When Securities and Exchange Commission examiners evaluate a business’ cybersecurity preparedness, they may focus on how well you’ve trained employees to be responsible and how the education is tailored to specific job functions.
Make training intentional and keep staff updated. Instead of two hours of cybersecurity training a year, you might consider implementing 30 minutes of training each month with varying topics such as recognizing phishing scams and fake calls from the IRS or client pretenders.
Get employees involved in writing and revising your policies and procedures for the six key cybersecurity areas. It may also help to set up leaders with specific knowledge and response roles for different kinds of security events your business faces.
Extend Training to Clients
Internal education and communication about cybersecurity is necessary, but the responsibility extends to clients as well. The security of your operations is linked to the caution clients take with their information.
As you build client relationships, set some ground rules for secure communication; for example, emailing a client to set up a phone call when discussing certain material. Teach clients how to recognize phishing scams and other threats that are beyond your business operation reach, but could still affect you in asset loss and data breach claims. Easy ways to educate clients and staff include sending articles and podcasts (try Cyberwire and Security Now) that outline cybersecurity news and practices.
What to Do After a Cyberattack
Even with extra meetings and careful measures by staff and clients, data encryption and software updates, errors can happen. A study by the Ponemon Institute found that more than a quarter of all data breaches in the financial sector were a result of human error.
There are several resources to review when planning your incident response plan, including FINRA’s guide, which outlines steps to take in case of a security event.
You can first contain and mitigate an event by shutting down a system or disconnecting from a network, depending on the type of incident. Then your team should identify affected assets within the organization, restore systems from clean backups or rebuild them from scratch, install patches, change passwords, and tighten network perimeter security. Investigate the extent of data and/or monetary loss and identify root causes, all the while keeping a log of this information for client communications and insurance claims purposes.
As soon as you think necessary, notify clients of the event and assure them you’ll make them whole by offering reimbursement or credit monitoring services. This is a way to assuage their future cybersecurity fears.
You may even want to visit your local FBI field office and get to know a nearby FINRA regulatory coordinator so you can plan collaboratively and proactively. It’s useful to have investigators and regulators in your corner in the event of an attack or breach.
Use your resources by connecting with regulators and joining online groups like the Financial Services Information Sharing and Analysis Center, a non-profit dedicated to sharing threat intelligence and analysis for the financial services industry, to find threat and vulnerability information, conduct planning exercises and more.
Consider how investing in your cybersecurity plans can add to your value proposition. According to the 2016 Cybersecurity Assessment by the Financial Planning Association, 21% of advisors haven’t invested in internal procedures, 23% haven’t invested in external help and 20% aren’t aware of their firm’s exact cybersecurity investment.
Allocating dollars and education, internally and externally, to cybersecurity measures could give your practice a competitive edge and the fortification your business needs to keep growing.
--- Read 2 Pitfalls to Avoid, 7 Tips to Optimize Your Tech Solutions on ThinkAdvisor.