them. No
one appears to notice or care that you
As you look around the office there
are holes in the floor, in the walls, on the
ceiling — even through the window. Every
once in a while you see someone climb
in or out of one of these holes — and you
realize there are a lot of intruders in your
little office. Looking back at the front door,
you notice someone changing the lock.
You snap back into reality, pull out
Digital or Mental Defense?
When it comes to cybersecurity, the SEC may be the least of your problems
By MARSHALL JAFFE