Dealer CEO explains her firm's approach to evolving cybersecurity landscape

Gillian Kunza's approach begins with understanding that all advisors and investment firms are targets

“Risks need to be viewed as more layered, complex issues spanning large time horizons,” Gillian Kunza says of her approach to cybersecurity. “AI has really changed the game, and you can see that on a global scale now. Many attacks started a long time ago with data mining. Now you could be the victim of a breach that didn’t start with clicking a link on an email; it could have started a long time before that.”

Kunza is the co-founder and CEO of Designed Securities Ltd., a boutique dual-registered dealer that stresses advisor independence in its business model. Amid rapid changes in cybersecurity threats, amplified by the application of generative AI, she explained how her firm is approaching this area of risk as it impacts massive firms, banks, regulators and industry service providers.

The approach at Designed begins with an understanding that everyone is a potential target. Advisors are key hubs of client information, dealers are mandated with maintaining both client and advisor records, and regulators hold key pieces of dealer information. Every step along that interconnected ecosystem can be compromised. One way to protect against those risks, Kunza explains, is to segment and delineate as much as possible.

While regulation mandates the maintenance of certain records for key periods of time, Kunza notes that there are advantages to leaving out the “extra stuff.” Pieces of information, be they personal details about a client’s hobbies or tax forms that contain SIN numbers, can be assessed by necessity and disposed of if deemed unnecessary. Eliminating duplicate information, too, can help protect against a breach. So can maintaining separately secured repositories of data relevant to different areas. If there is a breach in one area, at least that doesn’t represent a wholesale breach of every piece of data maintained by a dealer.

While Kunza notes that this approach is “obvious” in theory, as organizations grow and roles overlap between business units or departments, sometimes the human tendency to keep information on hand can lead to weaknesses.

Generative AI adds a new dimension to this cybersecurity risk: personal details, writing styles, and even the sound of someone’s voice can be copied and impersonated by an AI tool to obtain key pieces of information. Including some personal details in client notes, however, is part of how advisors can meet regulatory requirements that their client notes represent more than just a checklist. Kunza highlights a tension between documenting only the most generic facts and documenting the client as a whole person. More detailed notes about the client as a person can help with credibility in the case of an audit but may leave that client more exposed to cybersecurity risk.

With the rise of generative AI also comes its use and application to support advisors and dealers. AI notetakers have become increasingly commonplace, and may be a helpful tool in crafting and maintaining quality notes about client meetings. However, giving that third-party large language model access to a client interaction also comes with some risks. Kunza says that her firm is following CIRO guidance as they explore the various applications of generative AI. They work with established organizations, with demonstrated credentials, for their overall technology stack, which gives them access to a large-scale tech platform and a single point of contact to ensure data privacy and security.

Designed bills itself as a facilitator for independent advice. Kunza notes that means many of their registered advisors take different approaches to the use of AI. Some are early adopters, while others are choosing to stick with how they’ve worked in the past. Kunza’s job is not to stand in the way of the direction any advisor chooses to take. However, she and her head office team must communicate risks, awareness, and safe protocol around cybersecurity as some Designed advisors start working more and more with AI.

Achieving that message of discipline means setting the tone with advisors early. Kunza explains that from their onboarding and training meetings with an advisor, the head office team at Designed will integrate cybersecurity practices into their processes. Advisors will be told, for example, not to send attachments via email and to upload them to secure portals instead, or not to send personal information relevant to other members of their family. While some personal information has to be shared, Kunza and her team are clear on where those limits are and what they expect advisors to send. With all their advisors, Kunza says, they work to communicate with a cadence and diversity of messaging that reduces ‘email fatigue’ and manages to successfully disseminate key information.

While some firms cite their scale and operational integration as underpinnings for greater cybersecurity, Kunza argues that any firm of any scale can be a victim. Some of Canada’s biggest banks have been victims of cybersecurity breaches. She instead says that all firms can assume that the threats are out there and pull together a diverse range of protection measures to counter them and mitigate their potential impacts.

“You just have to take the best measures,” Kunza says. “Given your business model, given the higher areas of risk for your business, what data you have, where you have it, and work with your partners.”
