San Diego Business Journal

— Cybersecurity isn’t just an internal matter for wealth management firms.

Without educated clients and vetted vendors, firms may still find the security of their data at risk.

Dowling & Yahnke LLC, a wealth management firm based in San Diego, began planning an event for clients featuring a speaker who would address cybersecurity about a year ago.

Held recently, more than 200 people attended – many with questions spurred by the realization of the potential consequences of cybercrime following the breach at credit reporting agency Equifax, which exposed the personal information of about 143 million American consumers.

“It was one of our best attended events,” said Mark Muñoz, a partner at the firm, which manages more than $3.5 billion for roughly 1,000 clients, including families, endowments and foundations. 

The topic of the event had been determined by a survey asking about clients’ interests. Its date was set before the news of the Equifax breach was made public.

“It sparked a lot of conversation and a big response,” he said.

The firm has taken a number of steps to ensure clients’ data is protected, Muñoz said. All vendors Dowling & Yahnke works with are evaluated to ensure they take data security seriously, and those evaluations are reviewed annually.

“It’s not very exciting, but (these are) things we think are critical to mitigate risks out there,” he said.

The firm pays a company to monitor its network traffic for anomalies, and send out alerts if anything untoward is detected. That company also conducts penetration testing, using simulated attacks on the firm’s computer systems to test for weaknesses.

“We do not pretend to be experts in all these things, so we need to get best of breed solutions and leverage their expertise,” Muñoz said.

When new employees join the firm, their orientation includes a review of best cyber practices – and information about the damage that could result to the firm were they to disregard those methods.

New clients get a digital talking-to also, which includes information on how to properly establish accounts and use two-factor authentication for an added layer of security.

For more than two years, a committee at Dowling & Yahnke has been meeting twice monthly to track the latest information on cyber threats, review vendor evaluations and discuss other cybersecurity-related topics.

The wealth management firm HoyleCohen LLC, also based in San Diego, featured the topic in its latest newsletter to clients.

“Risk management is a big part of the wealth advisory business,” wrote Mark Delfino, the firm’s CEO and senior managing director. “We routinely help manage and monitor a myriad of risks: investment risks, liquidity risks, estate risks and health risks to name a few. Some are more apparent than others. Many can be mitigated and some can be avoided altogether with proper forethought and planning. Yet, few are as pervasive and as poorly understood as a risk that barely registered until this decade, namely cyber risk.”

Internally, HoyleCohen has an IT provider monitor its systems around the clock and test its back-up servers weekly. It also engages consultants to conduct penetration testing.

Staff at the firm, which has about $1.7 billion in assets under management, are trained in cybersecurity topics, and use redundancies built into the firm’s processes to ensure communications and transactions are authentic.

Like Dowling & Yahnke, HoyleCohen, too, reviews cybersecurity controls of its vendors.

The firm said it also takes a proactive approach if issues related to cybersecurity arise.

It recently alerted the CPA of a client that that person’s email had been hacked, and that someone was trying to steal their mutual client’s information.

Delfino said the firm plans to provide education via seminars and webinars to clients seeking more information about cyber security.

The firm urges clients to establish strong passwords and keep them up to date, use secure networks, be aware of the ways cybercriminals attempt to identity theft and monitor accounts regularly.

“This has become one of our highest priorities since effective use of technology has become critical to us internally, and capabilities like those becoming available through our client portal are becoming increasingly valuable to clients,” Delfino said.