The massive Equifax breach announced to the public in September 2017 only serves to fuel the daily angst I feel as the chief compliance officer/chief investment officer for our $200-plus million RIA. If Equifax, with its tremendous resources, can be compromised, what fate awaits us in an environment of unrelenting cyber warfare?
As a small RIA, we can’t mount the same defense against cyber criminals as large, deep-pocketed firms. However, we still have the same responsibility to safeguard our clients’ nonpublic information (NPI). This stark reality serves to crystalize our approach to building an adequate defense. Here is the foundation of our cyber plan:
We begin by acknowledging certain fundamentals about cybersecurity:
- We have a regulatory, if not sacred, responsibility to shelter our clients’ NPI.
- Our resources are limited in the fight to protect client NPI. This is true in terms of dollars, tools and, most likely, comprehension.
- Protecting NPI is fraught with risks both real and significant.
- Whatever our plan and process entail, we monitor constantly and seek continuous improvement.
- Most of what constitutes cybersecurity is very technical in nature, way above our pay grade and well out of our wheelhouse of expertise, so we must assemble a competent team to assist us in this endeavor.
- We can delegate much of what should be done, but we can’t delegate responsibility for protecting NPI. Ultimately, we shoulder the burden of protecting the personal information clients entrust to us.
Guidance provided by the Securities and Exchange Commission and templates offered by organizations such as National Institute of Standards are, in a word, overwhelming. When assessing your cyber posture, it is very easy to lose your mind in the cacophony of these complex and often arcane materials.
Understand where the risks lie. Whether at rest or in motion, data is subject to compromise. In either case, we must protect our clients’ information.
Inside the firewall are issues internal to our firm, outside of the firewall external issues related to the third parties with whom we work. Viewing cyber issues in this manner helps to maintain perspective and to digest manageable pieces.
Internally, assess people, systems and hardware. Is our team trained, aware and practicing sound cyber hygiene? Are team members following established processes? Do team members understand the importance of avoiding using firm systems for personal business?
Team members must comprehend that they risk a breach of our carefully constructed defenses when they conduct personal business on over our network. Specifically, our team should access their personal systems on our guest network, which is outside of the firewall.
Critically, employees are our greatest risk, and that risk simply falls into the realm of unintentional and unnecessary mistakes. They must be diligent and thorough; lazy and sloppy doesn’t work.
Customer service standards may need to be adjusted. For example, verbal confirmation of wire transfers is a must, which may be a departure from current practices. Don’t compromise, retrain staff and clients as necessary to conform to this environment. Beyond training, nurturing a culture sensitive to sound cyber practices and awareness is essential. Encourage staff to escalate concerns and problems quickly.
Externally, assess physical/logical data protection, documentation and communication. Are you able to confirm that they do what they say they do? Familiarize yourself with Service Organization Control reports. These reports provide valuable information on firm postures and practices. Vendors are not likely to convey the details of their cyber defenses. This is understandable. Then what are you looking for?
- How do vendors connect to our network?
- What encryption practices do they use? How do they manage credentials?
- How do they train team members?
- When are they required by contract to respond to breaches?
- How do they communicate about breaches?
When we cross the boundary between internal and external, when data moves from rest to transit, are we protecting data through secure email, encryption or by placing sensitive information in a portal or lockbox?
Assessing is largely a function of asking questions and then digging for the answers. However, there is also a “physical” component. Physical evaluations include:
- External vulnerability: Is your system vulnerable to exploitation by outside forces? Is your system susceptible to the know Common Vulnerabilities and Exposures (CVE) Entries? This testing involves pinging your firewall with these culprits to look for weaknesses.
- Penetration testing: Can your system be exploited using these same CVE Vulnerabilities.
- Internal vulnerability: Is your system already compromised internally or potentially vulnerable to exploitation?
We monitor a series of reports that emanate from several sources to keep tabs on our defenses. These reports are dedicated weekly and monthly compliance tasks. We are looking for anomalies and inconsistencies in these reports. We continuously refine what we look for and the reports we use.
Brutal honesty in your assessment only makes sense as you contemplate how to harden your defenses against the enemy. Don’t cheat yourself by doing less than a thorough assessment. Address the weaknesses identified by your evaluation.
- Hardware and configuration issues.
- Practices: policies, procedures, protocols.
- For example: Are employees authenticating clients on the phone? Are employees verifying instructions received by email?
- Wire transfers.
- Your controls fail?
- Your hardware fails?
- You are victim of a ransomware?
Answers to your questions ultimately bring you full circle to assessing what you’ve learned. Keep asking the questions and seeking appropriate answers. Document what you know and what you are doing.
Asking “what if” also entails developing your response to these various scenarios. Determine who you need to contact and when. Think thresholds such as internal and external IT professionals, legal counsel, law enforcement agencies, partners and, of course, impacted clients.
Your incident response plan (IRP) will vary based on the problem. How you respond is critically important to your clients as well as to regulators.
Don’t be overwhelmed by the complexity of cybersecurity. While the relative frequency of large-firm breaches is scary, smaller firms can’t wish the threat away or hide from the reality of this constant battle. While we do rely on external expertise, we remain at the center of arranging and maintaining our defenses against cyber threats.
This approach is not advocating a lack of depth, but simply tackling the problem in increments we can absorb. Nor is this to diminish the need to adhere to accepted standards or protocols.
Dig deeper with each iteration as your knowledge and confidence grows. Most importantly, stay engaged and avoid sticking your head in the sand out of fear or paralysis.
Timothy P. White, CFP, is managing director at Johnson & White Wealth Management, LLC, located in York, Pennsylvania. You can reach him at firstname.lastname@example.org.