Cybersecurity is the most important issue facing the advisory industry and should be a top concern for regulators, according to most registered investment advisors polled recently by TD Ameritrade Institutional, and technology remains the top management challenge for them.
To break down what advisors and their financial firms need to do to better protect themselves from cyber risk, Think Advisor spoke at length with Sid Yenamandra.
The co-founder and CEO of tech security firm Entreda is well-versed in the potential causes of a major cybersecurity-related disruption. He spoke with us about the overall threat posed to the financial industry by cyber attacks and why the cyber insurance field is like the Wild Wild West in earlier interviews.
ThinkAdvisor: How can financial service firms determine the risks they face, and what should they do with that information?
Yenamandra: The SEC and FINRA and many of the state boards clearly say that cyber security is a key operational risk item that firms have to watch out for.
The way to identify operational risk essentially is to start with a comprehensive risk analysis of the organization, and that entails looking at everything — not just at your endpoints or your users — it’s looking at physical security.
There’s a number of governance frameworks that most organizations use as best practices.
For example, the National Institute of Standards and Technology has the 800-53 framework, which is commonly used by many organizations to assess risk. Another one could be an ISO 27001 framework or the General Data Protection Regulation framework.
Once you do the risk analysis, then you have to prioritize the risks — because you might find about 500 different things that you want to go ahead and fix, but you may not have the time or the resources to address every one of those items.
Most organizations would be best served to quantify these risks based on either business priorities or, from a prioritization standpoint, [looking at] how the risks that impact their business. Prioritize the top three [or] top five and then start to work on mitigation strategies one by one.
When we do a comprehensive [review], we [take] five different steps: identify, detect, protect, respond and recover.
We then assess the risks that an organization has relative to those five steps. Once we find the gaps, we list the top five or so risks. Then we risk score and … work on risk-mitigation strategies for each one.
For instance, if we find there’s a wide network of devices because a firm is issuing mobile devices, and [employees] are accessing mobile devices, those devices need to be secured. Therefore, we put some risk-mitigation strategies in place just to secure the mobile applications.
[If a firm has] a bunch of vendors, [we] make sure the vendors are not putting the organization at risk. An organization has to take stock of all its vendors, send questionnaires and do a “trust but verify” on all them.
There are all sort of risk-mitigation frameworks. The best tip is there isn’t enough time for most organizations, big or small, to be able to do all this in-house.
You can do some things in-house, but it’s best to get a fresh pair of eyes to look at what the operational risks are to an organization from an outside-in perspective, preferably a firm that has a lot of expertise doing this — have that firm basically document the process. It’s good from a fiduciary standpoint, as well as [for] checks and balances.
TA: What particular risks do should smaller firms, like RIAs who are solo practitioners, face?
Yenamandra: We get asked that all the time from our clients. They say, “You know I’m a small financial advisory firm. I’ve got three people maybe a couple of staff members five people in total, why would someone attack me? What do I have that is so valuable?”
Those kind of size questions certainly are valid, but are absolutely untrue.
A hacker is not looking at the size of the firm. Independent of the size of your firm, you could be part of a larger network, and so getting into your environment could allow a hacker to basically get into a larger group.