Based on what we see happening in the RIA industry, we expect 20% of financial advisory firms will have some type of security breach from an outsider this year. With investor protections as their foremost concern, no wonder regulators are asking independent registered investment advisors (RIAs): how ready are you for a security breach?
Cybersecurity readiness encompasses a firm’s plan for prevention, investor protection and breach management. At its best, cybersecurity management is a three-legged stool, with equal attention and care given to technology, policies and people for optimal results.
Technology: The Starting Point
Cybersecurity management starts with having the right technology in place to prevent or sidestep disaster. Regulators want to see the kinds of firewall protections RIAs have in place, the usage of passwords and encryption, and whether advisors are using tools like multifactor authentification.
Technologies like firewall hardware and software, antivirus, anti-spam, content filtering, malware software and the like are foundational and mandatory. They identify issues based on what is already known about cybercrime and hacks — including ransomware — and have a huge role to play in prevention.
RIAs should minimize the number of passwords that employees need and consider using password vaults to help them do so. There should be encryption technology in place for email communications and file access. Firms that use cloud-based document vaults for file sharing with clients should take a multi-factor approach by encrypting files prior to putting them in a cloud vault.
Mobile devices used for business purposes, including phones, laptops and tablets, need to be secure and “dumbed down” with limited access points into the firm in the event the device is lost or stolen. The alternative — an older, but nevertheless well-tested option — is to have a policy requiring users to have separate devices for their own personal use, and not for the business of the firm or its clients.
Policies: Managing What You’ve Got
With the right technologies in place, regulators want to know how RIAs monitor and manage them. Firms need enforceable policies and procedures that reduce the frequency of system issues and improve resiliency when issues do happen.
Good security protocol means backing up the firm’s data frequently, and knowing what the data back up to. It means running and reviewing reports and periodically testing backups to ensure they will work in a crisis.
Technology management and oversight also extends to the firm’s external technology providers. According to regulators, RIAs are responsible for knowing what their technology vendors do with their data, and whether their procedures would pass an audit. This includes doing due diligence on the vendor’s procedures for keeping the firm’s data safe from external breaches and for protecting it from internal sources. For example, what if a vendor encrypts viruses? If the vendor or application provider is doing backups, advisors need to know when the backups are done, who has access and how to get data back should they decide to switch providers.
People: The Weakest Link