Advisors need to protect themselves from many of the same kinds of cybersecurity issues that have plagued other organizations across multiple industries in the past few years, according to compliance software maker RIA in a Box.
“Your employees can be your greatest cyber defense or your greatest weakness,” Oriana DeRose, senior vice president of sales at RIA in a Box, said Wednesday, during a webinar on RIA cybersecurity best practices and her company’s MyRIACompliance cybersecurity platform.
First, the good news for RIAs: “Many firms have developed a solid network security and endpoint device plan, which is a critical step forward,” she told listeners. But she added: “Most cybercriminals attempt to steal RIA client company data from three key entry points: (1) Tricking company employees into providing direct or indirect access — their attempts are always changing and we can all easily be tricked; (2) gaining access through your third-party vendors; and (3) hacking directly into your technology access.”
RIAs, therefore, “need more than a policy; you need to be able to put all of your policies into action to have an effective cyber program,” she said. Firms should follow the security guidance of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), she said, noting NIST is the “framework that the Securities and Exchange Commission and state regulators focus on to provide guidance and recommendations.”
NIST’s framework includes five functions: Identify, Protect, Detect, Respond and Recover, RIA in a Box pointed out. These concepts are all pretty familiar to anybody who has worked for regulated entities before, according to DeRose.
Steps that RIAs should take to follow NIST’s recommendations include identifying who has access to the firm’s systems and data and at what level, as well as inventorying the devices employees use, she said. Firms should also detect and report security breaches, determine their impact, and have response, notification and remediation plans in place that can be executed to limit harm from the current breach and reduce the chance of a recurrence, she pointed out. All of these should be kept in mind when an organization develops a cybersecurity plan, she said, adding that RIA in a Box also kept the NIST framework in mind when developing its cybersecurity solution.
The SEC has regulations that pertain to cybersecurity: Namely, Regulation S-P (the Safeguards Rule) and Regulation S-ID (the Identity Theft Red Flags Rule). But the SEC doesn’t have a “cybersecurity rule” per se, DeRose noted. However, “not having a direct rule for cybersecurity on the books does not mean that a firm should not or does not need to act,” she warned, noting the SEC has provided guidance in several areas, including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
For one thing, the SEC has often identified cybersecurity issues related to ex-employees still having access to company systems and sensitive client information after leaving a firm, she noted. Firms should therefore make sure that a departing employee’s access to systems and sensitive information is revoked as part of offboarding, and periodically verify that it was: an account belonging to someone who has left should be disabled and should show no sign-ins after the separation date.
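One way to perform that verification, as an added illustration that is not part of the article or of RIA in a Box’s platform: reconcile the HR separation list against a user export from the identity provider and report every leaver whose account is still enabled or was used after the separation date, plus accounts nobody in HR owns. The two CSV exports, their column names and all of the dates below are constructed for the example; real HR and identity-provider exports will have different columns.

```python
"""Reconcile an HR separation list against an identity-provider user export.

Added example; not code from RIA in a Box or the webinar. The two CSV
exports, their column names and all dates are constructed for illustration;
real HR and identity-provider exports will have different columns.
"""
import csv
import io
from datetime import date, datetime

# Constructed HR export: who works here, and when leavers separated.
HR_CSV = """employee_id,email,status,termination_date
1001,alice@example-ria.com,active,
1002,bob@example-ria.com,terminated,2023-05-31
1003,carol@example-ria.com,terminated,2023-06-15
1004,dave@example-ria.com,active,
"""

# Constructed identity-provider export: account state and last sign-in.
IDP_CSV = """email,account_status,last_login
alice@example-ria.com,enabled,2023-07-01T09:12:00
bob@example-ria.com,enabled,2023-06-20T14:03:00
carol@example-ria.com,disabled,2023-06-14T17:45:00
dave@example-ria.com,enabled,2023-07-02T08:00:00
erin@example-ria.com,enabled,2023-07-01T11:30:00
"""


def load_by_email(csv_text):
    """Index a CSV export by its lower-cased e-mail column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["email"].strip().lower(): row for row in rows}


def find_orphaned_access(hr_csv, idp_csv, as_of):
    """Return (email, reason) findings for accounts that should not be live.

    as_of is an ISO date string (the day the review is run). Two checks per
    leaver: is the account still enabled, and was it used after separation?
    Accounts with no HR record at all are reported too, since nobody owns them.
    """
    review_date = date.fromisoformat(as_of)
    hr = load_by_email(hr_csv)
    idp = load_by_email(idp_csv)
    findings = []
    for email, account in idp.items():
        person = hr.get(email)
        if person is None:
            findings.append((email, "account with no matching HR record"))
            continue
        if person["status"] != "terminated":
            continue
        left_on = date.fromisoformat(person["termination_date"])
        if left_on > review_date:
            continue  # separation is in the future; access is still legitimate
        if account["account_status"] != "disabled":
            days = (review_date - left_on).days
            findings.append((email, f"still enabled {days} days after separation on {left_on}"))
        last_login = account["last_login"]
        if last_login and datetime.fromisoformat(last_login).date() > left_on:
            findings.append((email, f"signed in on {last_login[:10]}, after separation on {left_on}"))
    return findings


if __name__ == "__main__":
    for email, reason in find_orphaned_access(HR_CSV, IDP_CSV, "2023-07-03"):
        print(f"{email}: {reason}")
```

Run against the constructed data with a review date of 2023-07-03, the script reports bob twice (still enabled, and a sign-in three weeks after he left), erin once (no HR record), and nothing for carol, whose account was disabled before her last day. The post-separation sign-in check is the one that turns a missed offboarding step into an incident to investigate rather than a housekeeping item.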
The SEC has also provided guidance on vendor management, DeRose said, noting some of the largest data breaches in recent years may have been from the hacking of third-party vendor platforms. While it’s important to identify the vendors that pose the most risk to one’s firm, “all your vendors must be reviewed,” she said.
Top tips for vendor management include implementing policies and procedures to address third-party vendors, performing proper due diligence prior to selecting a vendor, performing proper ongoing due diligence reviews, conducting regular vendor risk assessments and signing non-disclosure and confidentiality agreements, according to RIA in a Box. Other vendor management tips: Limit the types of data and access given to a vendor, review the contract with a vendor, review the vendor’s business continuity plan, understand who from the vendor will have access to sensitive data and research the vendor online.
One common cybersecurity threat is ransomware: malware that encrypts the files on a computer or other device, or otherwise locks the victim out of the device or of specific data on it, and demands a ransom in exchange for restoring access. Often the hacker also threatens to distribute the information he or she has seized unless a ransom is paid, DeRose noted.
The top safety tips to combat ransomware are to be very cautious before granting anyone remote access to your computer and to follow email phishing prevention best practices, which are: not trusting the sender display name (the name shown is free text chosen by whoever sent the message and says nothing about the address behind it), being cautious if an email looks suspicious or was unexpected, checking for grammatical and spelling errors, not clicking on links contained within emails and not downloading attachments, according to RIA in a Box. Regardless of industry, it is best not to click links or open attachments in an email unless you are certain who sent it, and because a sender address can be spoofed or a trusted sender’s account compromised, that certainty should come from confirming through another channel, such as a call to a known phone number, rather than from anything in the email itself.
Client impersonation is a specific issue that RIAs face. After gaining access to a client’s email account, a “bad actor” may scan prior email correspondence between that client and an advisor, and then impersonate that client in emails sent to the advisor or to somebody who works at the advisor’s firm, RIA in a Box noted. Because such messages come from the client’s real account, checks on the sender address will not catch them. Its top safety tips to combat this problem are: carefully reviewing client emails prior to responding or taking action, not letting urgency or pressure in a request push staff into skipping verification steps, and setting client expectations around wire confirmation procedures. The latter includes verbal confirmation, with the client told in advance that the firm will call back only at a number previously provided and on file, never at a number supplied in the request itself. “Fraudulent wires are a much more common industry occurrence than most firms recognize due to underreporting,” according to RIA in a Box.
More than 1,700 RIA firms now subscribe to the RIA in a Box compliance platform, DeRose also said during the webinar. The company decided to build its own cybersecurity platform due to an increased regulatory focus at the state and federal levels, existing industry solutions not being adequate and general cybersecurity solutions being a poor fit for RIAs, she noted.
While providing a demonstration of the cybersecurity platform, Michael Lubansky, head of product at RIA in a Box, said various industry vendors have already teamed with his company on the platform and more vendors are expected to join over the next month.
— Check out Legendary Ex-Fraudster Frank Abagnale: How Not to Get Scammed on ThinkAdvisor.