There has been a recent uptick in audit deficiencies derived from cybersecurity. For those who may not be familiar with this compliance term, it involves data security, including data collection, storage, and protection. As RIAs increase the extent to which they leverage technology to operate their firms, it is to be expected that there will be an increased regulatory focus on cybersecurity, both at the state and SEC levels. For many firms, this is a scary topic. Why? Because regardless of the steps that are taken in order to minimize data security risks, there is no way a firm can completely eliminate the possibility of a data breach. So, many compliance officers see cybersecurity as a problem for which no true solution exists. And rightfully so. However, it is expected that each firm make a reasonable effort to address cybersecurity within its compliance program. To make this as simple as possible, let’s break the process down into three steps:
- Assessment - A cybersecurity assessment is a process by which a firm evaluates its cybersecurity policies, procedures, and supervisory controls and documents this evaluation in order to gauge its effectiveness and make improvements in the program. An effective periodic assessment will review the nature, sensitivity, and location of information that the firm collects, processes, and/or stores, and the technology systems it uses, as well as the internal and external cybersecurity threats to, and vulnerabilities of, the firm’s information and technology systems. It is also important that a firm reviews the security controls and processes that are currently in place to evaluate whether those controls are sufficient. Another important question that is addressed during the cybersecurity assessment: What would be the impact should the information or technology systems of my firm become compromised? This is generally the question that, when posed, creates the sense of urgency regarding the need to improve the firm’s cybersecurity program.
- Strategy - Once the firm has completed the assessment and has identified areas of risk, the firm is prepared to create a strategy designed to prevent, detect, and respond to cybersecurity threats. Such a strategy could include controlling access to various systems and data through the management of user credentials, methods of authorization, and firewalls. For instance, a firm may evaluate the strength of the user IDs and passwords used to access various systems, or hire an IT contractor to perform firewall testing for network security. Also, in creating a strategy, firms should review their processes surrounding data encryption and data backup and retrieval. Making sure that clients have a secure method by which they can provide personal, nonpublic information to the firm is critical to this part of the process. A quick review of the business continuity plan for data backup and recovery items may be appropriate here as well.
- Implementation - Now that the assessment is complete and the strategy has been designed, it’s time for the firm to implement the strategy through written policies and procedures and training on prevention, detection, and response to cybersecurity threats. Firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts. This is the perfect time to double-check email communications to make sure clients are aware they should refrain from sending their personal information via email without encrypting or password protecting the document. Advisers could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws. In this process, a firm would be well served to review its operations and compliance programs and assess whether it has measures in place that are designed to mitigate its exposure to cybersecurity risks. The key to this part of the process is documentation. It is advisable that firms leverage technology through compliance task management software to record this process. That way, the next time there is a cybersecurity assessment, there will already be a starting point and a documented process in place. At the very least, compliance officers are wise to thoroughly document each step of this process manually in Excel or Word, and make updates to the compliance manual as needed.
There is no perfect and complete defense for cyber intrusions. Cyber crimes can be committed by employees, third-party vendors, business competitors, thieves, or hackers. Fortunately, there is no regulatory expectation that a 100% solution be in place. But there is the expectation that, at minimum, the aforementioned measures are taken to try to protect client information and minimize the probability of occurrence and impact of such events.
About the Author
Scott is a licensed Securities Principal with experience in both RIA and broker-dealer compliance. He began his financial services career in 2006 as a Registered Representative with E*Trade Financial in Alpharetta, GA. He has also worked with J.P. Morgan Private Banking in Chicago, IL and with Wells Fargo Advisors in Chapel Hill, NC.
Scott’s most recent role before joining Team XYPN was as Compliance Officer of Carolinas Investment Consulting, in Charlotte, NC. He’s a graduate of The University of North Carolina at Chapel Hill and holds FINRA Series 63, 65, 24, 4 and 53 licenses.
Scott lives in Charlotte, NC with his wife Meredith, and their two sons, Tyson and Jackson. In his free time, Scott enjoys watching sports, exercising, and operating the charitable organization he created upon his father’s passing.