Picture this, financial adviser.
Last month, you acted on a fraudulent email that appeared to come from the address of a longtime client, instructing you to transfer $100,000 from the client's account to the account of a relative. Last week, you unwittingly downloaded a program onto your office network that has been harvesting the login credentials for every application and client account you've accessed since. And last night, you fired a disgruntled employee who subsequently went home and deleted all the information from your CRM … because that employee's account still had access to the server after termination.
Is this an extreme confluence of events? Yes. But this nightmare could become reality for any RIA or broker-dealer that ignores the myriad, constantly evolving cybersecurity threats hitting computers daily. The consequences extend beyond damage to the firm's operations and reputation. Regulators are taking note of data breaches and cracking down on firms that fail to prevent them.
The Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued an alert in April 2014 detailing steps RIAs should take to shield clients from cyberthreats. Since late 2014, the OCIE has been conducting a sweep to examine over 50 broker-dealers and RIAs on its radar. The office calls on firms to create an IT governance system, assess their own risk of data breach, protect clients' assets, track how their technology interacts with third-party vendors and create written business continuity plans in case of disaster.
Advisers should think twice before assuming their firms are meeting those guidelines. As with any regulatory involvement, a firm and its advisers could face disciplinary action depending on the nature of lapses in cybersecurity. Good thing proper cybersecurity isn't magic. Advisers and firms should take the following concrete steps to protect clients as well as themselves. Think of it as the ABCs of the SEC.
No. 1: Create an IT governance program.
A good IT governance program needs an executive to take responsibility for cybersecurity, whether that person is a chief security officer, chief technology officer or chief information officer. The role can also be outsourced. A governance program needs written policies on acceptable use of software, email procedures, encryption, passwords, remote access, disaster recovery and so on. Policies are necessary but not sufficient: the office also needs a security awareness program so staff understand why the policies matter. Regular training is the only realistic defense against some attacks, such as the fraudulent wire request above, which no spam filter will reliably catch when the message comes from a genuine client address.
No. 2: Assess your firm's risk.
Assessing a firm's risk of a cyberbreach calls for asking hard questions about the way things are done in-house. Answering those questions requires an inventory of every physical device and piece of software your staff uses for work. Maps of all network resources should show exactly where the firm stores client data. Running disaster recovery tests, rather than merely having a plan, shows how well the firm would actually recover in a real incident.
No. 3: Protect your clients' data.
Protecting clients' assets may be the most important responsibility for an RIA or broker-dealer. That's why the OCIE says that firms should preserve all records relating to clients and assets, and be able to retrieve those records readily. What's more, electronic records should be stored in a form that cannot be rewritten or erased (write-once, read-many storage). In practice, strong protection means layered controls: automatic blocking of malware and spam, filtering of dangerous websites, redundant firewalls, secure remote access and locked-down, centrally managed mobile devices.
No. 4: Monitor your third-party technology vendors.
The fact that a firm contracts with vendors doesn't absolve it of responsibility for how those vendors handle client data. Broker-dealers and RIAs must know exactly what data every vendor holds and perform due diligence to ensure those vendors are suitable. In order to monitor systems and processes, firms must retain audit logs from firewalls and server access controls, review them on a regular schedule, and test the controls themselves; a log nobody reads protects no one.
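As an added illustration of the log review this step calls for (example code, not from the article or from External IT), the following Python script reads a constructed server-access log, flags any activity by an account that should have been disabled at termination, which is the lapse in the opening scenario, and flags successful logins from outside the firm's trusted address ranges. The log format, host and account names, IP ranges and the termination list are all hypothetical assumptions made for the example.

```python
"""Review a server-access audit log for two lapses the article describes:
activity on an account after its owner was terminated, and successful
logins from outside the firm's trusted networks.

Added example; not code from the original article or from External IT.
The log format, accounts, hosts, IP ranges and termination list below are
all constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log. Hypothetical format:
#   <ISO-8601 UTC timestamp> <host> <login-ok|login-fail> user=<acct> src=<ip>
SAMPLE_LOG = """\
2015-03-02T09:12:41Z crm01 login-ok user=asmith src=10.20.0.14
2015-03-02T17:58:03Z crm01 login-ok user=bjones src=10.20.0.31
2015-03-02T23:41:19Z crm01 login-ok user=bjones src=198.51.100.77
2015-03-03T02:05:55Z crm01 login-ok user=asmith src=203.0.113.9
2015-03-03T02:07:10Z crm01 login-fail user=bjones src=198.51.100.77
"""

# Hypothetical offboarding list: account -> moment access should have been
# revoked. In practice this comes from HR or the identity system.
TERMINATED = {
    "bjones": datetime(2015, 3, 2, 18, 0, tzinfo=timezone.utc),
}

# Hypothetical office LAN and VPN ranges from the remote-access policy.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>login-ok|login-fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def on_trusted_network(addr):
    """True if the source address falls inside any trusted range."""
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_log(text, terminated=TERMINATED):
    """Scan log text and return a list of findings as tuples.

    Finding kinds:
      ("terminated-account-activity", user, timestamp, event)
      ("off-network-login", user, source_ip, timestamp)
      ("unparsed", raw_line)  - an unreadable line is itself a finding
    """
    findings = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            findings.append(("unparsed", raw))
            continue
        revoked_at = terminated.get(ev["user"])
        if revoked_at is not None and ev["ts"] >= revoked_at:
            # Any use of the account after termination, even a failed login,
            # means access was not revoked when it should have been.
            findings.append(
                ("terminated-account-activity", ev["user"],
                 ev["ts"].isoformat(), ev["event"])
            )
        if ev["event"] == "login-ok" and not on_trusted_network(ev["src"]):
            findings.append(
                ("off-network-login", ev["user"], str(ev["src"]),
                 ev["ts"].isoformat())
            )
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports two hits on the terminated account (one successful login and one failed attempt, both after the 18:00 revocation time) and two successful logins from addresses outside the trusted ranges. The design choice worth noting is that a line the parser cannot read is reported rather than skipped: a quietly dropped line is exactly how a real intrusion hides in a log that is "reviewed".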
No. 5: Create a written business continuity plan.
Business continuity plans lay out what to do if disasters like fires and floods wreck the firm's office space or data centers, destroying computers and preventing employees from getting to work. Many options exist. Expensive secondary locations can be built to mirror the primary site. Snapshots of network servers can be replicated to secondary data centers and restored when disaster strikes. Many RIAs and broker-dealers are turning to cloud vendors, which provide shared multisite configurations at a lower cost than building them in-house. Whichever option is chosen, the plan is only as good as the last restore test.
Automating compliance with the cloud
Cloud-based IT specifically built for advisers may be the most effective solution for automating a firm's security and compliance programs. It also helps satisfy the SEC on the crucial guidelines above. The cloud lets firms access their computer platforms from any location and from any device, provided that access is gated by strong authentication and device management. More advanced cloud-based IT can serve as a virtual chief security officer. These tools use email and file archiving, web protection, security monitoring, multisite configurations and device management to safeguard client data and the firm's overall operations.
Is the cloud mandatory? No. Advisory firms could attempt to build their own cybersecurity systems. But cloud computing is much easier than tackling the ABCs of the SEC alone.
Sam Attias is vice president of the financial services practice at External IT.