Social media websites like Facebook and Twitter can help financial advisers tap a rich source of potential business. But there are risks associated — beyond the fear of someone posting false information about you — that can compromise an adviser's reputation and computer network. Some so-called “friends” could actually be hackers working to take over profile pages or infect users' computer systems with malware, say technology professionals.
Hackers, for example, could post embarrassing comments using the adviser's name. They could also try to harvest tidbits of information, including names, birthdays and photographs, and use them to help create false identities which could be used to open credit or other accounts. What's more, an adviser's hacked account can automatically send messages that contain malware directly through social networking sites. Or an adviser could unknowingly infect his or her own business network by opening a malware-laced link sent via message.
The trouble is, most people do not realize these things have happened until after the fact. Advisers are no different. “I don't think advisers have given much thought to protecting themselves from hacking on social media sites,” said Korrine Kohm, vice president at Ascendant Compliance Management, a consultancy in Salisbury, Connecticut.
It's all about being connected, but is it safe?
Companies typically have filters and firewalls in place to protect their internal computer networks. But those types of precautions usually do not extend to applications, or apps, advisers may run on portable devices, such as iPhones, to access social networking sites, according to Kohm.
Knowing the risks before jumping in can help advisers protect themselves from security breaches and possible regulatory trouble, compliance consultants said.
The ramifications extend beyond annoying clients or an expensive tech clean-up. Advisers must archive posts and messages they send through social networking for three years, according to recent regulatory guidance. But hackers could distort those archives by deleting or rewording prior posts, according to Conrad Jacoby, a senior attorney at Winston & Strawn LLP in Washington.
That could raise eyebrows among securities regulators, said Jacoby, who advises clients on managing information that is stored electronically. Altered posts could be embarrassing or violate securities industry advertising rules.
Social media monitoring and archiving software can help advisers keep track of their social media communications, including anything that is removed or altered. That could help eliminate concerns that regulators may have if a hacking problem crops up.
Facebook, Twitter and LinkedIn did not respond to emails from Reuters requesting comment. However, each include security information on their websites that advisers should review. A Facebook page, for example, explains threats, such as Koobface, a computer worm, and how to identify them. LinkedIn audits its system for possible “vulnerabilities and attacks,” according to its site.
Compliance programs that raise awareness of social media issues can help advisers manage hacking risks — and potential regulatory trouble, said Glen Gilmore, a social media lawyer and principal at Gilmore Business Network, a consultancy in Hamilton, New Jersey.
The SEC, in recent guidance, signaled that advisers should consider social media training “to promote compliance and to prevent potential violations of the federal securities laws.”
Training could include how to recognize sham messages that may contain viruses, or procedures to follow if a hacker takes over an adviser's profile page and spouts posts about, say, a new weight-loss supplement.
Advisers who diligently keep watch over their social networking profiles are also more likely to avoid problems. Recent guidance to advisers from Massachusetts Secretary of the Commonwealth William Galvin suggested reviewing social networking sites daily to ensure that their content complies with regulations. Ongoing reviews of social media profiles can help advisers tackle problems early when they do occur. That could include telling clients — quickly — that an embarrassing message about legalizing marijuana really came from a hacker.
“Companies have to anticipate there will be problems,” Gilmore said. “But how they handle it is what separates who masters social media and who doesn't.”