3 Steps to a Safer RIA

What You Need to Know

  • Of the 6.3 billion global web attacks in 2020, 736 million targeted the financial services business.
  • The most likely cybersecurity threats for a small office are manageable, even for a non-technical employee.
  • Beware of non-computer items that offer gateways to your network, like coffee makers.

For RIAs, the biggest risk heading into 2022 isn’t stock market volatility. A much greater risk lies in cybersecurity.

Online attacks increased threefold over the last year, according to Akamai Technologies. Of the nearly 6.3 billion web attacks globally in 2020, over 736 million targeted the financial services sector.

While many of these targeted large institutions, RIAs are not immune to cybersecurity threats. RIAs hold valuable information about their clients. If a firm’s data is breached and shared, it may end the client relationship.

Even when firms can avoid the worst-case scenario of stolen client data, a cyberattack or virus could be disruptive for clients and advisors alike. For these reasons, strengthening cybersecurity should top any RIA’s list of New Year’s resolutions.

The good news is that the most likely cybersecurity threats for a small office are manageable, even for a non-technical employee. The checklist below provides some baseline steps to help secure your technology in 2022.

Risks generally fall into three groups: 1) the risk of a “drive-by” hacker or automation-driven operation that scans the internet and email systems looking for a way into your systems, 2) the risk of an employee taking information, and 3) the risk that a natural disaster or other event disrupts business continuity.

The checklists below should help protect against each type of risk.

1. Minimize cybersecurity risk.

Enable hard drive encryption. Most operating systems make hard drive encryption easy, and this one small step makes it much more difficult for a hacker to reach your data. Just be sure to turn on encryption on all devices.

Install antivirus software … and keep it updated. Over-the-counter antivirus software protects against many computer viruses, trojans and ransomware. However, a small RIA firm might fall flat on systematic implementation and updates of this software. Establish policies for installing antivirus software before you provide devices to employees, and have a process for routinely updating the software across the organization. Don’t leave updates and renewals up to individual employees.

Don’t mix business and personal use on an office computer. Train employees not to check personal email on the company laptop. This is how attackers get to many systems. Firms also should prevent employees from downloading and installing new apps. How a firm establishes this culture varies. Some will use firewalls or “nannyware” that block access to non-work-related websites. However, such actions require discretion from management, as blocking too much of the web can be unpopular and bad for morale.

Back up data and systems … preferably in the cloud. If a work computer is locked up by ransomware, having systems and data backed up allows the firm to wipe the compromised computer clean without paying the ransom. In a matter of hours, the firm and employee could have information restored and be up and running again.

Avoid needlessly installing or connecting devices to the public internet at the office. Devices from refrigerators to coffee machines can be connected to Wi-Fi. While this offers convenience, each device is a potential gateway to the rest of your office network. Does this mean firms shouldn’t connect anything? Of course not. Just be thoughtful about what you do connect, and, most importantly, keep up with system updates and patches for every connected device.

2. Reduce risk from employees.

No firm wants to believe its own employees would steal valuable data and exploit it for personal gain. But there are easy ways to prevent that risk without creating a culture where employees feel you don’t trust them. These steps can help:

Never share passwords. Ensuring no one uses someone else’s password is a big step toward good security. When employees have their own login credentials, you can audit who accessed which systems and when, and system access can be cut off for departing employees without disrupting other team members’ work. This practice starts at the top: management may be tempted to share passwords with assistants so they can handle administrative or business processes for them. Don’t do it!

Set hierarchies and access levels to data. Not everyone needs access to all files and systems. Classify and separate data by sensitivity, and give employees access only to the areas they need. This is one of the easiest ways to manage risk and keep sensitive data out of the wrong hands.

3. Preserve business continuity.

Technology disruptions aren’t always the result of a hack or ransomware. A loss of power or natural disaster can also cause firms to lose access to systems. These steps help preserve continuity:

Move systems to the cloud as soon as possible. Cloud-based data and software solutions offer security benefits, but converting to the cloud can be a time-consuming project.

For teams that have put off the transition, consider these two factors as you think about technology strategy in 2022: First, with every passing month, the amount of data you have to convert only gets larger. Second, it’s best to convert everything when your team can be calm and strategic, not when panic forces change.

Keep investing in remote-work capabilities. If a firm stays up to date with new cloud-based and remote technologies and updates file sharing, chat and other capabilities, employees can migrate to a remote work environment more quickly if needed.

Avoid local software installations. By switching over to cloud-based applications, as opposed to installing software locally on a physical hard drive, employees no longer face the risk of losing a favorite business app that is only installed on select computers or within a select office.

Use a cloud-based password manager. Passwords saved in the cloud don’t die along with the physical device they were stored on.

With these steps in place, RIA leaders will sleep more soundly knowing their firms are better protected on the cybersecurity front and can focus on helping clients navigate market volatility.

Manuel Balderas is chief technology officer of Income Lab.