What the Securities and Exchange Commission calls an “incident” in its Incident Response Plan, most people would call a “breach,” Brian Edelman, founder of cybersecurity firm Financial Computer, said in a session on Wednesday at the TD Ameritrade National LINC 2016 conference.
For example, if an advisor’s laptop is stolen and it isn’t encrypted, that would constitute a breach; were it encrypted, it would only constitute an incident.
Neil Baritz, co-founder of Baritz & Colman LLP, referred to a case where the SEC fined R.T. Jones $75,000 following a breach over the firm’s lack of written cybersecurity policies rather than any consequences of the breach, which put the personally identifiable information (PII) OF 100,000 people at risk.
Baritz stressed that firm personnel need to understand the role they play in protecting client information.
Preparing for the Inevitable
Craig Moreshead, director of compliance for Regulatory Compliance, said in a following session that firms can’t prevent a breach, but they must take steps to minimize the impact. He said the chief information security officer can be an individual or a committee, and recommended forming a team including key members of the sales, human resources and technology divisions to be responsible for cybersecurity.
Firms also need to understand their third-party vendors’ cybersecurity policies, as a lot of client data is actually housed somewhere else.
He stressed there’s no cookie-cutter approach to creating a best practices policy. Advisors have to be introspective about their firm and what they need.
He added that a cybersecurity policy should also address physical data: who can access file cabinets, where are documents stored and who can access that part of the building.
Mobile devices need to be addressed, too. Regardless of who owns the device, if it’s being used for work, it should be covered by the policy.
Bryan Baas, managing director for TD Ameritrade Institutional and moderator of the panel, said employees may be eager to jump on any Wi-Fi network to avoid going over their mobile plan’s data limit, but an unprotected network can be easily hacked. It’s less expensive to pay for data overages than a recovery, he said.
Brian Edelman said that IT support is not the same as cybersecurity, and firms should approach a cybersecurity plan just like a financial plan. He warned that advisors be careful with the free version of many vendors’ products. For example, Gmail is the most commonly hacked email, but if the firm pays to have their own domain, it’s safer from attacks. Should You Report a Breach?
Part of the the trouble for R.T. Jones was the firm outsourced its cybersecurity processes, but didn’t properly vet the third-party firm, Baritz of Baritz & Colman said. When they discovered the breach, they self-reported it, but because no clients were hurt, it may not have been an appropriate first step.
That’s why Edelman said the first step after a breach is for an advisor to contact his or her lawyer. Attorney-client privilege can protect the advisor from sharing too much while determining what happened and how to respond.
After that key first step, firms should ensure all members of their incident response team, legal and technical, understand their roles and responsibilities.
Baritz stressed that firms need to understand whether, not just when, they need to report a breach to the SEC.
The last few years have been the most interesting in cybersecurity, Edelman said; there’s been “more movement” in protecting private client data in the last year than in the 30 years prior.
He noted that under the Sarbanes-Oxley Act, chief infomation officers’ personal assets can be at risk if a firm is found to have been negligent in protecting client data.
In a sentiment you don’t often hear, he added, “My hat’s off to the SEC,” noting that the financial services industry is the safest place for personal information.
— Read Advisors, Own Your Compliance on ThinkAdvisor.