Advisors need to protect themselves from many of the same kinds of cybersecurity issues that have plagued other organizations across multiple industries in the past few years, according to compliance software maker RIA in a Box.
“Your employees can be your greatest cyber defense or your greatest weakness,” Oriana DeRose, senior vice president of sales at RIA in a Box, said Wednesday, during a webinar on RIA cybersecurity best practices and her company’s MyRIACompliance cybersecurity platform.
First, the good news for RIAs: “Many firms have developed a solid network security and endpoint device plan, which is a critical step forward,” she told listeners. But she added: “Most cybercriminals attempt to steal RIA client company data from three key entry points: (1) Tricking company employees into providing direct or indirect access — their attempts are always changing and we can all easily be tricked; (2) gaining access through your third-party vendors; and (3) hacking directly into your technology access.”
RIAs, therefore, “need more than a policy; you need to be able to put all of your policies into action to have an effective cyber program,” she said. It’s best for firms to try to make sure they’re following the security suggestions of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), she said, noting NIST is the “framework that the Securities and Exchange Commission and state regulators focus on to provide guidance and recommendations.”
NIST’s framework includes five functions: Identify, Protect, Detect, Respond and Recover, RIA in a Box pointed out. These concepts are all pretty familiar to anybody who has worked for regulated entities before, according to DeRose.
Steps that RIAs should take to follow NIST’s recommendations include identifying who has access to the firm and its data and what level of access they have, as well as identifying what devices employees have, she said. Firms should also report security breaches, determine what the impact from them are and then have response, notification and correction plans in place that can be implemented to lessen harm from the current breach and try to prevent them from happening in the future, she pointed out. All of these should be kept in mind when an organization is developing a cybersecurity plan, she said, adding RIA in a Box also kept the NIST framework in mind when developing its cybersecurity solution.
The SEC has regulations that pertain to cybersecurity: Namely, Regulation S-P (the Safeguards Rule) and Regulation S-ID (the Identity Theft Red Flags Rule). But the SEC doesn’t have a “cybersecurity rule” per se, DeRose noted. However, “not having a direct rule for cybersecurity on the books does not mean that a firm should not or does not need to act,” she warned, noting the SEC has provided guidance in several areas, including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
For one thing, the SEC has often identified cybersecurity issues related to ex-employees still having access to company systems and sensitive client information after leaving a firm, she noted. Therefore, it’s best for firms to make sure that once an employee leaves a company, that person can no longer access its systems and important information.