Today’s independent financial advisors wear many hats, from portfolio manager to behavioral coach to chief financial officer of their own businesses. But there’s another responsibility that has become increasingly critical in recent years—that of identity protector. With major security breaches and other smaller-scale hacks on the rise, advisors need to understand where they may be vulnerable and what steps they should take to close any open doors to their clients’ sensitive information. It’s a big job, and it’s hard to know where to begin.
With this in mind, let’s look at some of the cybersecurity issues regulators are focusing on, as well as considerations for protecting your clients and your business.
FINRA’s Meeting of the Minds
Earlier this year, we attended the 2016 FINRA Cybersecurity Conference, which was a great opportunity to gather with industry peers and regulators and discuss the cybersecurity challenges and risks we face on a daily basis. One theme was abundantly clear: we are all in this together and have a common goal, which is to protect clients from the constant onslaught of scams and the bad actors that perpetrate them. Being successful at this? Well, that’s a different and much larger story.
Cybersecurity blueprints. As you might expect, the presenters and panelists at the FINRA conference highlighted the scams that financial professionals are seeing now or eventually will see. Perhaps the most valuable takeaway was how financial companies can approach implementing a cyber-risk program using the plethora of best practices and resources that are publicly available. There was a lot of discussion and guidance regarding cybersecurity frameworks—in particular NIST or ISO 27001—and how advisors can use these frameworks as “blueprints” to identify and mitigate risk exposure throughout their organizations.
Information sharing. Another key topic was cyber-threat information sharing, which is quickly becoming an invaluable and necessary lifeline that enables us to proactively protect our most important assets. The Financial Services Information Sharing and Analysis Center is one resource that financial institutions, broker/dealers, and regulators can use to share intelligence about threats and the actors associated with them.
Preventing common attacks is very much possible when you have the right intelligence. Recognizing this, the Department of Homeland Security is moving forward with the Cybersecurity Information Sharing Act. The biggest piece of cybersecurity legislation we’ve seen, it was passed just last year and includes preliminary guidance on how the private sector and government will communicate threat data. (To learn more, check out this post on the Data Protection Report.)
The SEC’s Focus on Cybersecurity
The SEC is another agency that has given cybersecurity special attention.
- In 2014, the SEC held a Cybersecurity Roundtable with industry representatives to discuss the importance of cybersecurity to the financial services industry.
- Shortly after this, the SEC conducted a Cybersecurity Examination Sweep, which involved targeted exams of more than 100 broker/dealers and investment advisers that assessed firms’ overall preparedness to deal with cyber attacks. The sweep exams requested information and documentation on how firms addressed risks related to cybersecurity, including governance, policies and procedures, network security, remote access to client information and fund transfers, vendors and due diligence, and detecting unauthorized third-party activity.
- In February 2015, the Cybersecurity Examination Sweep Summary was released.
- In September 2015, the SEC announced a second round of cybersecurity exams involving more testing of firm procedures and cybersecurity controls.
- In its Examination Priorities for 2016, the SEC announced that it will continue to focus on cybersecurity as a high-priority marketwide risk.
This activity makes it clear that the SEC will be including cybersecurity as a component of its broker/dealer and investment adviser exams for the foreseeable future. Further, it expects broker/dealers, investment advisers, and other financial firms to implement information security programs based on a framework of industry standards, practices, and guidelines. In fact, many of the questions in the first Cybersecurity Examination Sweep came directly from the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. But what does this mean for you?
Preparation is critical. The SEC is currently conducting exams of broker/dealers and investment advisers of all shapes and sizes. During the exams, the SEC will ask to see your firm’s information security policies and procedures, interview staff, and request information on security incidents the firm has experienced. To prepare, you should review the SEC’s releases, including:
- The Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative
- OCIE’s 2015 Cybersecurity Examination Initiative
Be ready to answer all of the questions contained therein. Also, expect a more in-depth exam experience, as the SEC has started asking much more technical and detailed questions than ever before.
Commonwealth’s Dedicated Solution
At Commonwealth Financial Network, we believe our advisors should not be alone in managing the security risk of their organizations. In addition to written information security procedures and templated security policies our affiliated advisors can customize for their own practices, we offer a service in which we wear the security hat and manage the necessary security hardware and software for our advisor offices. We call it the Commonwealth Shield. And we designed the Shield in response to SEC, FINRA, and state regulations that define advisors’ responsibilities for protecting clients’ personal information. The Shield includes multiple layers of important security safeguards, including:
- Hardware firewalls
- User provisioning and access management
- Update and patch management services
- Antivirus/antispyware protection
- Portable media security
- Secure remote access
The result? Our advisors get to spend less time worrying about security or trying to be security watchdogs and more time doing what they do well—being financial professionals.
Be Aware of the Risks
Whether your organization is large or small, someone has to assume the security hat. After all, the cyber thieves and hackers are committed—and they have the time, resources, and patience to achieve their goals. What we hope you take away from this discussion is that if you educate yourself on what the risks are and what strategies can be used to mitigate them, you will be taking an important step in safeguarding your business and your clients’ sensitive information.
To learn more about a fully integrated and intuitive technology platform that includes critical information security safeguards, download the Total Technology Solution guide.
This post originally appeared on Commonwealth Independent Advisor, a blog authored by subject-matter experts at Commonwealth Financial Network®, the nation’s largest privately held independent broker/dealer–RIA. To subscribe, please visit http://blog.commonwealth.com/