The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations ran a study to gauge the cybersecurity practices of advisor websites. The study revealed that 74 percent of broker-dealers and investment advisers had experienced cybersecurity breaches (either directly or through vendors) and had gaps in their defenses.
Cyber theft is the fastest-growing crime in the United States.
Yet, according to a 2016 study, only 29 percent of financial advisors say they are “fully prepared to manage and mitigate the risks associated with cybersecurity.”
The consequences aren’t insignificant, especially for any business that deals with finances. A financial advisor whose site gets hacked is likely to suffer public embarrassment, loss of clients — potentially even lawsuits.
How to know if you need HTTPS
Here’s the short answer: if you have a website, you need HTTPS. It’s rapidly becoming the internet standard. Any website that transmits and stores personally identifiable information and firm-sensitive information such as financial records needs HTTPS.
HTTPS and secure sockets layer (SSL) certificates work together to create an encrypted communications channel between a website and the end user.
Financial advisor websites are an irresistible target for cyber criminals because of the amount of personal information collected and stored on them. Names, credit card numbers, passwords — these are paydirt to a hacker.
Doesn’t E&O insurance cover data breaches?
Data breaches are partially covered by Errors and Omissions (E&O) insurance, as it covers claims arising from errors in the performance of your services. This can include technology services, such as software and consulting. The problem is that not having proper security (e.g. encryption) on your network can expose you to a claim of negligence.
E&O claims can increase the cost of the coverage, or cause a decline in E&O insurance coverage altogether. It’s easier just to be proactive and get an SSL certificate for your website(s).
Anatomy of a data breach
Aspiring criminals purchase software programs and equipment on the open market that conduct session hijacking and man-in-the-middle attacks. With a tool such as the WiFi Pineapple, an attacker intercepts information passing between a financial advisor’s website and a client’s personal computer. This is like the mailman opening one of your private letters, making a copy, resealing it and then delivering it.
To get into a website, hackers must look for a security gap. There are several ways criminals do this:
- They capture session IDs and cookies that enable them to log in to customer accounts using the “Remember me” feature.
- They submit fake contact information to the advisor website via a form and then, while impersonating the advisor website, send emails to customers asking them to confirm their account info.
- They impersonate familiar WiFi networks and insert themselves between the user and the internet, intercepting any transmissions — including online orders and logins.
Preventing Man-in-the-Middle with HTTPS
HTTPS — which stands for Hypertext Transfer Protocol Secure — scrambles, or encrypts, communications between client computers and protected websites.
Whenever you go to a website that’s protected with HTTPS (versus the typical HTTP), the website establishes an encrypted connection with your browser. Once this is set, all exchanges between the two are encrypted. To anyone else on the network who is trying to eavesdrop, the communication looks like a garbled, unintelligible mess. In most cases, this thwarts attempts to read or tamper with the traffic.
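The two attacks named above (captured session cookies and an eavesdropper in the middle) both depend on traffic or cookies travelling over plain HTTP. The following is an added example, not code from the original article or from GoDaddy: it audits a captured HTTP response the way a site owner would to confirm that plain HTTP redirects to HTTPS, that the HTTPS response sends Strict-Transport-Security, and that session cookies carry the Secure and HttpOnly flags. The sample responses and the host name advisor.example are constructed placeholders.

```python
"""Audit a captured HTTP response for the gaps a network eavesdropper exploits.

Added example, not code from the original article or from GoDaddy. The
sample responses below are constructed; advisor.example is a placeholder.
"""
import http.client
from urllib.parse import urlsplit


def audit_response(requested_url, status, headers):
    """Return a list of findings for one response.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    Checks: plain HTTP must redirect to HTTPS; HTTPS responses should send
    Strict-Transport-Security; session cookies need Secure (never sent over
    plain HTTP, so they cannot be captured off the wire) and HttpOnly.
    """
    findings = []
    scheme = urlsplit(requested_url).scheme.lower()
    lookup = {name.lower(): value for name, value in headers}

    if scheme == "http":
        location = lookup.get("location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("plain HTTP served without redirect to HTTPS")
    elif "strict-transport-security" not in lookup:
        # Browsers only honour HSTS when it arrives over HTTPS, so check it there.
        findings.append("missing Strict-Transport-Security header")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first "name=value" pair, e.g. {"path", "secure"}.
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly flag")
    return findings


def fetch_response(url, timeout=5):
    """Fetch one response without following redirects (for live use; not run offline)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


# Constructed samples (not captured from a real site).
WEAK_LOGIN = ("http://advisor.example/login", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
HARDENED_REDIRECT = ("http://advisor.example/login", 301, [
    ("Location", "https://advisor.example/login"),
])
HARDENED_LOGIN = ("https://advisor.example/login", 200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_LOGIN), ("redirect", HARDENED_REDIRECT), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(*sample) or "no findings")
```

Run against a live site with `audit_response(url, *fetch_response(url))`, once for the `http://` address and once for the `https://` address: the weak sample reports three findings, the redirect and hardened samples report none.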
How clients can tell if your website uses HTTPS
That’s simple. All prospects, partners and random strangers need to do is look in their address bar when they’re on your website to see if your site is secure or not. If they see HTTP with no “S,” they’re likely to pass on by.
Data breaches are making headlines almost weekly. So more and more people are looking for the HTTPS sign of safety in their browser bar before submitting personal information such as credit card numbers, birth dates or passwords to any website. If your website doesn’t display this prefix, it’s because you don’t have an SSL certificate.
To make the difference easier to spot, browsers now display one of three icons in the address bar (shown at right). Because you deal in finances, it’s essential that a padlock shows when visitors view your website. Otherwise savvy clients will be quick to click away from your site and go somewhere safe.
How to install HTTPS on your site
I recommend that you contact a web developer or designer to help install an SSL certificate. I’ve installed more than 50 of these, and I prefer to get assistance. Web designers and developers install these all the time, and I suggest paying no more than $50 for help with installation.
If you decide to do the installation yourself, the folks at GoDaddy support are an excellent resource. Here’s the process:
- Request an SSL certificate. At GoDaddy, a standard SSL certificate costs well under $100 per year.
- Verify that you own the website through one of several methods. (You may be asked to provide further verification if you opt for the Organization Validation or Extended Validation certificate.)
- Install the SSL certificate. The installation process varies and depends on the type of server your website is hosted on.
- Keep the certificate up to date. Certificates typically last one to three years, so make sure you remember to renew them (or just set your GoDaddy certificate to auto-renew). Otherwise, users will see vulnerability alerts on your website.
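Two of the steps above are easy to get wrong after the certificate is in hand: installing one that does not cover the host name visitors actually type, and letting it expire. The following is an added example, not code from the original article or from GoDaddy. It checks a certificate in the dictionary form that Python's `ssl` module returns from `getpeercert()`; the sample certificate, the 30-day renewal window and the host name advisor.example are constructed assumptions.

```python
"""Verify an installed certificate covers the site's host name and is not about to expire.

Added example (not from the original article or GoDaddy). Works on the
dictionary Python's ssl module returns from getpeercert(); the sample
certificate below is constructed, not a real issued certificate.
"""
import socket
import ssl
import time

RENEW_WITHIN_DAYS = 30  # assumed renewal window; adjust to your own policy


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry.

    Wildcards are honoured only in the leftmost label: *.advisor.example
    covers www.advisor.example but not advisor.example or a.b.advisor.example.
    """
    hostname = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".advisor.example"
            if hostname.endswith(suffix) and hostname.count(".") == pattern.count("."):
                return True
        elif pattern == hostname:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Days (negative once expired) until the certificate's notAfter timestamp."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now) / 86400


def check_installed_cert(cert, hostname, now=None):
    """Return the problems a visitor's browser would warn about, or soon will."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("certificate has expired")
    elif days < RENEW_WITHIN_DAYS:
        problems.append(f"certificate expires in {int(days)} days; renew now")
    return problems


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch the certificate a live server presents (for live use; not run offline)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "advisor.example"),),),
    "subjectAltName": (("DNS", "advisor.example"), ("DNS", "*.advisor.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
# Constructed "current time" values for the sample, in the same notation.
NOW_JUNE = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
NOW_MID_DECEMBER = ssl.cert_time_to_seconds("Dec 15 00:00:00 2024 GMT")
NOW_NEXT_YEAR = ssl.cert_time_to_seconds("Jan 15 00:00:00 2025 GMT")

if __name__ == "__main__":
    for label, now in (("June", NOW_JUNE), ("mid-December", NOW_MID_DECEMBER), ("next year", NOW_NEXT_YEAR)):
        print(label, check_installed_cert(SAMPLE_CERT, "www.advisor.example", now) or "no problems")
```

For a live check, call `check_installed_cert(fetch_peer_cert(host), host)` from a scheduled job; note that `fetch_peer_cert` uses the default verifying context, so an expired or mismatched certificate raises `ssl.SSLCertVerificationError` before the dictionary is even returned, which is itself the signal that visitors are seeing a warning.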
Got a WordPress website? Learn how to add an SSL certificate to it here.
Expect a wait time of an hour or more
Standard SSL certificates are approved quickly and provide the green padlock icon in your address bar, as well as a secure site seal to place on your site.
The EV SSL certificate turns the visitor’s address bar green, making it even more obvious your site is secure.
EV SSL certificates also display the green padlock icon along with your company name in the address bar, and come with a seal to place on your site. EV SSL certificates take longer to approve because an actual human validates your ownership of the domain name, along with the existence and legitimacy of your business.
The benefits of HTTPS for advisor websites
It’s probably obvious by now, but anyone who dispenses financial counsel or advice simply must do all they can to convince clients their personal information will be protected from hackers. The benefits of having an SSL certificate include:
When customers see the green padlock in the address bar on your website, it builds trust that their information will be transmitted securely. Many prospective clients won’t proceed without this.
No “insecure” warnings displayed to visitors
Google recently announced that it will begin to display some web pages as insecure if they are not using HTTPS. You can imagine the effect this will have on prospective financial clients who see it.
As advisors, we have a fiduciary responsibility to our clients. We also have the oversight of several state and federal insurance departments, compliance departments of the companies we represent, and the SEC. We all pay for Errors and Omissions coverage, and without it, we are out of business.
Peace of mind
Knowing that our customers’ personal information — and the other sensitive information our companies manage — is protected from the prying eyes of cyber criminals provides priceless peace of mind.
These days, the risk of robbery and theft isn’t restricted to physical breaking and entering. Criminals now steal information online they can sell for profit. If you have a website, do yourself and your clients a favor.
Do everything possible to protect client privacy and your company’s reputation.
With HTTPS encryption on your financial advisor website, you’ll be doing your part to make the web a safer place while protecting your own future.
Disclaimer: The above content should not be construed as legal or insurance advice. Always consult an attorney or insurer regarding your specific risks.